A console utility to discover local network hosts (devices).
Designed for speed: utilizes a customizable network scanning/probing pipeline in parallel mode. By default, uses up to 128 concurrent threads, completing a standard /24 SOHO subnet in a matter of seconds.
No elevated privileges required, runs completely in user-space. However, this imposes certain restrictions, not all scanning/probing methods can be implemented.
Cross-platform: Windows, Linux, macOS; and portable: the built binary contains all required dependencies within itself and may safely be copied wherever it's needed.
And, of course, colored console output with spinner 😊
Disclaimer: The application is in the alpha stage, not all planned features are implemented yet, and there may be bugs as well.
You can get a ready-to-go binary from /bin directory. The command line flags are as follows:
netscan <IP address or CIDR range> [OPTIONS]
The scan target is passed as an IP or CIDR string. In the latter case, network and broadcast IPv4 addresses are automatically omitted from the scan range.
Only private networks are allowed.
There's a limit of 65,536 addresses per single scan. This is not due to any code limitations, just an arbitrary decision like "ought to be enough for anybody" 😉
Options are used to configure the scanning pipeline. Each target address is challenged with different detection/probing methods sequentially. Currently available options are:
-c, --tcp TCP connection probe (not tested with IPv6 yet)
-n, --nbstat NetBIOS NBSTAT probe, only IPv4, useful against Windows machines
-p, --ping ICMP Echo (ping) probe (currently only Windows and only IPv4)
-a, --arp ARP passive discovery (local system cache lookup)
By default, if no options are provided, the TCP probing with ARP passive discovery is used.
The maximum number of parallel threads may be customized with -t, --threads switch. The default value is 128. One target is one thread, and one scanner takes approximately a second – that is, a ubiquitous IPv4 /24 home subnet (254 hosts) scan with all the 3 currently available scanners enabled (-cnp option) will last about 🚀 6 seconds. Nevertheless, you're safe to interrupt the program with Ctrl+C any time you wish.
It takes 5 easy steps. Ensure you have Go installed in your system (only for build, not required later to run, the Go binaries are self-contained) beforehand.
# 1. Clone the repository
git clone https://github.com/flexits/netscan
# 2. Navigate to project directory
cd netscan
# 3. Download dependencies
go mod tidy
# 4. Build the project
go build .
# 5. Run the application
./netscan
- Extend ICMP Echo functionality to IPv6 and Linux/macOS.
- More up to date or sophisticated probing techniques: maybe mDNS/LLMNR, SCTP Init, IPv6 Neighbor Solicitation, something else.
- Extended functionality like OS fingerprinting or banner grabbing, command-line switch to enable port scanning.
For those who are interested, you're not required to read this just to use the app.
First of all, external libraries: pterm to beautify console output and go-flags to parse command line arguments.
The target address range is processed, validated, and its boundaries (first and last addresses) are determined. To save memory (RAM is a bit 💰 pricey these days, isn’t it?), we do not pre-generate an array of target addresses for the range; instead, the next address is calculated dynamically on demand.
Each detection method is implemented as a discrete thread-safe piece of code. All scanners have a uniform Scanner interface and there's a ScannersManager service that takes the parsed user input and creates only the needed scanners. Every scanner has 1 second timeout (maybe will fine-tune later if needed).
For each target address we start a dedicated goroutine (with respect to the limit, of course - after we've hit the ceiling, we're waiting for some goroutines to complete). Inside the goroutine, we get the configured scanners from the ScannersManager and call the scanning code in sequence.
The scan results are filtered (the unreachable and unknown hosts are removed) and printed on the screen.
TCP scanner attempts to open connection to the target host on a number of ports (80, 443, 22, 445, 3389). Uses the standard Go runtime, nothing fancy.
NetBIOS scanner works the same way, sends the NBSTAT question to the target's 137/UDP and waits for the answer. It's rather ancient, only IPv4 by design and is useful mainly against Windows machines (maybe also some printers and stuff like that).
ICMP Echo scanner (Windows) utilizes IcmpSendEcho WinAPI function to send requests and get responses. For Linux/macOS I'll probably stick with Google's x/net/icmp package.
ARP parser (macOS, *BSD) utilizes the corresponding native syscall and is based on the code of goarp project which in it's turn is an adaptation of the *BSD arp utility source code.
ARP parser (Windows) processes the "arp -a" output and Linux version reads "/proc/net/arp".