Skip to main content


Home Network scanning

Network scanning

Network scanning definition

Network scanning is a process used to identify active devices (hosts), services running on them, and other details about the system and network. It involves probing a network or a system with packets (messages sent over a network to check its status) to gather useful information.

See also: vulnerability scanner, port scanning, nmap, scanning attack

How network scanning works

  1. 1.Host discovery. This step involves determining which hosts on a network are online or offline. This is typically done by sending a ping request to the target hosts and waiting for a response.
  2. 2.Port scanning. Once the active hosts are identified, the next step is to check which ports are open on those hosts. This is usually done by sending packets to the ports of the target hosts and waiting for a response.
  3. 3.Service detection. This step involves determining what services are running on the open ports. Each port is usually associated with a particular service.
  4. 4.Operating system detection. The last step often involves determining the operating system the host uses. This can be done through various techniques, like analyzing the responses to specific queries.

Types of network scanning

  • Ping sweep involves pinging a range of IP addresses to find out which ones respond.
  • Port scanning involves scanning a host to check which network ports are open or closed.
  • ARP scanning uses the Address Resolution Protocol (ARP) to map IP network addresses to the MAC addresses used by a data link protocol.
  • SYN, or half-open scanning involves sending a SYN packet (part of the TCP handshake) and waiting for a response. If a SYN-ACK packet is received, the port is open. If an RST (reset) packet is received, the port is closed.
  • Connect scanning uses the connect system call to try and establish a full TCP connection with the target machine. If the connection is successful, the port is open.
  • UDP scanning involves sending UDP packets to the target hosts. If an 'ICMP port unreachable' error is returned, the port is closed. If there's no response, the port might be open.
  • Version detection scanning helps to determine the version of the services running on open ports.

Dangers of network scanning

Network scanning, while crucial for network management and security assessments, can also pose risks, particularly if used maliciously. Some potential dangers associated with network scanning include:

  • System compromise. If a malicious actor performs network scanning, they can discover open ports, services, and system data. They can use this information to exploit known vulnerabilities and gain access to systems.
  • Data breach. Once a system is compromised, the attacker can access sensitive data, resulting in a data breach. The accessed data can include personal details, financial information, trade secrets, and more.
  • Unintentional denial of service (DoS). Excessive network scanning can unintentionally overload a network or system, causing it to slow down or even crash. This effect is often unintentional and is a side effect of poorly executed or overly aggressive scanning.
  • Disruption of network operations. Intensive network scans can consume significant network resources, slowing down the network's operations. This can disrupt business processes, especially in organizations that rely on network communications.