---
title: "Active scanning"
---
An ((active scan)) identifies all responsive devices on a given network, fingerprints these devices, and populates the asset, services, screenshot, and software inventory. Regular scans of internal and external networks are an important step in network management. Scans are configured by site, Explorer, and scan scope. The scan scope can include IP ranges, domain names, ASNs, and even entire country codes.

When creating a new scan, you have multiple parameters you can set, ranging from scheduling a date to more advanced options. To get started, log in to the runZero Console, select Scan from the Data sources section of the navigation menu, and choose "Start Standard Scan". Scans can also be launched from the Inventory views.

<iframe src="https://demo.arcade.software/Q7h75Uukgz57Q82Qv4gH?embed" loading="lazy" allowfullscreen title="Walkthrough - Basic Scan Configuration"></iframe>

## Site {#discovering-site}

runZero organizes information into ((organizations)) and ((sites)). Organizations are distinct entities that are useful for keeping data separate and contain a collection of sites. Sites are used to model segmented networks, particularly independent networks which use the same private IP address ranges. 

For example, you might have multiple physical locations with their own local networks, all using the 10.0.0.0/8 private IP range. By defining them as sites, you can set up an Explorer for each, and the networks and assets will be treated as completely independent even if similar systems are seen at the same IP addresses in each.

<div class="alert alert-info">
<svg class="alert-icon" xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg>
<div class="alert-body">
runZero treats each site as a separate IP space. This enables overlapping subnets within an organization, but can result in duplication if the same network is scanned in different sites within the same organization.
</div>
</div>

Since scan analysis occurs at the site level, the boundaries you define for a site set the default scope for scans for that site.

## Explorer {#discovering-explorer}

Select the ((Explorer)) to run the scan from, chosen from the set of registered Explorers for the site. The Explorer you choose must be able to directly communicate with the networks and addresses you define for the discovery scope. The chosen Explorer should ideally be able to reach all addresses in the scope directly, without a firewall in the way. ((Stateful firewalls)) and ((VPN gateways)) may interfere with the discovery process.

## Hosted External Explorer {#discovering-hosted-external-explorer}
<!-- licenses: community, platform -->

runZero Platform users can perform scans of public IP space using runZero-hosted Explorers. When creating a scan, choose a ((Hosted External Explorer)) in the 'Run task with' dropdown. When using this option, the discovery scope must use public IP addresses or ranges, or resolve to public IP space.

## Discovery scope

The discovery ((scope)) defines the IP addresses that will be scanned. The scope uses the site settings when specified as the keyword "defaults", but may be changed on a per-scan basis as well. The scope should include at least one IP address or hostname. IPv4 ((address ranges)) can be specified in most standard formats:

  * `10.0.0.1`
  * `10.0.0.0/24`
  * `10.0.0.0/255.255.255.0`
  * `10.0.0.1-10.0.0.255`

IPv6 addresses can be specified individually, but IPv6 ranges are not supported. 

((Hostnames)) specified in the scope will be resolved at runtime by the assigned Explorer. If the hostname returns multiple IP addresses, all addresses in the response will be scanned. Hostnames can also have masks applied, indicating that the mask should expand to each resolved address of the hostname. For example, if `example.com` resolves to both `1.2.3.4` and `5.6.7.8`, the input of `example.com/24` would become `1.2.3.0/24` and `5.6.7.0/24`. IPv6 addresses returned from hostname resolution will be scanned if the Explorer has a valid IPv6 address and route to the target.
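The scope formats above, expanded with Python's standard `ipaddress` module, as an added example that is not runZero's own parser. The `resolved` table is a constructed stand-in for the Explorer's DNS lookup, and keeping resolved IPv6 addresses as single hosts when a mask is given is an assumption.

```python
import ipaddress

def expand_entry(entry, resolved):
    """Expand one scope entry into a list of networks.

    `resolved` maps hostname -> list of address strings (constructed stand-in
    for runtime DNS resolution by the Explorer).
    """
    entry = entry.strip()
    host, _, mask = entry.partition("/")
    if not mask and "-" in entry:
        first, _, last = entry.partition("-")
        try:
            lo = ipaddress.IPv4Address(first.strip())
            hi = ipaddress.IPv4Address(last.strip())
        except ValueError:
            pass  # not an address range: a hostname that contains '-'
        else:
            return list(ipaddress.summarize_address_range(lo, hi))
    try:
        addrs, literal = [ipaddress.ip_address(host)], True
    except ValueError:
        addrs, literal = [ipaddress.ip_address(a) for a in resolved[host]], False
    nets = []
    for addr in addrs:
        if addr.version == 6:
            if mask and literal:
                raise ValueError(f"IPv6 ranges are not supported: {entry}")
            # Assumption: a mask on a hostname is applied to IPv4 results only.
            nets.append(ipaddress.ip_network(str(addr)))
        else:
            # Accepts both /24 and /255.255.255.0; strict=False masks host bits.
            nets.append(ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False))
    return nets

def expand_scope(entries, resolved=None):
    """Expand every entry and merge overlapping or duplicate networks."""
    nets = [n for e in entries for n in expand_entry(e, resolved or {})]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)

# Constructed resolution table reproducing the page's example.com case.
RESOLVED = {"example.com": ["1.2.3.4", "5.6.7.8"]}
if __name__ == "__main__":
    for net in expand_scope(["10.0.0.1-10.0.0.255", "example.com/24"], RESOLVED):
        print(net)
```

Collapsing the result before a scan shows when several entries describe the same addresses, which matters because duplicated scope adds nothing but is easy to miss in a long list.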

<div class="alert alert-info">
<svg class="alert-icon" xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg>
<div class="alert-body">
runZero load balances the scan across as many subnets as possible, in a quasi-random order.
</div>
</div>

### Discovery keywords

The following keywords are supported for both scan scopes and exclusions.

 * **asn4**: The `asn4:<AS number>` keyword can be used to specify IPv4 ranges associated with a given AS number. 

 * **country4**: The `country4:<ISO code>` keyword can be used to specify IPv4 ranges associated with a given two-character country code.

 * **public** and **private**: The `public:<mode>` and `private:<mode>` keywords can be used to specify IPv4 and IPv6 addresses associated with assets in the current organization. The mode parameter can be set to `all`, `primary`, or `secondary` to indicate which IP addresses are used. The `public` keyword selects all non-reserved IP addresses associated with organization assets. The `private` keyword selects all RFC-1918 and private use IP addresses associated with organization assets.

 * **domain**: The `domain:<domain name>` keyword is available to cloud-hosted users and automatically selects publicly-known hostnames for a given domain name.

## Scan name

You can assign a name to your Scan task to make it easier to keep track of. 

## ((Scan speed))

Specify the maximum ((packet rate)) for the overall discovery process, in network packets per second. 500 is conservative; 3000 works for most LANs, including WiFi; 10000 or more may be helpful for large sites with fast connectivity.

The scan speed directly affects how long the scan will take to complete. An approximate formula is:

> time in seconds = hosts × ports × attempts ÷ scan speed

The number of hosts scanned is primarily determined by the discovery scope. The number of ports is around 500 by default, and three attempts are made to connect.

The number of hosts and ports scanned can be affected by the advanced scan options, and speed can also be impacted by maximum host rate and group size; see the descriptions of the advanced scan options below.

Note also that this formula doesn't take into account time taken to take screenshots, follow web server redirects, or process the scan data.

## ((Schedule|scheduled scans))

You can set a date and frequency for your scan task. Dates and times take into account your browser's advertised timezone. 

Scans scheduled to start in the past will be launched immediately and then repeated at the specified time based on the frequency selected.

## Scheduling ((grace period))

Specify the number of hours to wait for an available Explorer before giving up on this scan. A zero or negative value will result in the scan retrying indefinitely until an Explorer becomes available.

## Scan duration limit

You can specify a number of hours to limit scan duration to; if scanning is still in progress after this time has elapsed, the scan will be canceled. This does not limit processing time.

If you set this to 0, no limit is applied.

## Advanced scan options

The Advanced tab can be used to display and modify additional scan settings, such as network exclusions, scan speed, the ((ports)) covered by the TCP scan, and which ((probes)) are enabled. The default settings should work for most organizations but may need to be tweaked for slow networks or unreliable links. 

### Maximum host rate

As well as setting an overall scan rate in packets per second, you can also control the maximum rate at which packets are sent to any single host IP address. This is useful when you have devices which are easily overloaded by network traffic. The default should be safe for most systems.

### Max group size

When runZero scans your network, it spreads the scan load across many IP addresses at once. The ((max group size)) determines how many IP addresses can be actively scanned at once -- allowing for the fact that hosts may take some time to respond to probes. The max group size needs to be at least as large as the overall scan speed, or else it would limit the speed of the scan to below the set value. If you provide a value that's lower than the overall scan speed, it will be increased automatically at scan time.

The max group size is mostly useful when dealing with stateful network devices that can only track a limited number of connections at once, as a way to restrict how many active TCP sessions will result from a runZero scan.

### Max TTL

The IP standards define a maximum hop count for packets. In IPv4, this is called the ((Time To Live)) or TTL, while in IPv6 this is called the Hop Limit. Every device processing a packet must decrease the TTL or Hop Limit by one. If this value reaches zero, the router receiving the packet must discard the packet. This setting can be used to set the maximum hop limit for scan traffic.

### ToS

The IP standards define a ((Type of Service)) or ToS field for packets. In IPv4, this is called the Type of Service or ToS, while in IPv6 it is called the Traffic Class or TC. The ToS or Traffic Class is used by switches and routers to prioritize network traffic. The lower bits of the IPv4 ToS are also used for congestion control. This setting can be used to set the ToS or Traffic Class for scan traffic.

Please note that the ToS/Traffic Class settings do not apply to all traffic sent by runZero, but instead are limited to the basic discovery probes. Some protocols, such as SNMP, and integrations, such as VMware, do not set the ToS/Traffic Class fields on their corresponding packets. If all scan traffic must be consistently tagged with the correct ToS or Traffic Class, this can be accomplished through settings on the managed switch port instead.


### TCP ports

The **Included TCP ports** and **Excluded TCP ports** fields can be used to override the default scan ports. The string "defaults" will look up the current default port list at scan time. The current port list is:

<p class="ports">
<!-- include portList -->
</p>

### Prescan modes for large IP spaces

Sometimes, the scope of your IP space is unknown, subnet usage is unknown, and the total number of assets is unknown. These unknowns can make it challenging to optimize your discovery scans for efficiency and speed. And when your IP space is large, like a /16 space with a few thousand IPs in use, a full discovery scan can take more time to complete, since it looks at more than 500 TCP ports and 15 UDP ports on every address. In these types of cases, you may want to tune your scan settings to prefilter ranges and IP addresses before a full scan.

runZero has two ((prescan modes)) that you can use to run a faster scan: ((subnet sampling)) and ((host ping)).

#### Subnet sampling

<!-- licenses: community, platform -->

To speed up scans of large subnets you can use the **"Only scan subnets with active hosts"** advanced scan option. If this option is on, a prescan runs against the target space to identify the subnets with an active host. This mode leverages heuristics runZero has collected to identify addresses that are more likely to be responsive across subnets. This process allows runZero to quickly scan larger spaces by identifying the subnets that are in use, before starting full probes. All subnets that are identified as having active hosts are then fully scanned -- unless you enable host pings.

There are two tweakable parameters for subnet sampling. The ((sample rate)) determines what percentage of addresses in each subnet are prescanned to determine if the subnet should be scanned. The ((subnet size)) determines how many IP addresses are in each subnet. By default, the subnet size is 256 addresses, corresponding to a /24 subnet, and 3% of the addresses in each subnet are prescanned.
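A planning sketch that applies the approximate formula from the Scan speed section to a large scope with and without subnet sampling, as an added example that is not runZero code. The active host list is constructed, the prescan is assumed to find every subnet that contains an active host, rounding the per-subnet sample up is an assumption, and the prescan's own packet cost is left out because the page gives no figure for it.

```python
import ipaddress
import math

def scan_seconds(hosts, ports=500, attempts=3, rate=3000):
    """The page's approximation: hosts x ports x attempts / scan speed."""
    return hosts * ports * attempts / rate

def sampling_plan(scope, active_hosts, subnet_size=256, sample_rate=0.03, **scan):
    """Compare a full scan of `scope` with a scan limited to active subnets."""
    if subnet_size & (subnet_size - 1):
        raise ValueError("subnet_size must be a power of two")
    net = ipaddress.ip_network(scope)
    prefix = net.max_prefixlen - (subnet_size.bit_length() - 1)
    subnets = set(net.subnets(new_prefix=prefix))
    # Subnets holding at least one active host.
    # Assumption: the prescan detects every one of them.
    live = {ipaddress.ip_network(f"{h}/{prefix}", strict=False)
            for h in active_hosts}
    live &= subnets  # ignore hosts that fall outside the scope
    full_hosts = len(live) * subnet_size
    return {
        "subnets": len(subnets),
        # Assumption: the sample is rounded up to whole addresses per subnet.
        "prescanned_addresses": len(subnets) * math.ceil(subnet_size * sample_rate),
        "live_subnets": len(live),
        "full_scan_hosts": full_hosts,
        "full_seconds": scan_seconds(net.num_addresses, **scan),
        "sampled_seconds": scan_seconds(full_hosts, **scan),
    }

# Constructed inventory: 18 hosts spread over six /24 subnets of a /16.
ACTIVE = [f"10.20.{s}.{h}" for s in (0, 1, 2, 10, 11, 50) for h in (1, 17, 200)]

if __name__ == "__main__":
    plan = sampling_plan("10.20.0.0/16", ACTIVE)
    for key, value in plan.items():
        print(f"{key:22} {value}")
```

With the defaults of 500 ports, three attempts and 3000 packets per second, the full /16 comes out at roughly nine hours, while the six active /24 subnets take under a quarter of an hour once the prescan has identified them.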

#### Host ping

After you have some insights on the subnets that are in use, you may want to limit the full scan to only addresses that respond to the most common ping methods, such as ICMP and some TCP and UDP ports. If you choose the **"Limit scans to pingable hosts"** advanced scan option, only hosts that respond to a ping request will be fully scanned.

The runZero Explorer uses multiple protocols for ping scans:
- Conventional ((ICMP ping)), performed by sending an ICMP echo request and looking for an ICMP echo reply.
- ((TCP ping)), performed by sending a TCP SYN packet to a series of common ports and seeing whether the host responds with RST or TCP SYN/ACK.
- ((UDP ping)), performed by sending a packet to port 65535 and checking for an ICMP response of port unreachable.

The set of ports used for TCP and UDP ping can be adjusted in the LAYER2 section of the Probes and SNMP tab when setting up a scan task.

Note that it is relatively common for enterprise firewalls to be set up to block ping, or for hosts to be set up not to respond to ping requests. Limiting scans to pingable hosts can therefore result in assets being missed entirely, even if their IP addresses are probed. If your goal is to speed up scan times, subnet sampling is usually the better option.

It's possible to use both subnet sampling and limiting scans to pingable hosts at the same time, but this is not recommended except as a last resort for reducing scan times.

