B.2 How PlateSpin Recon Collects Data

PlateSpin Recon has three sequential stages to its data collection.

B.2.1 Discovery

Domain Discovery: PlateSpin Recon uses Windows Active Directory via LDAP to scan the network for a list of the machines on the specified domain. By default, this includes only online machines, but there is an option to include offline machines as well.

An Organizational Unit (OU) filter can also be specified, narrowing the area of the domain that PlateSpin Recon polls during discovery. An Organizational Unit is a container within a domain where computers can reside for segmentation. For example, if your domain has OU containers set up for each department, you can tell PlateSpin Recon to look only for machines within a specific department within the domain.

PlateSpin Recon uses OU filters only during discovery. If machines discovered in this way are later moved out of their previous OU containers, inventory and monitoring of those machines are unaffected. For more information on Organizational Units and whether they are in use in your domains, check with your System Administrator.

Subnet, IP Range Scan: For each machine in the subnet or IP range, PlateSpin Recon pings the machine. If it replies, it is considered a discovered machine.

Another option is to port scan over TCP, UDP, or both. PlateSpin Recon tries to connect to ports and records which ports are in use. Use this option with caution because network security monitoring might treat the scan as an attack.

B.2.2 Inventory

Linux, Solaris, and ESX 2.x

  • PlateSpin Recon sends the getplatform script, which returns the architecture and glibc version of the machine being inventoried.

  • Based on getplatform, PlateSpin Recon uses the SCP protocol to transfer a platform-specific inventory binary and libraries to the /tmp directory of the machine being inventoried.

  • Over ssh, PlateSpin Recon executes the binary, streaming the command file over stdin.

  • Logs and progress files are streamed back from the inventoried machine to the PlateSpin Recon Server using stderr while the machine XML is streamed over stdout.

ESX 3.x/4.x, ESXi 5.0, and Virtual Center

  • PlateSpin Recon runs the executable locally on the PlateSpin Recon Server.

  • The executable accesses ESX 3.x/4.x, ESXi 5.0, or Virtual Center Web services, which provide the necessary inventory data.

Microsoft Windows Inventory

  • If you are inventorying a Windows machine, you must make sure that WMI is installed and running on the machine. For Windows NT, you must manually install WMI components. For more information on downloading and installing WMI on Windows NT, see Windows Management Instrumentation (WMI) CORE 1.5 (Windows NT 4.0) at the Microsoft Download Center.

    To establish a connection with the target Windows machine and to run the Inventory executable on it, PlateSpin Recon uses WMI by default. If WMI fails, PlateSpin Recon uses the Remote Service as a failover. You can configure PlateSpin Recon to always use the Remote Service instead of WMI on the target machine:

    1. In PlateSpin Recon Client, click the Tools menu.

    2. Press the Ctrl key and click Options.

      The Server page of the Options dialog box is displayed by default.

    3. In the Inventory category, click the plus sign (+) next to Advanced.

    4. Change the value of Install Remote Service to True.

    5. Click OK.

    PlateSpin Recon copies the inventory executable to the ADMIN$ share on the target machine.
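
An executable written to ADMIN$ is also what remote-execution tooling looks like to a monitoring team, so it helps to separate the copies that come from the PlateSpin Recon Server from any others. The following triage sketch is an added example, not part of the PlateSpin documentation or product. It assumes that Audit Detailed File Share is enabled on the targets, that Security event 5145 records have been exported as dictionaries, and that the server address and file names shown are constructed placeholders.

```python
import ipaddress

# Assumption: address(es) of the PlateSpin Recon Server; placeholder value.
RECON_SERVERS = {ipaddress.ip_address("192.0.2.10")}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".bat", ".cmd")
WRITE_DATA = 0x2  # write-data / add-file bit of the 5145 access mask


def is_admin_share_write(event):
    """True for a 5145 event requesting write access to an executable on ADMIN$."""
    if event.get("EventID") != 5145:
        return False
    if not event.get("ShareName", "").upper().endswith("\\ADMIN$"):
        return False
    if not int(event.get("AccessMask", "0x0"), 16) & WRITE_DATA:
        return False
    return event.get("RelativeTargetName", "").lower().endswith(EXECUTABLE_SUFFIXES)


def triage(events, recon_servers=RECON_SERVERS):
    """Split ADMIN$ executable writes into (expected from Recon, needs review)."""
    expected, review = [], []
    for ev in events:
        if not is_admin_share_write(ev):
            continue
        try:
            src = ipaddress.ip_address(ev.get("IpAddress", ""))
        except ValueError:
            review.append(ev)  # no usable source address: cannot attribute
            continue
        (expected if src in recon_servers else review).append(ev)
    return expected, review


# Constructed sample events; field names follow Security event 5145.
SAMPLE_EVENTS = [
    {"EventID": 5145, "IpAddress": "192.0.2.10", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "inventory-placeholder.exe", "AccessMask": "0x2"},
    {"EventID": 5145, "IpAddress": "192.0.2.77", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "unknown-placeholder.exe", "AccessMask": "0x2"},
    {"EventID": 5145, "IpAddress": "192.0.2.10", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "svcctl", "AccessMask": "0x3"},
    {"EventID": 5145, "IpAddress": "-", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "Temp\\tool-placeholder.dll", "AccessMask": "0x120116"},
]

if __name__ == "__main__":
    ok, flagged = triage(SAMPLE_EVENTS)
    print(f"expected from Recon server: {len(ok)}, needs review: {len(flagged)}")
```

Events with no parseable source address go to the review list rather than being dropped, because they cannot be attributed to the Recon Server.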

B.2.3 Monitoring

To understand the PlateSpin Recon Monitoring process, review the following sections:

Linux, Solaris, AIX, and ESX 2.x

  • PlateSpin Recon sends a script (lininfo.sh, solinfo.sh, aixinfo.sh, or esxinfo.sh) to the machine being inventoried.

  • The script is run through ssh.

  • The ssh server must be enabled for monitoring to function.

  • Logs are streamed back to the PlateSpin Recon Server over stderr.

  • Performance data is streamed back over stdout.

ESX 3.x/4.x, ESXi 5.0, and Virtual Center

  • PlateSpin Recon calls ESX 3.x/4.x, ESXi 5.0, or Virtual Center Web services, which provide the necessary performance data.

Microsoft Windows

  • PlateSpin Recon uses the Windows Performance Counter API to retrieve performance data. It does not use WMI.

  • The Remote Registry service must be enabled for Windows monitoring to function.