Passive sampling
runZero Explorers can identify assets, services, and vulnerabilities by passively monitoring network traffic. Passive sampling can serve as an alternative data source when active scanning is prohibited, and it is helpful for identifying unknown IP ranges. Passive sampling tasks are limited to using a single CPU core and will temporarily skip packets when this limit is reached. If an active scan is run on an Explorer with a passive sampling task, the passive task will be interrupted, and then restarted once the active scan completes.
Configuring passive sampling
Passive sampling can be configured from the Explorer details screen. Choose Deploy from the left navigator and click on an Explorer. The network interfaces available for passive sampling will be shown on the left. Once enabled, the sampling task will process any available traffic received on these interfaces, including plain layer-2 frames from SPAN and TAP ports, encapsulated traffic using 802.1q (aka VLAN or QinQ), and layer-3 encapsulated traffic using GRE or VXLAN. While a full SPAN capture will provide the best results, any traffic, including broadcast, is useful for additional enrichment.
Passive sampling tasks will automatically enable promiscuous mode for the specified interfaces. Some virtual infrastructure, such as VMware ESXi, may require promiscuous mode to be enabled on the virtual switch before traffic is forwarded to the interface.
The Discovery scope specifies which IP ranges should be considered for asset, service, and vulnerability creation. Traffic that doesn’t include a source or destination within an allowed range will be ignored. You can also specify Excluded hosts if there are IP ranges you want to skip.
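To see what the Discovery scope and Excluded hosts settings mean for tagged SPAN traffic, the sketch below strips stacked VLAN tags from a frame and keeps only the endpoints that fall inside the scope. It is an added illustration, not runZero's code: the function names, the sample frames, and the rule that an excluded address is dropped even when it is in scope are assumptions, and GRE and VXLAN decapsulation are left out.

```python
import ipaddress
import struct

VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q tag and the outer QinQ (802.1ad) tag
ETH_IPV4 = 0x0800

def ipv4_endpoints(frame):
    """Return (src, dst) of an IPv4 frame, skipping any stacked VLAN tags."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 4:
            return None  # truncated inside a VLAN tag
        # Skip the 2-byte TCI and read the EtherType that follows it.
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return None
    src = ipaddress.IPv4Address(frame[offset + 12:offset + 16])
    dst = ipaddress.IPv4Address(frame[offset + 16:offset + 20])
    return src, dst

def in_scope_hosts(frame, scope, excluded):
    """Assumed rule: keep an endpoint when it is in scope and not excluded."""
    endpoints = ipv4_endpoints(frame)
    if endpoints is None:
        return []
    allowed = [ipaddress.ip_network(n) for n in scope]
    skipped = [ipaddress.ip_network(n) for n in excluded]
    return [str(ip) for ip in endpoints
            if any(ip in n for n in allowed) and not any(ip in n for n in skipped)]

def build_frame(src, dst, vlan_tags=()):
    """Constructed sample frame: zeroed MACs, optional tags, bare IPv4 header."""
    frame = bytes(12)
    for tpid, vid in vlan_tags:
        frame += struct.pack("!HH", tpid, vid)
    frame += struct.pack("!H", ETH_IPV4)
    header = bytes([0x45]) + bytes(11)
    header += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return frame + header

if __name__ == "__main__":
    scope, excluded = ["10.0.0.0/8"], ["10.0.5.0/24"]
    tagged = build_frame("10.0.1.20", "203.0.113.7", [(0x88A8, 100), (0x8100, 20)])
    print(in_scope_hosts(tagged, scope, excluded))
    print(in_scope_hosts(build_frame("198.51.100.5", "203.0.113.7"), scope, excluded))
```

A frame with neither endpoint in scope returns an empty list, which corresponds to the traffic being ignored.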
The Site option specifies where assets should be created and updated. If the same IPs exist in other sites, this can lead to duplicate asset records.
You can set Asset tags for systems identified through passive traffic sampling. This can be helpful for reviewing the new assets and setting up scans to obtain more information about them.