Network activity analysis specialist eTelemetry has added the ability to detect rogue access points to its Locate appliance, which can link devices and people to their IP and MAC addresses.

Locate was originally designed to help network staff identify the user or device linked to an IP address, for example when they're notified of a problem emanating from that IP. Now it can also send an alert when a new device, user or IP pops up on the network, the company said.

"The new features enhance the endpoint visibility provided by Locate, giving IT departments a greater level of threat detection and network awareness," said Ermis Sfakiyanudis, eTelemetry's president and CEO.

The device takes data from three sources: the switches, the corporate directory and the network traffic.

To do this, it needs a span or mirror port that can see Active Directory, LDAP or Exchange traffic - and if there's multiple authentication points, it needs a collection node at each one. It uses SNMP to 'crawl' the selected switches and identify which devices are attached to which ports, and it sniffs the network for authentication and messaging traffic that contains information identifying the person involved.

It then correlates this data with the directory, enabling it to tie an IP address to the relevant user's contact details in the corporate address book. Among other things, this allows admins to disable a user's network access by name, and can help organisations audit and track users' network activity.

As well as warning of possible rogue APs, the additional reporting capabilities in this latest version - Locate 4.1 - can be used to notify when people or devices move elsewhere on the network, eTelemetry said. The appliance can also use SNMP traps to send those alerts to a network management system.