At Network Perception, we have combined our vast expertise of critical asset protection with next-gen technology to guide our customers on a path to cyber resiliency.
The journey starts with establishing a clear baseline and verifying that internal risk mitigation controls are followed.
The next step consists of gaining an accurate visibility of network architecture and cybersecurity posture.
Finally, developing a continuous monitoring approach to gain velocity and adapt quickly to disruptions.
NP-View is designed to run on a Windows 10 or Windows 11 with a recommended configuration of a 10th Gen Quad Core Processor and 16GB of RAM. This configuration should be sufficient for processing large data files up to 500,000 lines. Simultaneously loading and analyzing multiple devices with larger configuration files will maximize the use of available system resources and additional RAM may be required.
Installation Process
Sign up on the Portal website to download the latest version of NP-View Desktop and to download a license key. A SHA256 checksum is supplied with each download. You can calculate the checksum on the files you download to verify the integrity of the files:
Windows Powershell: Get-FileHash /the/full/path/to/your/filename.exe | Format-List
Once installed, NP-View will automatically launch.
Allow ports for private/public network if prompted.
NP-View has been designed to run offline, which means that the network connections attempted towards a public NTP server, the local DNS server, and the Network Perception update server are optional and do not affect the system if the internet is unavailable. More information on configuring NP-View can be found here.
NP-View Desktop is a resource intensive application. For best performance, please ensure your system’s Power plan is set to High performance.
If you have administrator access, you can enable Ultimate Performance by opening the command prompt as administrator and copy paste: powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61 and press enter.
Windows control panel:
First Login
Upon first login, NP-View Desktop will require you to create an administrator account. Fill in the required information and click the “Create the NP-View administrator account” button. The password can be as simple or as complex as the user desires but needs to be at least 8 characters.
Local authentication is for users who wish to add an additional layer of protection. With this, the user can use whatever e-mail address and password they choose. If the user logs out of the system, the user id and password will be required upon subsequent application launches. Otherwise, the session remains open and authentication is not required.
Read and accept the user agreement.
Next, you will need to enter your license key. Once input, click the “Add license key” button.
Select your preferences for checking for automatic updates (requires internet access) and participation in our voluntary improvement program. Both selections use a slider that is default to off. To opt in, click the button and it will slide to the right. Click the save preferences button to complete.
Next click the get started button
User Menu
Access to the Help Center, License Manager, Update Manager and other administrative functions can be found on the User Menu located in the top-right corner of the Workspaces page.
Getting Started
On the Workspaces Page, NP-View provides a demo workspace as well as the ability to start creating your own workspaces. Click here to learn more about using workspaces.
Software Version
If you contact technical support, they will ask you for the software edition and version you are running. It can be found on the bottom left corner of the home screen.
Software Uninstall
To uninstall NP-View Desktop,
Windows 10/11: use the add or remove programs feature to remove the software
Use the add or remove programs feature to remove the software
Delete folder: ~AppData/Roaming/NP-View
Delete folder: ~AppData/Local/Programs/NP-View
Delete folder: ~AppData/Local/np-view-updater
Password Reset
Remove the file at the location listed below and restart the application to input your credentials.
Windows: Delete the file ~AppData/Roaming/NP-View/db/auth_provider.cfg and then restart NP-View.
License Changes / Upgrades
If you input a new license key from network perception, the user must log out and log back in for the changes to take effect. Note that the license key function is only available from the home screen (not from within a workspace).
Upload File Size Limit
NP-View enforces a maximum file size of 300MB per file by default.
Windows Path/File Name Length Limit
Microsoft Windows has a MAX_PATH limit of 256 characters. If the path and filename exceed 256 characters, the file import will fail.
For example: C:\Users\<username>\AppData\Roaming\NP-View\db\workspace\<np-view-user>@<workspace>\devices\<filename>
NP-View Server has been designed to be easily installed by a single person who has moderate Linux skills. This article provides step-by-step instructions on the installation process, which includes:
Provisioning a server
Downloading NP-View server
Installing NP-View server
Installing a SSL Certificate
NP-View is accessed through a web browser (Edge, Chrome, Firefox) running on a modern operating system (Windows 11 or later, macOS 14 or later, Ubuntu 23 or later).
Provisioning a Server
The following table documents the CPU, memory, and disk requirements based on the number of network device configuration files monitored by NP-View server:
Number of network devices monitored
(firewall, router, switch) / concurrent users
Min. CPU
Memory
Disk Space
Up to 50 devices / 3 concurrent users
8-core
32GB
400GB
Up to 100 devices / 4 concurrent users
16-core
64GB
800GB
Up to 250 devices / 5 concurrent users
32-core
128GB
1.5TB
Up to 500 devices / 6 concurrent users
64-core
256GB
3TB
Greater than 500 devices please contact support to discuss requirements.
Recommended as the minimum for most Professional Server users.
Note: loading and analyzing devices utilizes the majority of the CPU and Memory capacity. The higher the server capacity and the faster the CPU, the faster devices will load and be analyzed.
Network ports used by NP-View server
The following ports are used by NP-View server. Please ensure these ports are open on your firewall for proper communication.
Required ports:
TCP/22: SSH server to provide secure console access to the NP-Live server
TCP/443: access to NP-View Web UI through HTTPS
TCP/8443: access to NP-View connectors Web UI through HTTPS
Optional ports:
TCP/80: access to NP-View Web UI through HTTP
TCP/389: access to Active Directory / LDAP for LDAPv3 TLS
TCP/445: access to NP-View SMB Connector
TCP/636: access to Active Directory / LDAPS for TLS/SSL
TCP/8080: access to NP-View connectors Web UI through HTTP
Firewall Rules
The source IP should be the client workstation that will access NP-View and the destination IP should be the NP-View Linux server.
Downloading NP-View Server
Sign up on the Portal website to download the latest version of NP-View server and the license key. A SHA256 checksum is supplied with each download by clicking on the “show checksum” link. You can calculate the checksum on the files you download to verify their integrity:
Windows 10/11 using Powershell: Get-FileHash /the/full/path/to/your/file/name/extension | Format-List
MACOS: shasum -a 256 /full/path/to/your/file/name/extension
Installing NP-View Server
NP-View server is a Linux application. It can be installed on a virtual machine or physical hardware. There are 2 package formats available:
NP-View Virtual appliance (~2GB OVF) that works on all major hypervisor with support for the .vmdk disk format (e.g., VMWare ESXi).
NP-View Linux installer (~600MB) that works on all major Linux distributions on which Docker can be installed
The NP-View OVF uses Ubuntu Server 22.04 LTS or later. Root access is provided (see the text file provided with the .OVF) so the operating system can be periodically updated. This option should be used for new installations. The NP-View Linux installer is used to update NP-View on an existing system or for a new install on a Linux server.
Note: Network Perception does not recommend running NP-View in a double virtualized environment (Linux VM encapsulated within a Windows VM) as the operation of connectors, notifications and external interfaces can be unpredictable.
Option 1: Using the NP-View Linux Installer
Once downloaded from the portal, follow the steps below to complete the install:
Move installer to server – This may require ssh or other user account permissions
Place the file in a location you can access from the terminal
/tmp – this is a temp folder available at the root directory
/opt/np-live – this is the default NP View server root directory
You can use the “ls” command to see what is in your current directory
Log into the terminal or use SSH (Putty, PowerShell, etc.) into the Linux server
Set root level permission with the command (this will allow you type commands without adding “sudo” to each command)
sudo -I
Navigate to the directory in which the NP-View Server Linux installer was placed
Use the ls command to verify file is in this directory
Run the installer with the command (Docker must be installed before this step)
Example: sh NP-View_Full_Filename.sh (example: NP-View_Server_Linux_4.0.5-add6)
The installer will begin by checking for a running instance of Docker and internet connection
If Docker is not installed and running the installer will stop and you will have to manually install the latest version of Docker before continuing
If an internet connection is available and Docker isn’t installed, the installer will automatically download and install the latest version of Docker
If an internet connection isn’t available but Docker is installed, the installer will continue offline (Most Common Scenario)
If you are installing NP-View Server on Red Hat Enterprise Linux, use the following commands to install docker:
Prompt for default directory (/opt/np-live) We recommend keeping the default directory but it can be changed if preferred
Note: If the default directory is changed, then it will need to be edited for each new release during the installation
There will be a message once the installation is complete
Launch a browser to navigate to the NP-View User InterfaceExample of transfer with WinSCP:
Load WinSCP – It should default to this screen:
Default “File Protocol:” to SFTP
Fill in Host name, User name, and Password.
Host name would be the same as your NP-View Server IP Address
User name and Password are the same as the sudo credentials you use to log into the NP-View Server terminal.
Find the NP-View Linux Server Installer file in the left window. Then in the right window from the “root” select the “tmp” folder. Once you have completed both steps then click “Upload”.
Click Ok to complete the transfer.
Option 2: Using the NP-View Virtual Appliance
Once the Virtual Appliance OVF file has been downloaded from the portal, follow the steps below to complete set up:
Extract the .zip archive (right click on folder and choose extract all)
Import OVF into hypervisor
Update CPU/Memory/Disk Space to meet requirements stated in KB in the hypervisor settings
Open README.txt from extracted folder for credentials
Launch the appliance and log into terminal using credentials in README.txt
NP-View Server shell script will guide you through updating the NP-Live password, the root password, and to reset encryption keys
Once complete the NP menu will appear indicating the server is ready to use.
Launch a browser to navigate to the NP-View User Interface
Note: A static IP may need to be configured before utilizing the user interface.
Installing a SSL Certificate
NP-View listens on both port TCP/80 (HTTP) and TCP/443 (HTTPS). For HTTPS, it uses a self-signed SSL certificate by default. Users can also provide their own SSL certificate by simply copying a valid .pem file into the NP-View db folder. If using HTTPS, the best practice is to disable HTTP or forward HTTP to HTTPS.
The following command can be used to generate a valid .pem file:
To learn more about generating your own SSL certificate, please visit python documentation.
Please note that .pem file should include both the private key and the full certificate. If you received the private key and the certificate as two or more separate files, you can concatenate them into a single .pem file.
Setting the Virtual Appliance Time Zone
By default, the Virtual Appliance install creates the file `/opt/np-live/local-settings.yml`, set to America/Chicago. This file needs to be updated to reflect your local time zone. To change to a different time zone, log into the server using SSH and become root with the command sudo -i. You can then perform the following updates.
NP-View does not automatically delete log files, the Linux system admin may wish to schedule the above commands in a periodic CRON job to maintain optimal performance.
If server upgrade or restart issues continue to occur, please reach out to the Tech Support team.
Default Disk Encryption
As the NP-View OVF is typically installed within a secure environment, the disk is not encrypted by default for data at rest. The Linux Admin can encrypt the system drive for increased security knowing that system performance will be slightly degraded to accommodate the data decryption and encryption.
Personalize the Login Page
To add a custom message to the login page, a NP-View administrator can edit the file /opt/np-live/docker-compose.yml with the following entry in the webserver environment section: “- banner=Welcome to NP-view”
For NP-View, the file ~/Documents/np-live/config.ini can be edited to add: “banner=Welcome to NP-View”
Upload File Size Limit
When users upload a file through the Web user interface, NP-View will enforce a maximum file size which is 300MB per file by default.
Backing up the NP-View Server Database
Stop the NP-View Server (you can use the script /opt/np-live/stop_nplive.sh)
From the NP-View Server folder (by default: /opt/np-live/, run the command: tar -zcf db_backup_$(date '+%Y_%m_%d').tgz db (this command may take few minutes to complete)
Run the new release installer, which will update the containers and then launch NP-View Server
Complete Removal of NP-View
If you wish to completely remove NP-View from you server to start with a fresh install, perform the following steps:
Stop NP-View using the script /opt/np-live/stop_NP-Live.sh
Remove Docker containers using the command docker system prune -a as root (WARNING: this will completely reset Docker, so if non NP-View containers have been added they will be deleted as well)
Remove the NP-View folder with the command rm -rf /opt/np-live as root (WARNING: the NP-View database will be permanently deleted)
Network mapping provides the Networking Team (Network Engineer, Network Security) with capabilities that allow users to:
Visualize an accurate topology of the network architecture
Identify and label critical cyber assets and critical network zones
Easily review which devices are protecting which network zones
Visualize Topology
NP-View can be used to discover your network topology and the underlying control plane, including layer-2 and layer-3 configurations. Without leaving the topology map, you can review many aspects of the network’s design including Firewalls, Routers, Switches, Gateways, Networks, VPNs, Hosts and more.
Critical Assets and Zones
Each asset can be tagged with categories and criticalities as well as grouped into zones making it easy to review which devices are protecting which network zones.
Organize by Levels
Zones can also be used to organize the topology map by logical levels.
Details On-demand
Selecting a node in the topology map will interactively display an information panel with detailed data about that node.
Firewall ruleset review provides Network Engineers, Network Security, and Compliance Analysts with functionality for:
Easy review of firewall access rules and object groups using the Access Rules and Object Groups reports.
Automatic identification of configuration risks using the Risks and Warnings report.
Validating recent policy modifications as part of a configuration change review process using the Change Tracking report.
How to Review Access Rules
An independent review of firewall policies has to be periodically conducted to ensure that network access rules are correctly implemented and documented. It is important because lack of access rule review leads to unexpected network access vulnerabilities.
Frequency: each time firewall policies are changed, and at least once a quarter
How to do it:
Step 1: given a workspace populated with network device configurations, open the Access Rule table from the main menu (top left)
Step 2: leverage the “Column Search” feature or the “Compare” feature to show the rules in scope of your verification
For instance, filter the “Device” column to only show rules for a specific device, or filter the “Binding (ACL)” column to only show rules bound to a specific interface, or use the “Compare” feature to only show rules added or removed recently
Step 3: review values for the source, destination, service, binding, risk, and description of each rule in scope
The “Description” column captures comment, description, or justification from the device configuration
The “Risk” and “Risk Criticality” columns are populated by NP-View during the automated risk analysis
Step 4: to identify rules that are not justified, sort the table by “Description”. Empty values will be shown at the bottom.
Step 5: to document your review process, double click on the “Comment” or “Comment Status” cells to add your own comment. The comment status can be either “Verified” or “To Review” or “To Revise”
Step 6: to save an evidence of your review process, export the table to Excel using the export options in the top right corner of the table
Access Rules Table
The Access Rules report provides the users with complete details on each Access Rule with the ability to add justifications and actions.
Object Groups
The Object Groups report provides the users with complete details on each Object Group with the ability to add justifications and actions.
Risks and Warnings
As modifications are made to the network, the Network Perception default Policies and Requirements identify potential risks. The Risks and Warnings report provides the users with a summary of the potential risks and their criticality with the ability to add actions and comments.
Change Tracking
As modifications are made to the network and the updated configuration files are imported, the changes are logged in the Change Tracking table.
Using industry best practices, Network Perception automatically identifies potential risks related to network configurations. Using the Network Perception Connectivity Path analysis, the user can review each of the highlighted risks and make a judgment on action.
Exposure of Vulnerable Assets – Vulnerability Analytics
NP-View provides your security team with a single pane of glass for reviewing network vulnerability exposure. With the addition of scanner data or data from a vulnerability data service, vulnerabilities can be tracked across your network.
Topology Display of Vulnerabilities
When scanned data has been added to a workspace, and a topology view is built that also includes that scan data, nodes on the topology of that view will be marked with a shield indicating the presence of vulnerabilities.
Firewalls, Gateways, and Hosts may contain vulnerability and service information imported from scans. Clicking on any of these nodes in a View that contains vulnerability information, will display it in the info panel that opens over the main menu.
Clicking on the Vulnerabilities link will present a pop out with the vulnerability details.
Performing a regular review of your compliance metrics is important for your organization. Performing the review manually is time consuming and tedious. Audit assistance provides the Compliance Team (Auditor, Compliance Officer, Compliance Analyst, and Consultants) with capabilities that allow users to:
Verify compliance with cybersecurity regulations and best practices through Policy Review.
Seamlessly store evidence for compliance review with Change Tracking.
Easily prepare compliance reports using the Audit Assistants listed below:
Workspace Report (Standard)
The Workspace Report assistant is available within each workspace and will generate a report for a specific view that includes detailed information about configuration files that were imported and parsed including:
Configuration assessment report including risk alerts
Ports and Interfaces
Access rules
Object groups
Path analysis
Industry Best Practice (Premium)
The Best Practice assistant requires a license to activate. This report is available within each workspace to generate a report for a specific view that includes the following topics:
Parser Warnings and potential misconfigurations
Unused Object Groups
Access Rules missing a justification
Unnamed nodes
NP Best Practice Policies on access rules and CiS Benchmarks that have identified potential risks
ACL’s with no explicit deny by default rule
NERC CIP Compliance (Premium)
The NERC CIP assistant requires a license to activate this function and guides the user through the steps required to create a report covering CIP-005 requirements. The NERC CIP audit assistant is only available within a NERC-CIP workspace and allows audit teams to classify BES cyber assets as High, Medium, and Low based on the standards. We have added a category for untrusted (Internet, Corp, etc.) to tag non BES assets. NP-View allows compliance teams to collect and report evidence related to the following requirements:
CIP-002 – BES Cyber System Categorization; impact rating and 15-month review
NP-View has the capability to send the Asset Inventory report to Elastic Search or Splunk as well as query these systems and get search results.
Configuring the Connection
Under the System Manager menu, select Notification Manager.
Select the Configure Services tab and the service to configure. Then input the connection information for that service.
Click the 'Save Service' button to save the configuration.
One configured the services will be marked with a check mark as shown above.
Enabling Asset Reports to Send
Within each workspace and view, individual asset inventory reports can be enabled to send to Elastic or Splunk. When the Asset Inventory report is opened, using the hamburger menu, select the ‘Send on Schedule’ toggle. This will enable a specific report to be sent on demand or on a schedule.
Send on Demand or Schedule
Using the topology settings menu,
The user can schedule to send the Asset Inventory report to Splunk or Elastic (but not both) on demand
or a schedule.
They can also select to send the report at any time by clicking the 'Send Now Button'.
Sending a Query to a SIEM
The user can send a structured query to Splunk or Elastic Search using the 'Query Services' panel under the System menu.
Clicking 'Launch Query Services' will open a query panel in a new tab where the user can select to submit a query to Splunk or Elastic Search.
The query results will be delivered to the results panel.
NP-View has a powerful (actually magical) search capability available in the upper left corner. This section describes some of the frequently used searches. Items in “quotes” are search terms, items in [] are device or other configuration parameters.
UX Controls
Function
Example
“help” or “support”
Show the Support center
“hotkey(s)”
Show the Shortcut keys
“import”
Show the Import data panel
“log(s)”
Show System Log
“task(s)”
Show Background tasks
“change(s)”
Show Track changes
“clear”
Clear selections and highlights
Analysis Tools
Function
Example
“object(s)”; then select device to view
Show the Object groups for selected device
“rule(s)”; then select device to view
Show the Access rules for selected device
“asset(s)” or “inventory”
Show the Asset inventory
“path” or “connectivity” or “flow”
Show the Connectivity paths for the selection
“path” or “connectivity” or “flow” + [device]
Show the Connectivity paths with paths that pass through or include [device]
“object” or “rule” or “asset” or “flow” + string
Search in the corresponding table for the string
“network access overview” (aka highlight paths)
Show the network access overview
“service” or “port” or “network access overview” + [service/port]
Show paths that use [service/port]
“path(s)” from [device/#] to [device/#]
Show paths between, to, or from devices
[string]
Search for string in configuration files
Device Info
Function
Example
[zone]
Select a zone
[device]
Select a device
“ruleset(s)” + [device]
Show a device’s native ruleset (configuration) file
Performing a regular review of your compliance metrics is important for your organization. Performing the review manually is time consuming and tedious. Audit assistance provides the Compliance Team (Auditor, Compliance Officer, Compliance Analyst, and Consultants) with capabilities that allow users to:
Verify compliance with cybersecurity regulations and best practices through Policy Review.
Seamlessly store evidence for compliance review with Change Tracking.
Easily prepare compliance reports using the Audit Assistants listed below:
Workspace Report
The Workspace Report assistant is available within each workspace and will generate a report for a specific view that includes detailed information about configuration files that were imported and parsed including:
Configuration assessment report including risk alerts and warnings.
Device Information (Routes, Interfaces, and NAT Rules)
Access rules
Object groups
Connectivity paths
Industry Best Practice
Your license key will determine if The Best Practice assistant is available. This report is available within each workspace to generate a report for a specific view that includes the following topics:
Parser Warnings and potential misconfigurations
Unused Object Groups
Access Rules missing a justification
Unnamed nodes
NP Best Practice Policies on Access Rules and CiS Benchmarks that have identified potential risks
Topology summary and connectivity
NERC CIP Compliance
Your license key will determine if the NERC CIP assistant feature is activate. The NERC CIP assistant guides the user through the steps required to create a report covering CIP-005 requirements. The NERC CIP audit assistant is only available within a NERC-CIP workspace and allows audit teams to classify BES cyber assets as High, Medium, and Low based on the standards. We have added a category for untrusted (Internet, Corp, etc.) to tag non BES assets. NP-View allows compliance teams to collect and report evidence related to the following requirements:
CIP-002 – BES Cyber System Categorization; impact rating and 15-month review
NP-View can import auxiliary data from third party systems to enrich and augment analysis. The data files listed below are supported and can be manually imported using drag and drop or through a shared network drive connector. We recommend importing configuration files first or at the same time as the auxiliary data files or a system error may occur. If auxiliary data is input after configuration files are processed, the auxiliary data will need to be added to a new or existing custom view(s) to be displayed
Host Files
Hosts can be identified from multiple sources including configuration files, network scan files, ARP tables, and hostname files. Once network device configuration files have been imported, one can import additional files to add metadata to the workspace. A hostname file is a simple text file with two columns: IP address and hostname separate by a tab.
Aux Data Loading Example
Note: This example applies to the loading of any Aux data file but is specific to creating and loading a host file.
First, load a firewall into a workspace and create a custom view with the firewall.
Notice that four hosts are not named. To fix this, create a host file, named hosts.txt, to enrich the information.
The host file will add a name tied to each of the hosts and also includes hosts not currently displayed.
Let's use 172.30.90.50 Alice 172.30.90.51 Bob 172.30.90.42 Wendy 172.30.91.80 Sam 172.30.91.81 Carl Note: Make sure any hosts added to the file do not conflict with firewall interfaces or they will be merged into the firewall.
Save the host file, and import it into the workspace.
The Manage Views function displaying a user adding both devices and multiple Auxiliary data files to a single view.
Once processed, proceed to the “Manage Views” menu and select a new or existing view to add Auxiliary data to.
Below the Select Devices box, is the Auxiliary Data box.
Choose any of the Auxiliary Data files you've added previously. (This image is not reflective of the example but to illustrate that users may select several Aux files).
For our example a user would see a single file called hosts.txt that would contain the names we've added.
Once the the view is created the updated assets will be displayed on the topology and in the Asset Inventory (on the main menu).
The view, seen here regenerated. Note the new hostnames applied to the endpoints.
To see how the previous example can be used as a repeatable process let's update those names again, with corrections.
First, update the Host file again. In this scenario, we rename “Carl” to “Carly” and “Sam” to “Sammy”. The updated file is as follows:
172.30.90.50 Alice 172.30.90.51 Bob 172.30.90.42 Wendy 172.30.91.80 Sammy 172.30.91.81 Carly
Load the file into the workspace and the custom views where auxiliary data has been applied. This will update the workspace.
The workspace, updated a second time
Note: Host data can come from multiple sources, also hosts can appear and disappear from the network. Host data is treated as replacement data for adding and deleting hosts over time.
Note: If for some reason a device has multiple names retrieved from multiple different file types, the additional names will be displayed in the Alias column of the Asset Inventory.
Network and Vulnerability Scanner Files
The output from network and vulnerability scanners can be imported into a workspace to add CVE information, hosts, attributes, and port information to the topology map. We support version 1.0 <?xml version=”1.0″ ?> of the below scanners:
When exporting the report, it should be saved using the XML format to properly import into NP-View. The data extracted and imported depends on the scanner used and the data available on the network. Below is a list of data NP-View attempts to import.
hostnames
addresses
interfaces
local interface IP’s
local interface names
mac
domains
parent
operating systems
vlan
Multi-Home Host Files
Multi-Home hosts are endpoints that have multiple network interfaces. If NP-View identifies hosts with multiple interfaces, the host will be duplicated on the topology with each IP address. For example, the host called 'dual-homed' can be seen three times on the map below.
The host named 'dual-homed' repeated 3 times on the map
To resolve this, a 'multi_home_host.txt' file can be manually generated and loaded into NP-View as auxiliary data.
The file must be named 'multi_home_host.txt' and be of the following format:
192.168.135.115 dual-homed
192.168.135.114 dual-homed
192.168.135.113 dual-homed
Where the first field is the IP address and the second field is the name of the host.
When importing the 'multi_home_host.txt' and adding it to a view, the hosts will be connected as follows:
The hosts named 'dual-homed' have been consolidated
Note: The file can be named as *_multi_home_host.txt -where-*_ is anything preceding multi_home_host.txt.
For example:
tuesday_multi_home_host.txt
web_server_multi_home_host.txt
the_big_kahuna_multi_home_host.txt
Address Resolution Protocol (ARP)
ARP files can be used to add hosts as well as MAC addresses for the hosts.
Cisco ASA
Use 'show arp' to export the ARP table. The file format will be as follows:
<hostname># show arp
outside 10.0.0.100 d867.da11.00c1 2
inside 192.168.1.10 000c.295b.5aa2 21
inside 192.168.1.12 000c.2933.561c 36
inside 192.168.1.14 000c.2ee0.2b81 97
Cisco ASA Example
Using the data set from the Hosts example, a simple ARP table has been created in the Cisco format.
Distribution# show arp
inside 172.30.90.50 d867.da11.00c1 2
inside 172.30.90.51 000c.295b.5aa2 21
inside 172.30.90.42 000c.2933.561c 36
inside 172.30.91.80 000c.2ee0.2b81 97
inside 172.30.91.81 000c.2ecc.2b82 95
Distribution#
Loading this data into NP-View will add the MAC addresses to each host which is visible in Asset inventory.
Cisco IOS
Use 'show ip arp' to export the ARP table. The file format will be as follows:
<hostname># show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.1 12 00a1.b2c3.d4e5 ARPA GigabitEthernet0/1
Internet 192.168.1.2 5 0011.2233.4455 ARPA GigabitEthernet0/1
Internet 10.0.0.1 - 00bb.ccdd.eeff ARPA GigabitEthernet0/2
Internet 172.16.0.1 3 001e.abcd.1234 ARPA GigabitEthernet0/3
Windows
Use 'arp -a > arp_table.txt' to export the ARP table. The file format will be:
Interface: 192.168.86.29 --- 0x6
Internet Address Physical Address Type
192.168.86.1 88-3d-24-76-49-f2 dynamic
192.168.86.25 50-dc-e7-4b-13-40 dynamic
192.168.86.31 1c-fe-2b-30-78-e5 dynamic
192.168.86.33 8c-04-ba-8c-dc-4d dynamic
Linux
Use arp -a > arp_table.txt to export the ARP table. The file format will be:
? (172.18.0.3) at 02:42:ac:12:00:03 [ether] on br-d497989bc64d
? (192.168.135.200) at 00:0c:29:f6:47:bb [ether] on ens160
? (172.17.0.2) at <incomplete> on docker0
? (192.168.135.178) at 00:0c:29:f3:e2:6b [ether] on ens160
Palo Alto
Use 'show arp all' to export the ARP table. The file format will be:
GigabitEthernet0/0 outside 0 up up 10.1.1.1 255.255.255.0
GigabitEthernet0/1 inside 1 up up 192.168.1.1 255.255.255.0
Management0/0 lan 0 up up 10.0.0.1 255.255.255.0
Cisco ISO
Use 'show ip interface brief' to export the interface table
<device># show interface ip brief
Interface IP Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.1 YES manual up up
GigabitEthernet0/1 10.1.1.1 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down down
Management0/0 192.168.100.1 YES manual up up
Note that interface tables must be loaded at the same time as the configuration file.
MAC Address Tables
MAC address tables can be used to add MAC addresses to NP-View.
Cisco ASA
Use 'show mac address-table' to export the mac address table
!--- Cisco ASA Show MAC Address Table Output ---!
Protocol Address Interface
----------------------------------------
Dynamic 000c.292b.a123 GigabitEthernet0/0
Dynamic 0012.3456.7890 GigabitEthernet0/1
Dynamic 000a.bbbb.cccc VLAN1
!--- End of MAC Address Table ---!
Cisco IOS
Use 'show mac address-table' to export the mac address table
<device># show mac address-table
Mac Address Table
------------------------------------------
Vlan Mac Address Type Ports
----- ----------- -------- -----
1 000a.b7dc.b799 DYNAMIC Gi0/2
1 000c.2979.60af DYNAMIC Gi0/1
1 0012.3456.789a DYNAMIC Gi0/3
1 0012.3456.789b STATIC Gi0/4
Total Mac Addresses for this criterion: 4
PCAP for Topology Enrichment
In V6.0, support for PCAP and PCAPng files was added to enrich the topology map. NP-View will add endpoints with IP's, MAC addresses and services to the topology map within a custom view. The max PCAP size is 300 MB per file but multiple PCAP files can be added to a workspace and view. Note that the combined file upload limit is <=300 MB so each file will need to be added individually. Like other aux data, PCAP files must accompany one or more primary devices (Firewall, Router or Switch) so the endpoints have subnets to be connected to.
To split a PCAP file into multiple smaller PCAP files for ingestion, use a tool such as Wireshark editcap. Editcap is a command-line tool included with Wireshark that allows splitting pcap files.
-c <number_of_packets>: Splits after the specified number of packets.
input.pcap: Original pcap file.
output_prefix: Prefix for the output files (e.g., output_).
Example:
editcap -c 598000 capture.pcap split_capture
This creates files like split_capture_00000, split_capture_00001, etc. The file extension should remain .pcap or .pcapng and may need to be manually changed.
Our testing has shown that ~598000 packets will fall slightly under the 300MB limit.
PCAP only Views
In V6.1, we added the capability for a view to be created using only a PCAP file.
Data Setup
NP-View can ingest a PCAP as an auxiliary data file for use with a Layer 3 view or as a config file for use as a PCAP only view.
To help NP-View understand the user’s intentions, the file name will be used to delineate between auxiliary data and a config file.
If the file is to be used as auxiliary data, the file can be named almost anything with a .pcap or .pcapng extension. For example.
Lab_pcap-internal-90mb.pcapng
Lab_pcap-internal-90mb.pcap
If the file is to be used as a config file, ‘_config’ must be added to the file name, for example:
Lab_pcap-internal-90mb_config.pcapng
Lab_pcap-internal-90mb_config.pcap
When importing PCAP files, one or more PCAP files of either aux or config designation can be loaded into a workspace at onetime. Given the upload file limitations, they may need to be uploaded separately.
Note that for NP-View to treat a PCAP ‘_config’ as a device, NP-View will create a fictitious switch for each imported PCAP file which will appear on the home view and in subsequent views, even though it may not have any connections.
View Creation
When creating a view with just a PCAP, the PCAP file loaded as ‘_config’ will be selected.
All other devices will be disabled when ‘_config’ is selected including all aux data files.
If the user selects a device first, the PCAP ‘_config’ selection will be disabled.
Once the view is created, only the switch may be visible. This is because the PCAP file is treated as Layer 2 data and the ‘Show ayer 2 Connections’ needs to be enabled under topology settings.
Resulting in displaying the PCAP data.
Each endpoint will display the MAC address, device alias, IP address if available and associated services in the info panel.
Note that annotations are available on the Layer 2 map, but asset verification is not as there is only one data source.
Manually Downloading Auxiliary Data from Cisco Devices
To manually collect auxiliary data from Cisco devices, use the following commands and file naming conventions.
Cisco ASA
show running-config → 'devicename'_'contextname'.txt
show arp → 'devicename'_'contextname'_arp_table.txt
show route → 'devicename'_'contextname'_route_table.txt
show interface → 'devicename'_'contextname' interface_table.txt
show mac address-table → 'devicename''contextname'_mac_table.txt
Cisco IOS/NX-OS
show running-config → 'devicename'.txt
show ip arp → 'devicename'_arp_table.txt
show ip interface brief → 'devicename'_interface_table.txt
show mac address-table → 'devicename'_mac_table.txt
Once all of the files are collected, manually load the files from each device together and separately from other devices for proper file association.
Configuration, interface and route files will be processed together. Configuration files can be loaded with or without route and interface tables.
ARP and MAC files will be displayed as Auxiliary data when creating a view and can be selectively added.
NP-View is a CPU and Memory intensive application. At times, NP-View may appear to slow down and the UI may become unresponsive.
The most common issue being insufficient sizing of the desktop or server. Please validate the proper sizing of your system by clicking the links to the left.
Additional causes are listed below:
Low Disk Space - If the system runs out of available disk space, this will limit the ability of NP-View to process and store data. To resolve this issue, the user can perform a disk cleanup or add additional disk resources.
Insufficient CPU - NP-View is a CPU intensive application, if the processing requested exceeds the available resources, the system usability will slow. In some cases, NP-View is put into a virtual environment where the allocated resources are not available on the hardware and the system slows. In some other cases, if connectors are running at the same time users are navigating the topology, the resources will be consumed by data processing and the system may appear slow.
Insufficient RAM - NP-View is a Memory intensive application, if the NP-View database exceeds the size of the available memory, the system usability may appear slow. NP-View utilizes a NoSQL in-memory database for performance. However, because the database is loaded into memory, if there is insufficient RAM on the system the database will become degraded or not run at all
End user available memory - If the end user has an older PC with 8 gig of ram or less, the system may appear slow running on that PC.
Excessive browser tabs - If the user has a large number of browser tabs open which consume a lot of memory, the system may appear slow on that PC.
Large configuration files - If multiple configuration files are loaded into a workspace or view and each config has thousand rules, objects or endpoints, the rendering and moving of topology objects may appear to slow.
Saving large views - Large views with a high number of endpoints may take a long time to save.
Please report any performance issues to technical support so they can be investigated.
.svg)
