Passive sampling

As well as active scans, you can set up runZero Explorers to listen passively for network traffic. While network scans will typically provide better information, passive sampling can be useful on networks where you are not permitted to scan. It can also be useful for finding new hosts on the network.

Only one of sampling or scanning can be active on a single Explorer at any time, but you can schedule scan tasks for an Explorer with passive sampling enabled and the system will ensure that the scans still run. When the Explorer has no tasks assigned, it will go back to passive sampling.

Configuring passive sampling

Passive sampling is set up on the Explorer configuration page. Choose Deploy from the left navigator and click on an Explorer. The Passive traffic sampling box allows you to configure the feature.

The network interfaces available to the Explorer will be shown on the left. You do not need to use an interface connected to a SPAN or TAP port; a regular network interface will work.

The network interface used for passive sampling needs to permit promiscuous mode, where all traffic is passed unfiltered. If it does not, passive sampling will fail and an empty task will be created with an error shown.

The Discovery scope specifies the range of IP addresses for which assets are created when traffic is seen. You can also specify Excluded hosts if there are IP addresses whose traffic you want to ignore.
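To sanity-check these two settings before enabling sampling, the following added example (not runZero code) classifies a constructed list of observed source addresses against a Discovery scope and an Excluded hosts list. It assumes entries are CIDR blocks or single IP addresses and that exclusions take precedence over the scope; the function names and sample values are hypothetical.

```python
import ipaddress

def parse_entries(entries):
    """Turn CIDR blocks or single addresses into ip_network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]

def in_any(addr, networks):
    """True if addr falls inside any network of the same IP version."""
    return any(addr.version == n.version and addr in n for n in networks)

def preview(observed, scope, excluded):
    """Label each observed address 'asset', 'excluded' or 'out_of_scope'.

    Assumption: an address on the excluded list is ignored even when it
    also falls inside the discovery scope.
    """
    scope_nets = parse_entries(scope)
    excluded_nets = parse_entries(excluded)
    result = {}
    for raw in observed:
        addr = ipaddress.ip_address(raw)
        if in_any(addr, excluded_nets):
            result[raw] = "excluded"
        elif in_any(addr, scope_nets):
            result[raw] = "asset"
        else:
            result[raw] = "out_of_scope"
    return result

# Constructed sample values, not taken from any real network.
SAMPLE_SCOPE = ["10.20.0.0/16", "192.168.50.0/24"]
SAMPLE_EXCLUDED = ["10.20.0.1", "10.20.255.0/24"]
SAMPLE_OBSERVED = ["10.20.4.17", "10.20.0.1", "10.20.255.9",
                   "192.168.50.12", "172.16.3.3", "fe80::1"]

if __name__ == "__main__":
    verdicts = preview(SAMPLE_OBSERVED, SAMPLE_SCOPE, SAMPLE_EXCLUDED)
    for ip, verdict in verdicts.items():
        print(f"{ip:<15} {verdict}")
```

Addresses reported as out_of_scope are worth reviewing: they show traffic the sampling interface can see but for which the configured scope would not create assets.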

The Site option allows you to set the site where newly discovered assets will be created. It has no effect on the range of IP addresses that assets are created for.

You can set Asset tags on assets discovered through passive traffic sampling. This can be helpful for reviewing the new assets and setting up scans to obtain more information about them.
