Discovering Assets

A discovery scan finds, identifies, and builds an inventory of all the connected devices and assets on your internal network. Running a discovery scan routinely will help you keep track of and know exactly what is on your network.

Discovery scans are configured by site, explorer, and scope. In order to run a scan against a specific site, an explorer must be activated and either assigned to that site or configured for all sites.

When creating a new scan, you have multiple parameters you can set, ranging from scheduling a date to more advanced options. To launch a discovery scan, browse to the Inventory page and click the New Scan button in the upper right.


Target site

Rumble organizes information into organizations and sites. Organizations are distinct entities that are useful for keeping data separate and contain a collection of sites. Sites help segment networks and contain a collection of assets. Since analysis occurs at the site level, the boundaries you define for a site set the scope for scans.

Each site has a set of registered agents that you can select for the scan. The agent you choose for the site must be able to directly communicate with the networks you have defined for the discovery scope.

Discovery explorer

Select the explorer to run the scan from.

This explorer should be able to reach all networks listed in the Scope, preferably without a firewall in the way. Stateful firewalls and VPN gateways may interfere with the discovery process and scans should instead be performed from an explorer with direct network access.

Discovery scope

The Scope defines which IP ranges will be scanned. The scope uses the Site settings when specified as “defaults”, but may be changed on a per-scan basis as well. The scope should include at least one IP address or hostname. IP address ranges can be specified in most standard formats:

  • 10.0.0.1
  • 10.0.0.0/24
  • 10.0.0.0/255.255.255.0
  • 10.0.0.1-10.0.0.255

Hostnames specified in the scope will be resolved at runtime by the assigned explorer. If the hostname returns multiple IP addresses, all addresses in the response will be scanned. Hostnames can also have masks applied, indicating that the mask should expand to each resolved address of the hostname. For example, if example.com resolves to both 1.2.3.4 and 5.6.7.8, the input of example.com/24 would become 1.2.3.0/24 and 5.6.7.0/24.
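To preview which networks a scope will cover before scheduling a scan, the expansion rules above can be reproduced offline. This is an added example, not Rumble's code: the function names, the IPv4-only handling, and the stub DNS table (constructed to match the example.com case) are assumptions.

```python
import ipaddress
import socket

def resolve(hostname):
    """Resolve a hostname to its IPv4 addresses (assumed stand-in for the explorer's lookup)."""
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET)
    return sorted({info[4][0] for info in infos})

def expand_entry(entry, resolver=resolve):
    """Expand one scope entry into a list of IPv4Network objects."""
    entry = entry.strip()
    if "-" in entry and "/" not in entry:
        first, _, last = entry.partition("-")
        try:  # range form, e.g. 10.0.0.1-10.0.0.255
            lo = ipaddress.IPv4Address(first.strip())
            hi = ipaddress.IPv4Address(last.strip())
        except ValueError:
            pass  # not two addresses: treat as a hostname containing a hyphen
        else:
            if lo > hi:
                raise ValueError(f"range start is after range end: {entry}")
            return list(ipaddress.summarize_address_range(lo, hi))
    host, sep, mask = entry.partition("/")
    mask = mask if sep else "32"
    try:
        addresses = [str(ipaddress.IPv4Address(host))]
    except ValueError:
        addresses = resolver(host)  # hostname: every resolved address is used
    # strict=False applies the mask to each address: 1.2.3.4/24 -> 1.2.3.0/24
    return [ipaddress.ip_network(f"{a}/{mask}", strict=False) for a in addresses]

def expand_scope(entries, resolver=resolve):
    """Expand all entries and merge overlapping or duplicate networks."""
    networks = [n for e in entries for n in expand_entry(e, resolver)]
    return list(ipaddress.collapse_addresses(networks))

def address_count(networks):
    return sum(n.num_addresses for n in networks)

# Constructed DNS data matching the example.com case in the text above.
SAMPLE_DNS = {"example.com": ["1.2.3.4", "5.6.7.8"]}

if __name__ == "__main__":
    scope = ["10.0.0.1", "10.0.0.0/24", "10.0.0.0/255.255.255.0",
             "10.0.0.1-10.0.0.255", "example.com/24"]
    merged = expand_scope(scope, SAMPLE_DNS.__getitem__)
    for net in merged:
        print(net)
    print("addresses in scope:", address_count(merged))
```

Note that a masked hostname can pull in addresses that belong to neighbouring hosts in the same block, so the address count is worth checking against what you are authorized to scan.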

Scan name

Assign a name to your Scan task to make it easier to keep track of.

Schedule

You can set a date and frequency for your scan task. Dates and times take into account your browser’s advertised timezone.

Scans scheduled to start in the past will be launched immediately and then repeated at the specified time based on the frequency selected.

Scan speed

Specify the maximum packet rate for the discovery process. A rate of 500 is conservative, 3000 works for most LANs, and 10000 or more may be helpful for large sites with fast connectivity.

Schedule grace period

Specify the number of hours to wait for an available explorer before giving up on this scan. A zero or negative value will result in the scan retrying indefinitely until an explorer becomes available.

Advanced scan options

The Advanced Options button can be used to display and modify additional scan settings, such as network exclusions, scan speed, the ports covered by the TCP scan, and which probes are enabled. The default settings should work for most organizations but may need to be tweaked for slow networks or unreliable links.

TCP ports

The TCP ports field can be used to override the default scan ports. The string “defaults” will look up the current default port list at scan time. The current port list is:

1, 7, 9, 13, 19, 21, 22, 23, 25, 37, 42, 49, 53, 69, 79, 80, 81, 82, 83, 84, 85, 88, 102, 105, 109, 110, 111, 113, 123, 135, 137, 139, 143, 161, 179, 222, 264, 384, 389, 402, 407, 443, 445, 465, 500, 502, 512, 513, 515, 523, 524, 540, 548, 554, 587, 617, 623, 631, 636, 689, 705, 771, 783, 873, 888, 902, 903, 910, 912, 921, 993, 995, 998, 1000, 1024, 1030, 1035, 1080, 1089, 1090, 1091, 1098, 1099, 1100, 1101, 1102, 1103, 1128, 1129, 1158, 1199, 1211, 1220, 1234, 1241, 1300, 1311, 1352, 1433, 1440, 1494, 1521, 1530, 1533, 1581, 1582, 1583, 1604, 1720, 1723, 1755, 1811, 1883, 1900, 2000, 2049, 2082, 2083, 2100, 2103, 2121, 2181, 2199, 2207, 2222, 2323, 2362, 2375, 2379, 2380, 2381, 2525, 2533, 2598, 2601, 2604, 2638, 2809, 2947, 2967, 3000, 3037, 3050, 3057, 3128, 3200, 3217, 3273, 3299, 3306, 3311, 3312, 3351, 3389, 3460, 3500, 3628, 3632, 3690, 3780, 3790, 3817, 4000, 4322, 4433, 4443, 4444, 4445, 4567, 4659, 4679, 4730, 4786, 4840, 4848, 5000, 5038, 5040, 5051, 5060, 5061, 5093, 5168, 5222, 5247, 5250, 5351, 5353, 5355, 5400, 5405, 5432, 5433, 5498, 5520, 5521, 5554, 5555, 5560, 5580, 5601, 5631, 5632, 5666, 5672, 5683, 5800, 5814, 5900, 5920, 5938, 5984, 5985, 5986, 6000, 6001, 6002, 6050, 6060, 6070, 6080, 6082, 6101, 6106, 6112, 6262, 6379, 6405, 6502, 6503, 6504, 6542, 6660, 6661, 6667, 6905, 6988, 7001, 7021, 7071, 7077, 7080, 7144, 7181, 7210, 7443, 7474, 7510, 7547, 7579, 7580, 7700, 7770, 7777, 7778, 7787, 7800, 7801, 7879, 7902, 8000, 8008, 8009, 8012, 8014, 8020, 8023, 8028, 8030, 8080, 8081, 8087, 8088, 8089, 8090, 8095, 8098, 8161, 8180, 8205, 8222, 8300, 8303, 8333, 8400, 8443, 8471, 8503, 8545, 8686, 8800, 8812, 8834, 8880, 8883, 8888, 8899, 8901, 8902, 8903, 9000, 9002, 9042, 9060, 9080, 9081, 9084, 9090, 9092, 9099, 9100, 9111, 9152, 9160, 9200, 9300, 9390, 9391, 9418, 9443, 9471, 9495, 9809, 9855, 9524, 9595, 9527, 9530, 9999, 10000, 10001, 10008, 10050, 10051, 10080, 10098, 10162, 10202, 10203, 10443, 10616, 10628, 11000, 11099, 11211, 11234, 
11333, 12174, 12203, 12221, 12345, 12397, 12401, 13364, 13500, 13838, 14330, 15200, 15672, 16102, 16992, 16993, 17185, 17200, 18264, 18881, 19300, 19810, 19888, 20000, 20010, 20031, 20034, 20101, 20111, 20171, 20222, 22222, 23472, 23791, 23943, 25000, 25025, 26000, 26122, 27000, 27017, 27019, 27080, 27888, 28017, 28222, 28784, 30000, 30718, 31001, 31099, 32764, 32913, 34205, 34443, 34962, 34963, 34964, 37718, 37777, 38080, 38292, 40007, 40317, 41025, 41080, 41523, 41524, 44334, 44818, 45230, 46823, 46824, 47001, 47002, 48899, 49152, 50000, 50013, 50070, 50090, 52302, 55553, 57772, 61616, 62078, 62514, 65535

Set prescan modes for large IP spaces

Sometimes, the scope of your IP space is unknown, subnet usage is unknown, and the total number of assets is unknown. These unknowns can make it challenging to optimize your discovery scans for efficiency and speed. And when your IP space is large, like a /16 space with a few thousand IPs in use, a full discovery scan can take more time to complete, since it looks at more than 500 TCP ports and 15 UDP ports on every address. In these types of cases, you may want to tune your scan settings to prefilter ranges and IP addresses before a full scan.

Rumble has two prescan modes that you can use to run a lighter scan: subnet ping and host ping.

Subnet ping

To speed up the scan, set the “Only scan subnets with active hosts” advanced scan option on the Scan configuration page. If this option is on, a prescan runs against the target space to identify the subnets with an active host. This mode leverages heuristics Rumble has collected to identify addresses that are more likely to be responsive across subnets. This process allows Rumble to quickly scan larger spaces by identifying the subnets that are in use before starting probes. All subnets that are identified are fully scanned, unless you enable host pings.

Host ping

After you have some insights on the subnets that are in use, you may want to limit the full scan to only addresses that respond to the most common ping methods, such as ICMP and some TCP and UDP ports. Only hosts that respond to the request will be fully scanned. Choose the “Only scan hosts that respond to pings” advanced scan option on the Scan configuration page. You can use this option in conjunction with subnet pings to accelerate your scan time.