Coverage reports help you understand potential blind spots on your network by identifying which IP spaces have been scanned, which ones contain assets, and which ones still are unknown. With this information, you can find things like missing subnets, rogue devices, and misconfigurations.
How do I access the coverage reports?
The RFC1918 coverage report helps you better track and identify the subnets that are in use on your internal network, the ones that have been scanned, and the ones that haven’t been scanned.
TCP/IP version 4 reserves three ranges of IP addresses for private use. Specified in RFC1918, they are:
| CIDR | Address range | Number of addresses |
|---|---|---|
| 10.0.0.0/8 | 10.0.0.0 - 10.255.255.255 | 16,777,216 |
| 172.16.0.0/12 | 172.16.0.0 - 172.31.255.255 | 1,048,576 |
| 192.168.0.0/16 | 192.168.0.0 - 192.168.255.255 | 65,536 |
Most companies use these address ranges for their internal IPv4 networks, connecting them to the Internet via Network Address Translation (NAT).
To help you visualize and assess your RFC1918 coverage, the RFC1918 report includes:
A common network security and administration goal is to scan all of the available private IP addresses, to detect which subnetworks are in use on your internal network. Because of the large number of addresses, this can take a long time, leaving the problem of tracking which addresses have been scanned and which have not.
To solve this problem, Rumble’s coverage report shows a graphical map of the RFC1918 private address spaces, showing which pieces have been scanned and to what percentage of completion. This is found under Reports on the main menu, as the Coverage tab.
In the following example, we’re looking at the top left corner of a 10.0.0.0/8 coverage map. The 10.0.0.0/16 subnet has been scanned to 5% completion, 10.1.0.0/16 hasn’t been scanned at all, 10.2.0.0/16 has been 17% scanned, and so on. On the second row, 10.17.0.0/16 has been scanned 32% (row value 16 + column value 1 = 17).
Rumble will sometimes detect that a device has additional IP addresses which are not part of the range being scanned. This can indicate that the device is present on an unscanned part of the private IP address space. The coverage reports show this by drawing a red border around the appropriate grid cell.
So in the above image, 10.17.0.0/16 contains at least one IP address which was detected as belonging to a device, but which hasn’t been scanned yet – it’s part of the 68% of the address range remaining unscanned. Meanwhile, 10.18.0.0/16 is completely unscanned, and also apparently contains at least one IP address that is in use.
You can hover the mouse cursor over a cell to see a tooltip showing the CIDR address range the cell represents, how many unscanned hosts are believed to be in that range, and what percentage of the entire range has been scanned.
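The per-cell percentage and the red-border condition described above can be reproduced offline from a list of scanned CIDRs, which is useful for cross-checking scan plans. The following Python sketch is an added example, not Rumble's own code: the function name, sample ranges and sample addresses are constructed, and the 16-column grid layout is an assumption inferred from the "row value 16 + column value 1 = 17" description.

```python
import ipaddress

# Constructed sample input: ranges already scanned, and extra addresses
# that scanned devices reported on other interfaces.
SAMPLE_SCANNED = ["10.2.0.0/18", "10.2.0.0/24", "10.17.0.0/17"]
SAMPLE_OBSERVED = ["10.17.1.1", "10.17.200.5", "10.18.4.20"]

def cell_report(block, cell_prefix, scanned, observed):
    """Coverage per grid cell of `block`, each cell a /cell_prefix.

    Returns {cell_cidr: {"pct", "row", "col", "flagged"}}; "flagged" marks
    a cell holding an observed address that no scan has covered.
    """
    # Collapse overlaps so an address scanned twice is counted once.
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in scanned))
    seen = [ipaddress.ip_address(a) for a in observed]
    unscanned = [a for a in seen if not any(a in n for n in nets)]
    report = {}
    cells = ipaddress.ip_network(block).subnets(new_prefix=cell_prefix)
    for index, cell in enumerate(cells):
        covered = 0
        for n in nets:
            if n.subnet_of(cell):        # scan range inside this cell
                covered += n.num_addresses
            elif cell.subnet_of(n):      # scan range spans the whole cell
                covered = cell.num_addresses
        report[str(cell)] = {
            "pct": round(100 * covered / cell.num_addresses),
            "row": index // 16 * 16,     # row label (assumed 16 columns)
            "col": index % 16,           # column label
            "flagged": any(a in cell for a in unscanned),
        }
    return report

if __name__ == "__main__":
    grid = cell_report("10.0.0.0/8", 16, SAMPLE_SCANNED, SAMPLE_OBSERVED)
    for cidr, c in grid.items():
        if c["pct"] or c["flagged"]:
            print(cidr, f'{c["pct"]}% scanned', "UNSCANNED ASSET" if c["flagged"] else "")
```

The same function handles the /24 cells of a /16 grid by passing `cell_prefix=24`.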
For the 192.168.0.0/16 map, each cell on the grid represents a /24 (256 addresses). Clicking a cell will take you to the subnet analysis report for that range and list the assets found.
For a map that shows a large address range, such as 10.0.0.0/8, each cell represents an entire /16 range of 65,536 addresses. To help narrow down the search for assets and unscanned hosts, you can click on any cell that represents a /16 range to go to a grid map showing just that range. From a /16 grid, you can use the link at top right to go back to the full range map.
On the /16 sub-grids, each cell is a /24, so clicking one takes you to the subnet analysis for that specific cell’s address range, like on the 192.168.0.0/16 map.
At the top of the coverage report page, you can see statistics showing how much of the RFC1918 address space you have scanned. Another box breaks the coverage down by the three blocks of reserved addresses.
Clicking the binoculars icon in the summary box will create a sample scan task, covering the unscanned address ranges. The refresh buttons create scan tasks to rescan all of the appropriate range.