A.2 How PlateSpin Recon Collects Data

PlateSpin Recon collects data in three sequential stages.

A.2.1 Discovery

Domain Discovery: PlateSpin Recon uses Windows Active Directory via LDAP to retrieve a list of the machines on the specified domain. By default, this includes only online machines, but there is an option to include offline machines as well.

An Organizational Unit (OU) filter can also be specified, narrowing the area of the domain that PlateSpin Recon polls during discovery. An Organizational Unit is a container within a domain where computers can reside for segmentation. For example, if your domain has OU containers set up for each department, you can tell PlateSpin Recon to look only for machines within a specific department of the domain.

PlateSpin Recon uses OU filters only during discovery. If machines discovered in this way are later moved out of their previous OU containers, inventory and monitoring of those machines are unaffected. For more information on Organizational Units and whether they are in use in your domains, check with your System Administrator.

Subnet, IP Range Scan: PlateSpin Recon pings each machine in the subnet or IP range. A machine that replies is considered a discovered machine.

Another option is to port scan through TCP, UDP or both. PlateSpin Recon tries to connect to ports and records which ports are being used. This option must be used with caution because network security might consider this an attack.
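
The caution above, seen from the monitoring side, as an added example that is not part of the PlateSpin Recon documentation: a threshold detector over constructed connection records flags any source that touches many ports on one host, and treats the Recon Server as an authorized scanner only inside an approved window. The server address, window, threshold and record format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example (not PlateSpin Recon settings):
RECON_SERVER = "10.0.0.5"   # hypothetical Recon Server address
SCAN_WINDOW = (datetime(2024, 1, 10, 22, 0), datetime(2024, 1, 10, 23, 0))  # approved window
PORT_THRESHOLD = 10         # distinct (proto, port) pairs per source/target pair
INTERVAL = timedelta(seconds=60)

def sample_log():
    """Constructed 'timestamp src dst proto dport' connection records."""
    rows = ["2024-01-10T22:06:00 10.0.2.7 10.0.1.20 tcp 443"]  # ordinary client
    for i, port in enumerate(range(20, 35)):
        # Recon Server scanning inside the approved window
        rows.append(f"2024-01-10T22:05:{i:02d} {RECON_SERVER} 10.0.1.20 tcp {port}")
        # Recon Server scanning outside the window
        rows.append(f"2024-01-11T03:00:{i:02d} {RECON_SERVER} 10.0.1.21 udp {port}")
        # Unknown source scanning during the window
        rows.append(f"2024-01-10T22:10:{i:02d} 10.0.9.99 10.0.1.20 tcp {port}")
    return rows

def classify(lines):
    """Map each (src, dst) pair that reaches the threshold to a verdict."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, proto, dport = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), (proto, int(dport))))
    verdicts = {}
    for (src, dst), recs in events.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Slide the window so it never spans more than INTERVAL.
            while recs[end][0] - recs[start][0] > INTERVAL:
                start += 1
            if len({p for _, p in recs[start:end + 1]}) >= PORT_THRESHOLD:
                approved = (src == RECON_SERVER
                            and SCAN_WINDOW[0] <= recs[start][0] <= SCAN_WINDOW[1])
                verdicts[(src, dst)] = "authorized-scan" if approved else "alert"
                break
    return verdicts

if __name__ == "__main__":
    for pair, verdict in sorted(classify(sample_log()).items()):
        print(pair, verdict)
```

Scheduling discovery scans inside a window agreed with the security team lets the same rule keep alerting on scans from the Recon Server's address at any other time.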

A.2.2 Inventory

Linux, Solaris and ESX 2.x

  • PlateSpin Recon sends the getplatform script, which returns the architecture and glibc version of the machine being inventoried.

  • Based on getplatform, PlateSpin Recon uses the SCP protocol to transfer a platform-specific inventory binary and libraries to the /tmp directory of the machine being inventoried.

  • Over ssh, PlateSpin Recon executes the binary, streaming the command file over stdin.

  • Logs and progress files are streamed back from the inventoried machine to the PlateSpin Recon Server using stderr while the machine XML is streamed over stdout.

ESX 3.x and Virtual Center

  • PlateSpin Recon runs the executable locally on the PlateSpin Recon Server.

  • The executable accesses ESX 3 or Virtual Center Web services, which provide the necessary inventory data.

ESX 4.x and Virtual Center

  • PlateSpin Recon runs the executable locally on the PlateSpin Recon Server.

  • The executable accesses ESX 4 or Virtual Center Web services, which provide the necessary inventory data.

Microsoft Windows Inventory

  • PlateSpin Recon copies an executable onto the machine being inventoried, to a directory within ADMIN$ and C$. PlateSpin Recon runs the executable through WMI or a remote service. If you are inventorying a Windows NT machine, it is important to make sure that WMI is installed. By default, PlateSpin Recon uses WMI, but it can be configured to use the remote service through the configuration options in the Tools menu.

A.2.3 Monitoring

Linux, Solaris and ESX 2.x

  • PlateSpin Recon sends a script (lininfo.sh, solinfo.sh, or esxinfo.sh) to the machine being inventoried.

  • The script is run through ssh.

  • The ssh server must be enabled for monitoring to function.

  • Logs are streamed back to the PlateSpin Recon Server over stderr.

  • Performance data is streamed back over stdout.

ESX 3.x and Virtual Center

  • PlateSpin Recon calls ESX 3 or Virtual Center Web services, which provide the necessary performance data.

ESX 4.x and Virtual Center

  • PlateSpin Recon calls ESX 4 or Virtual Center Web services, which provide the necessary performance data.

Microsoft Windows

  • PlateSpin Recon uses the Windows Performance Counter API to retrieve performance data. It does not use WMI.

  • The RemoteRegistry Service must be enabled for Windows monitoring to function.