To Do:
1) Move the route tracking to using real objects instead of a matrix
2) Change to file-based configuration
3) Support live capture
4) Periodic snapshots, garbage collection for external hosts and routes on the same interval
5) Support whitelisting of gateway MAC addresses, separate event ID for rogue gateway.
6) Support syslog as well as pre-defined log file
7) Timestamps in log messages
8) Define licensing, ensure credit is given where it is due.
9) Daemonize
10) Support SIGx to force XML dump
11) Support SIGy to force debug level change
12) ARP support
13) VLAN support
14) Track routes to nodes within enterprise, but outside of 
    protected subnet, separately from 'outside' nodes.  This
    will help with garbage collection, and having minimal
    performance impact after such an event.
15) Sanity check for subnet input
16) Eventually, get away from tracking subnets altogether and use ARP inside VLANs to determine what hosts are 'protected' and distant.  We can glean some inspiration from Kismet if we want to take a stab at guessing subnets.

gwdetect.py
MUST RUN IN SUDO
Tested against Python 2.7.2
2.6.6 can throw errors.

This tool is designed to observe network behavior
and generate log events for anomalies.

Currently, only pcap processing is supported, with live network monitoring coming someday


This is what it does now:
From a pcap file
    Creates a list of observed gateways, hosts, 1:1 routes

Usage:
sudo python ./gwdetect.py -f ../gwdetect-pcap/twogateway.pcap -s 10.0.100.0 -C ../circos.out -l ../gwdetect.out

This product includes software developed by CORE Security Technologies (http://www.coresecurity.com/)."