To be usable Discovery and Scan phases must be populated with scan methods.
Not any method runs on any phase, basically because some methods have no meaning for some phases.
As an example, "Find DHCP Servers", is by nature a discovery method and has no meaning for scanning. Further more,
this method has no connection with provided IP address space having no dependency of the previously discovered hosts.
Because not all methods runs on all phases the following table may be usefull:
| Scan Method |
Discovery Phase |
Scan Phase |
MAC Discovery Phase |
Working Type |
Short description |
| IP level | |||||
| IGMP | X | - | - | one packet | Finds the IPv4 enabled hosts that are members in a multicast group, other then the default. |
| IPv4 related scan methods | |||||
| ARP | - | - | X | parallel |
Finds the correspondence between IPv4 addresses and link-layer addresses. (MAC in the case of Ethernet) |
| ICMP - Ping sweep | X | X | - | parallel | Finds the IPv4 hosts that responds to ICMP Echo Requests |
| DNS | why not ? | X | - | parallel | Find DNS name for IPv4 addresses |
| TCP SYN | X | X | - | parallel | SYN scan |
| TCP FIN | X | X | - | parallel | FIN scan |
| TCP NULL | X | X | - | parallel | NULL scan |
| TCP XMAS | X | X | - | parallel | XMAS scan |
| TCP ACK | X | X | - | parallel | ACK scan |
| TCP Connect | n.i. | n.i. | - | n.i. | not implemented |
| UDP Send | X | X | - | parallel | Scan for open UDP ports |
| IP Protocols | X | X | - | parallel | Finds the IP protocols enabled on a host |
| NetBIOS | X | X | - | serial | Finds the NetBIOS informations from selected hosts. |
| Wake On LAN | X | - | - | parallel | Turn on WOL enabled hosts. |
| SNMP | - | X | - | serial | Gathers some basic SNMP informations. |
| Find DHCP Servers | X | - | - | one packet | Finds the DHCP servers from the local network. |
| Find Promiscuous Nodes | X | - | - | parallel |
Find the hosts that have the Ethernet network cards in promiscuous mode. Generally this indicates the existence of a sniffer on that host. |
| Ping Broadcast | X | - | - | one packet | Finds the IPv4 enabled hosts that responds to a "ping broadcast" packet |
| IPv6 related scan methods | |||||
| Neighbor Discovery | - | - | X | parallel |
Finds the correspondence between IPv6 addresses and the link-layer addresses. (MAC in the case of Ethernet) |
| IPv6 Ping Broadcast | X | - | - | one packet | Finds the IPv6 enabled hosts that responds to a "ping broadcast" packet |
| IPv6 Multicast Listener Discovery | X | - | - | one packet |
IPv6 routers are using this protocol to discover the presence of multicast listeners on their directly attached links |
| IPv6 ICMP Ping Sweep | X | X | - | parallel | Finds the IPv6 hosts that responds to ICMPv6 Echo Requests |
| IPv6 TCP SYN | X | X | - | parallel | SYN scan |
| IPv6 TCP FIN | X | X | - | parallel | FIN scan |
| IPv6 TCP NULL | X | X | - | parallel | NULL scan |
| IPv6 TCP XMAS | X | X | - | parallel | XMAS scan |
| IPv6 TCP ACK | X | X | - | parallel | ACK scan |
| IPv6 UDP Send | X | X | - | parallel | Scan for open UDP ports |
| IPv6 Protocols | X | X | - | parallel | Finds the IPv6 protocols enabled on a host |
| Higher level | |||||
| Windows Management Instrumentation | - | X | - | serial | Windows Management Instrumentation (WMI) is the Microsoft implementation of WBEM, an industry initiative to establish standards for accessing and sharing management information over an enterprise network. |
| Shutdown or Reboot | - | X | - | serial | Shutdown or reboot a Windows (starting from NT) host. |
Why a method is running or not in a phase is presented in the corresponding section.
[ User Guide ]