Link Search Menu Expand Document

Scan Methods

The Discovery Scans page lets you launch network scans to find devices. Click New Discovery to open the scan form, which has four tabs.

1. Subnet Scan (Ping Sweep)

Sends ICMP echo requests to every host in a network range to find live devices. This is the fastest and broadest scan method — use it for general device discovery.

Options

Field Description Default
Network Range Target in CIDR notation (e.g. 192.168.1.0/24) or range format (e.g. 10.0.0.1-10.0.0.50) (required)
Scan Intensity Controls how many hosts are scanned in parallel Medium
Timeout (ms) How long to wait for each host to respond, in milliseconds. Range: 100–30000 1000
OS Fingerprinting When enabled, uses ICMP TTL values to guess the operating system family On

Intensity Levels

Level Concurrent Hosts Use Case
Low (Silent) 5 Minimal network noise; use on sensitive networks
Medium (Standard) 20 Balanced speed and gentleness
High (Aggressive) 100 Fastest scan; may trigger IDS/IPS alerts

OS Fingerprinting (TTL Analysis)

When enabled, the scanner examines the TTL value of ping responses to estimate the OS:

TTL Range Detected OS
≤ 64 Linux / Unix
65–128 Windows
> 128 Network Device

Notes

  • Ping sweep only finds devices that respond to ICMP echo. Devices with ICMP disabled (firewalled) will not appear.
  • On macOS, the ping -W flag takes milliseconds; on Linux it takes seconds. The scanner handles this automatically.

2. Active Directory (LDAP)

Queries an Active Directory Domain Controller via LDAP to enumerate computer objects. Useful for discovering domain-joined Windows machines that may not appear on the network scans.

Options

Field Description Default
Domain Controller IP/Hostname IP or FQDN of the AD domain controller (e.g. dc01.corp.local) (required)
Target OU Specific Organizational Unit to search (e.g. OU=Servers,DC=corp,DC=local). Leave empty to search the entire domain (empty — full domain)
Username AD username with read access (e.g. DOMAIN\admin) (optional)
Password Password for the AD account (optional)
Recursive Discovery When enabled, searches sub-OUs within the target OU On

What It Discovers

For each computer object found, the scanner reads:

  • cn (Common Name)
  • dNSHostName (FQDN)
  • operatingSystem and operatingSystemVersion
  • whenCreated, lastLogonTimestamp
  • distinguishedName

3. Single IP

Deep inspection of a single device. The scanner is selected based on the anticipated device type.

Options

Field Description Default
Device IP Address The IP address to inspect (e.g. 192.168.1.155) (required)
Anticipated Type What kind of device you expect — determines which scanner runs (required)
Username Authentication credentials for the target device (optional)
Password Password for the target device (optional)

Anticipated Types

Type Scanner Used What It Does
Windows Host (WMI) WMI Scanner Connects via WinRM and queries WMI classes (Win32_OperatingSystem, Win32_ComputerSystem, Win32_NetworkAdapterConfiguration) for detailed system info
Linux Host (SSH) SSH Scanner Connects via SSH and runs commands (hostname, uname, cat /etc/os-release, uptime, CPU/memory info) to gather system details
Network Device SSH Scanner SSH into switches/routers to gather device info
Web Resource Port Scanner TCP connect scan on common ports to discover open services

Requirements

  • WMI Scanner: Requires pywinrm package and WinRM enabled on the target Windows host
  • SSH Scanner: Requires paramiko package and SSH access to the target

4. SNMP

Queries devices via SNMP (Simple Network Management Protocol) to discover network equipment like routers, switches, and managed devices.

Options

Field Description Default
IP Range / Subnet Target in CIDR notation (e.g. 172.16.0.0/16) (required)
SNMP Version Protocol version to use Version 2c
Community String The SNMP community string (acts as a password) public
Use SNMP BULK-GET Use GETBULK requests instead of GET — more efficient for large MIB walks Off

SNMP Versions

Version Description
Version 1 Original SNMP. No encryption, community-based authentication. Very basic.
Version 2c Most commonly used. Community-based auth, supports GETBULK operations for faster queries. No encryption.
Version 3 Adds authentication and encryption (USM). Required in security-conscious environments. Enter SNMPv3 credentials in the Community String field.

What It Discovers

The scanner queries two OIDs on each host:

  • sysDescr (1.3.6.1.2.1.1.1.0) — System description (hardware/software info)
  • sysName (1.3.6.1.2.1.1.5.0) — System hostname

Devices that respond are classified as network_device type.

Important Notes

  • SNMP must be enabled on the target device. Most consumer routers and devices ship with SNMP disabled. You need to enable it in the device’s admin interface.
  • The community string must match what is configured on the device. If public doesn’t work, check the device’s SNMP settings.
  • Maximum 1024 hosts per scan to prevent runaway scans.
  • Hosts are scanned concurrently (20 at a time for medium intensity), so a /24 subnet completes in about 1 minute.

When to Use SNMP vs. Ping Sweep

Use Case Recommended Method
Find all live devices on a subnet Ping Sweep (Subnet tab)
Discover managed network equipment (routers, switches) SNMP
Get detailed device info (sysDescr, sysName) SNMP
Devices don’t respond to ping Try SNMP or Port Scan

Scan Lifecycle

All scans go through these states:

pending → running → completed
                  → failed
                  → cancelled

Scan Page Actions

Action Description
New Discovery Opens the scan form modal
Refresh Re-fetches the scan list
Clear History Deletes all completed, failed, and cancelled scans
View Opens the scan detail page with live progress
Cancel Cancels a running or pending scan
Delete Removes a completed/failed/cancelled scan record

Live Progress

Click on a scan to open its detail page. Active scans show real-time progress via WebSocket updates, including:

  • Progress percentage
  • Items discovered as they are found
  • Completion or failure status