A discovery scan finds, identifies, and builds an inventory of all the connected devices and assets on your internal network. Running a discovery scan routinely will help you keep track of and know exactly what is on your network.
Discovery scans are configured by site, Explorer, and scope. In order to run a scan against a specific site, an Explorer must be activated and either assigned to that site or configured for all sites.
When creating a new scan, you have multiple parameters you can set, ranging from scheduling a date to more advanced options. To launch a discovery scan, browse to the Inventory page, click the Scan menu in the upper right, and select Standard Scan.
Site
runZero organizes information into organizations and sites. Organizations are distinct entities that are useful for keeping data separate and contain a collection of sites. Sites are used to model segmented networks, particularly independent networks which use the same private IP address ranges.
For example, you might have multiple physical locations with their own local networks, all using the 10.0.0.0/8 private IP range. By defining them as sites, you can set up an Explorer for each, and the networks and assets will be treated as completely independent even if similar systems are seen at the same IP addresses in each.
Since scan analysis occurs at the site level, the boundaries you define for a site set the default scope for scans for that site.
Explorer
Select the Explorer to run the scan from, chosen from the set of registered Explorers for the site. The Explorer you choose must be able to directly communicate with the networks and addresses you define for the discovery scope.
The chosen Explorer should ideally be able to reach all addresses in the scope directly, without a firewall in the way. Stateful firewalls and VPN gateways may interfere with the discovery process.
Hosted zone
Enterprise
runZero Enterprise users can perform scans of public IP space using runZero-hosted scanners. When creating a scan, set the Explorer to None and choose a hosted zone from which to scan. When using this option, the discovery scope must use public IP addresses or ranges, or resolve to public IP space.
Discovery scope
The discovery scope defines the IP ranges that will be scanned. The scope uses the site settings when specified as the keyword “defaults”, but may also be changed on a per-scan basis. The scope should include at least one IP address or hostname. IP address ranges can be specified in most standard formats:
10.0.0.1
10.0.0.0/24
10.0.0.0/255.255.255.0
10.0.0.1-10.0.0.255
Hostnames specified in the scope will be resolved at runtime by the assigned Explorer. If the hostname returns multiple IP addresses, all addresses in the response will be scanned. Hostnames can also have masks applied, indicating that the mask should expand to each resolved address of the hostname. For example, if example.com resolves to both 1.2.3.4 and 5.6.7.8, the input of example.com/24 would become 1.2.3.0/24 and 5.6.7.0/24. IPv6 addresses returned from hostname resolution will be scanned if the Explorer has a valid IPv6 address and route to the target.
Note that the Explorer scans addresses in random order. Subnets are scanned in a random order, and within each subnet the IP addresses are also scanned in a random order. This is done to avoid concentrating traffic in particular parts of the network.
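The scope formats and the randomized scan order described above, as an added Python example (not runZero's own code). It assumes a constructed in-memory resolver in place of the Explorer's runtime DNS lookup, and treats every address in a range as a target:

```python
import ipaddress
import random

# Constructed stand-in for the Explorer's runtime DNS lookup (an assumption, not runZero code)
FAKE_DNS = {"example.com": ["1.2.3.4", "5.6.7.8"]}

def parse_scope_entry(entry, resolve=FAKE_DNS.get, site_defaults=()):
    """Expand one scope entry into ip_network objects: "defaults", a single
    IP, CIDR, dotted netmask, dash range, or a hostname whose optional mask
    is applied to every resolved address (example.com/24 -> 1.2.3.0/24, 5.6.7.0/24)."""
    entry = entry.strip()
    if entry == "defaults":  # keyword: fall back to the site's own scope
        return [ipaddress.ip_network(n, strict=False) for n in site_defaults]
    lo, dash, hi = entry.partition("-")
    if dash:
        try:
            start, end = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        except ValueError:
            pass  # a hyphen inside a hostname, not an address range
        else:
            return list(ipaddress.summarize_address_range(start, end))
    target, _, mask = entry.partition("/")
    try:
        ipaddress.ip_address(target)
        addrs = [target]
    except ValueError:  # not an IP literal: resolve it, then mask each address
        addrs = resolve(target)
        if not addrs:
            raise ValueError(f"{target!r} did not resolve") from None
    suffix = f"/{mask}" if mask else ""
    # strict=False drops host bits, so 10.0.0.1/24 becomes 10.0.0.0/24
    return [ipaddress.ip_network(f"{a}{suffix}", strict=False) for a in addrs]

def expand_scope(entries, **kw):
    """Whole scope, de-duplicated, sorted (IPv4 before IPv6)."""
    nets = {n for e in entries for n in parse_scope_entry(e, **kw)}
    return sorted(nets, key=lambda n: (n.version, n))

def scan_order(nets, seed=None):
    """Order targets as the Explorer does: shuffle subnets, then addresses within each."""
    rng = random.Random(seed)
    subnets = list(nets)
    rng.shuffle(subnets)
    order = []
    for net in subnets:
        addrs = [str(a) for a in net]  # every address in the range
        rng.shuffle(addrs)
        order.extend(addrs)
    return order
```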
Discovery keywords
The following keywords are supported for both scan scopes and exclusions.
- asn4: The asn4:<AS number> keyword can be used to specify IPv4 ranges associated with a given AS number.
- country4: The country4:<ISO code> keyword can be used to specify IPv4 ranges associated with a given two-character country code.
- public and private: The public:<mode> and private:<mode> keywords can be used to specify IPv4 and IPv6 addresses associated with assets in the current organization. The mode parameter can be set to all, primary, or secondary to indicate which IP addresses are used. The public keyword selects all non-reserved IP addresses associated with organization assets. The private keyword selects all RFC-1918 and private-use IP addresses associated with organization assets.
- domain: The domain:<domain> keyword is available to cloud-hosted users with a Professional or Enterprise license and uses the syntax domain:<domain name> to automatically select publicly-known hostnames for a given domain name.
Scan name
You can assign a name to your Scan task to make it easier to keep track of.
Scan speed
Specify the maximum packet rate for the overall discovery process, in network packets per second. 500 is conservative, 3000 works for most LANs including WiFi, 10000 or more may be helpful for large sites with fast connectivity.
The scan speed directly affects how long the scan will take to complete. An approximate formula is:
time in seconds = hosts × ports × attempts ÷ scan speed
The number of hosts scanned is primarily determined by the discovery scope. The number of ports is around 500 by default, and three attempts are made to connect.
The number of hosts and ports scanned can be affected by the advanced scan options, and speed can also be impacted by maximum host rate and group size; see the descriptions of the advanced scan options below.
Note also that this formula doesn’t take into account time taken to take screenshots, follow web server redirects, or process the scan data.
Schedule
You can set a date and frequency for your scan task. Dates and times take into account your browser’s advertised timezone.
Scans scheduled to start in the past will be launched immediately and then repeated at the specified time, at the frequency selected.
Scheduling grace period
Specify the number of hours to wait for an available Explorer before giving up on this scan. A zero or negative value will result in the scan retrying indefinitely until an Explorer becomes available.
Advanced scan options
The Advanced tab can be used to display and modify additional scan settings, such as network exclusions, scan speed, the ports covered by the TCP scan, and which probes are enabled. The default settings should work for most organizations but may need to be tweaked for slow networks or unreliable links.
Maximum host rate
As well as setting an overall scan rate in packets per second, you can also control the maximum rate at which packets are sent to any single host IP address. This is useful when you have devices which are easily overloaded by network traffic. The default should be safe for most systems.
Max group size
When runZero scans your network, it spreads the scan load across many IP addresses at once. The max group size determines how many IP addresses can be actively scanned at once – allowing for the fact that hosts may take some time to respond to probes. The max group size needs to be at least as large as the overall scan speed, or else it would limit the speed of the scan to below the set value. If you provide a value that’s lower than the overall scan speed, it will be increased automatically at scan time.
The max group size is mostly useful when dealing with stateful network devices that can only track a limited number of connections at once, as a way to restrict how many active TCP sessions will result from a runZero scan.
Max TTL
The IP standards define a maximum hop count for packets. In IPv4, this is called the Time To Live or TTL, while in IPv6 this is called the Hop Limit. Every device forwarding a packet must decrease the TTL or Hop Limit by one. If this value reaches zero, the router receiving the packet must discard it. This setting can be used to set the maximum hop limit for scan traffic.
ToS
The IP standards define a per-packet service class. In IPv4, this is called the Type of Service or ToS, while in IPv6 this is called the Traffic Class or TC. The ToS or Traffic Class is used by switches and routers to prioritize network traffic. The lower bits of the IPv4 ToS are also used for congestion control. This setting can be used to set the ToS or Traffic Class for scan traffic. Please note that the ToS/Traffic Class settings do not apply to all traffic sent by runZero, but instead are limited to the basic discovery probes. Some protocols, such as SNMP, and integrations, such as VMware, do not set the ToS/Traffic Class fields on their corresponding packets. If all scan traffic must be consistently tagged with the correct ToS or Traffic Class, this can be accomplished through settings on the managed switch port instead.
TCP ports
The Included TCP ports and Excluded TCP ports fields can be used to override the default scan ports. The string “defaults” will look up the current default port list at scan time. The current port list is:
1, 7, 9, 13, 17, 19, 21, 22, 23, 25, 37, 42, 43, 49, 53, 69, 70, 79, 80, 81, 82, 83, 84, 85, 88, 102, 105, 109, 110, 111, 113, 119, 123, 135, 137, 139, 143, 161, 179, 222, 264, 280, 384, 389, 402, 407, 442, 443, 444, 445,
465, 500, 502, 512, 513, 515, 523, 524, 540, 548, 554, 587, 617, 623, 631, 636, 664, 689, 705, 717, 743, 771, 783, 873, 888, 902, 903, 910, 912, 921, 990, 993, 995, 998, 1000, 1024, 1030, 1035, 1080, 1083, 1089, 1090, 1091, 1098, 1099, 1100, 1101, 1102, 1103, 1128,
1129, 1158, 1199, 1211, 1220, 1234, 1241, 1260, 1270, 1300, 1311, 1352, 1433, 1440, 1443, 1468, 1494, 1514, 1521, 1530, 1533, 1581, 1582, 1583, 1604, 1610, 1611, 1723, 1755, 1801, 1811, 1830, 1883, 1900, 2000, 2002, 2021, 2023, 2049, 2068, 2074, 2082, 2083, 2100, 2103, 2105, 2121, 2181, 2199, 2207,
2222, 2224, 2323, 2362, 2375, 2376, 2379, 2380, 2381, 2443, 2525, 2533, 2598, 2601, 2604, 2638, 2809, 2947, 2967, 3000, 3001, 3003, 3033, 3037, 3050, 3057, 3071, 3083, 3128, 3200, 3217, 3220, 3260, 3268, 3269, 3273, 3299, 3300, 3306, 3311, 3312, 3351, 3389, 3460, 3500, 3502, 3628, 3632, 3690, 3780,
3790, 3817, 3871, 3872, 3900, 4000, 4092, 4322, 4343, 4353, 4365, 4366, 4368, 4369, 4433, 4443, 4444, 4445, 4567, 4659, 4679, 4730, 4786, 4840, 4848, 4949, 4950, 4987, 5000, 5001, 5007, 5022, 5037, 5038, 5040, 5051, 5060, 5061, 5093, 5168, 5222, 5247, 5250, 5275, 5347, 5351, 5353, 5355, 5392, 5400,
5405, 5432, 5433, 5498, 5520, 5521, 5554, 5555, 5560, 5580, 5601, 5631, 5632, 5666, 5671, 5672, 5683, 5800, 5814, 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909, 5910, 5911, 5920, 5938, 5984, 5985, 5986, 5988, 5989, 6000, 6001, 6002, 6050, 6060, 6070, 6080, 6082, 6101, 6106, 6112, 6161,
6262, 6379, 6405, 6443, 6502, 6503, 6504, 6514, 6542, 6556, 6660, 6661, 6667, 6905, 6988, 7000, 7001, 7002, 7021, 7070, 7071, 7077, 7080, 7100, 7144, 7181, 7210, 7373, 7443, 7474, 7510, 7547, 7579, 7580, 7676, 7700, 7770, 7777, 7778, 7787, 7800, 7801, 7879, 7902, 8000, 8001, 8003, 8006, 8008, 8009,
8010, 8012, 8014, 8020, 8023, 8028, 8030, 8080, 8081, 8082, 8083, 8086, 8087, 8088, 8089, 8090, 8095, 8098, 8099, 8100, 8123, 8127, 8161, 8172, 8180, 8181, 8182, 8205, 8222, 8300, 8303, 8333, 8400, 8443, 8444, 8445, 8471, 8488, 8500, 8503, 8545, 8649, 8686, 8787, 8800, 8812, 8834, 8850, 8871, 8880,
8883, 8888, 8889, 8890, 8899, 8901, 8902, 8903, 8983, 9000, 9001, 9002, 9042, 9060, 9080, 9081, 9084, 9090, 9091, 9092, 9099, 9100, 9111, 9152, 9160, 9200, 9300, 9380, 9390, 9391, 9401, 9418, 9440, 9443, 9471, 9495, 9524, 9527, 9530, 9593, 9594, 9595, 9600, 9809, 9855, 9999, 10000, 10001, 10008, 10050,
10051, 10080, 10098, 10162, 10202, 10203, 10443, 10616, 10628, 11000, 11099, 11211, 11234, 11333, 12174, 12203, 12221, 12345, 12397, 12401, 13364, 13500, 13778, 13838, 14330, 15200, 15671, 15672, 16102, 16992, 16993, 17185, 17200, 17472, 17775, 17776, 17777, 17778, 17781, 17782, 17783, 17784, 17790, 17791, 17798, 18264, 18881, 19300, 19810, 19888,
20000, 20010, 20031, 20034, 20101, 20111, 20171, 20222, 20293, 22222, 23472, 23791, 23943, 25000, 25025, 25565, 25672, 26000, 26122, 27000, 27017, 27018, 27019, 27080, 27888, 28017, 28222, 28784, 30000, 31001, 31099, 32764, 32844, 32913, 33060, 34205, 34443, 34962, 34963, 34964, 37718, 37777, 37890, 37891, 37892, 38008, 38010, 38080, 38102, 38292,
40007, 40317, 41025, 41080, 41523, 41524, 44334, 44343, 44818, 45230, 46823, 46824, 47001, 47002, 47290, 48899, 49152, 50000, 50013, 50021, 50051, 50070, 50090, 50121, 51443, 52302, 52311, 54321, 54921, 54922, 54923, 55553, 55580, 57772, 61614, 61616, 62078, 62514, 65002, 65535
Prescan modes for large IP spaces
Sometimes, the scope of your IP space is unknown, subnet usage is unknown, and the total number of assets is unknown. These unknowns can make it challenging to optimize your discovery scans for efficiency and speed. And when your IP space is large, like a /16 space with a few thousand IPs in use, a full discovery scan can take more time to complete, since it looks at more than 500 TCP ports and 15 UDP ports on every address. In these types of cases, you may want to tune your scan settings to prefilter ranges and IP addresses before a full scan.
runZero has two prescan modes that you can use to run a faster scan: subnet sampling and host ping.
Subnet sampling
Professional, Enterprise
To speed up scans of large subnets you can use the “Only scan subnets with active hosts” advanced scan option. If this option is on, a prescan runs against the target space to identify the subnets with an active host. This mode leverages heuristics runZero has collected to identify addresses that are more likely to be responsive across subnets. This process allows runZero to quickly scan larger spaces by identifying the subnets that are in use, before starting full probes. All subnets that are identified as having active hosts are then fully scanned – unless you enable host pings.
There are two tweakable parameters for subnet sampling. The sample rate determines what percentage of addresses in each subnet are prescanned to determine if the subnet should be scanned. The subnet size determines how many IP addresses are in each subnet. By default, the subnet size is 256 addresses, corresponding to a /24 subnet, and 3% of the addresses in each subnet are prescanned.
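An added Python simulation of the subnet-sampling prescan just described (not runZero's own code) that shows the trade-off a practitioner cares about: how many probes a /16 costs at the default 256-address subnet size and 3% sample rate, and how likely a sparsely populated subnet is to be missed. It assumes uniform random sampling, whereas runZero uses heuristics to pick likelier addresses, and a constructed network with one dense and one single-host subnet:

```python
import ipaddress
import math
import random

def split_into_subnets(scope, subnet_size=256):
    """Carve a scope into equal subnets (256 addresses = /24, the page's default)."""
    net = ipaddress.ip_network(scope, strict=False)
    prefix = net.max_prefixlen - (subnet_size.bit_length() - 1)
    if prefix < net.prefixlen:
        return [net]  # scope is smaller than one subnet: treat it as one
    return list(net.subnets(new_prefix=prefix))

def prescan_subnet(subnet, responds, sample_rate=0.03, rng=random):
    """Probe a random sample of the subnet; return (any_host_responded, probes_sent).
    Assumption: uniform sampling; runZero's heuristics pick likelier addresses."""
    addrs = list(subnet)
    n = max(1, round(len(addrs) * sample_rate))  # 3% of 256 -> 8 probes
    sample = rng.sample(addrs, n)
    return any(responds(a) for a in sample), n

def plan_scan(scope, responds, sample_rate=0.03, subnet_size=256, seed=None):
    """Return the subnets that would be fully scanned and the prescan probe budget."""
    rng = random.Random(seed)
    to_scan, probes = [], 0
    for subnet in split_into_subnets(scope, subnet_size):
        active, n = prescan_subnet(subnet, responds, sample_rate, rng)
        probes += n
        if active:
            to_scan.append(subnet)
    return to_scan, probes

def miss_probability(live_hosts, subnet_size=256, sample_rate=0.03):
    """Chance that uniform sampling hits none of the live hosts in a subnet."""
    n = max(1, round(subnet_size * sample_rate))
    if live_hosts > subnet_size - n:
        return 0.0  # too few silent addresses to draw a fully silent sample
    return math.comb(subnet_size - live_hosts, n) / math.comb(subnet_size, n)

# Constructed network: one fully populated /24 and one /24 with a single host.
DENSE = set(ipaddress.ip_network("10.0.5.0/24"))
SPARSE = {ipaddress.ip_address("10.0.9.50")}

def demo_responds(addr):
    return addr in DENSE or addr in SPARSE
```

With these defaults a /16 costs 256 × 8 = 2048 prescan probes instead of 65,536 addresses × 500 ports, but a /24 holding a single host is missed by uniform sampling about 97% of the time.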
Host ping
After you have some insights on the subnets that are in use, you may want to limit the full scan to only addresses that respond to the most common ping methods, such as ICMP and some TCP and UDP ports. If you choose the “Limit scans to pingable hosts” advanced scan option, only hosts that respond to a ping request will be fully scanned.
The runZero Explorer uses multiple protocols for ping scans:
- Conventional ICMP ping, performed by sending an ICMP echo request and looking for an ICMP echo reply.
- TCP ping, performed by sending a TCP SYN packet to a series of common ports and seeing whether the host responds with RST or TCP SYN/ACK.
- UDP ping, performed by sending a packet to port 65535 and checking for an ICMP response of port unreachable.
The set of ports used for TCP and UDP ping can be adjusted in the LAYER2 section of the Probes and SNMP tab when setting up a scan task.
Note that it is relatively common for enterprise firewalls to be set up to block ping, or for hosts to be set up not to respond to ping requests. Limiting scans to pingable hosts can therefore result in assets being missed entirely, even if their IP addresses are probed. If your goal is to speed up scan times, subnet sampling is usually the better option.
It’s possible to use both subnet sampling and limiting scans to pingable hosts at the same time, but this is not recommended except as a last resort for reducing scan times.