Hi Gillian, I found the following reply in the forum that explains some details about asset radar logs and seems like the use of SPAN, RSPAN and ERSPAN will work only for asset radar visibility.  Not for appending additional asset details like Vendor, Model and Operating System unless there is a scanning server in each subnet:

Packets (IP/MAC combinations) captured via Asset Radar don't always necessarily generate new assets or link to existing assets. The asset radar packet capturing isn't fully integrated into asset scanning. When asset radar is enabled (not set to logging only), IP addresses found by capturing packets are sent to the scanning queue, and this IP then runs through the regular IP scanning logic. 

It's important to note that only the IP address is sent to the queue, the scanning queue currently cannot handle IP/MAC address combinations. This may result in the IP scan not finding a MAC address, while asset radar did. The asset radar logs are joined on asset tables based on the MAC address. If no asset with the same MAC address is found, a question mark will be shown, as no asset was found that with a high degree of certainty is related to that specific log entry.

Lansweeper can retrieve MAC addresses from assets through regular scanning in the following ways:

1. By authenticating successfully via a protocol that will return a MAC address, e.g. WMI (Windows), SNMP, SSH (Linux/Mac), etc.
2. By performing an ARP lookup (locally on the scanning server). This will only return a MAC address for assets in the same subnet as your scanning server.

If you're capturing packets from outside of the subnet of your scanning server, you may end up with a situation where your asset radar log entry for a specific IP address is more detailed than the asset that was generated for the same IP address, most notably the log having a MAC address while the asset does not. In this case, a link cannot be made.

Lansweeper uses the network interface that's highest in the binding order for IP scans, which may not be the interface that is in the same subnet as the captured packet. To ensure that the resulting assets from captured packets always have a MAC address, you'd need to use multiple scanning servers and limit yourself to an interface per server.

Kindly request your help to clarify this.

Regards

Hi Gilian, can you pls clarify the the previous post?.

Thks!

Hi @DonMario73 ,

That's right, thanks to any SPAN method, you'll get an entry inside the asset radar logs for new mac and/or IP addresses found for assets which aren't located inside of the subnet where the scan server (with asset radar) is located.

Once these are picked up, they get sent to the IP queue of that scan server where the scanner will try to ping the device and depending on a successful connection get more details from the asset.

In the background it uses "Save pinged IP" as mentioned here: "if checked, asset pages will be generated for all IP addresses that respond to a ping request, even if no data can be pulled from any of the following protocols"

So if you want assets to be created for them as well, you could configure your network access to allow ping requests from your scan server in his subnet to all other devices in the other subnets. In this way, assets will be created/updated for the asset radar log entries.