Network reconnaissance

Network reconnaissance is a term for testing for potential vulnerabilities in a computer network. This may be a legitimate activity by the network owner/operator, seeking to protect it or to enforce its acceptable use policy. It also may be a precursor to external attacks on the network.

Certain apparent reconnaissance activities that would be highly suspicious if they came from outside the network may be perfectly normal performance and reliability monitoring when performed inside the boundaries of the network. Some network intrusion detection systems have difficulty determining whether a reconnaissance activity is internal or external, and generate many false alarms, causing fear, uncertainty and doubt.

Address sweeps
Sometimes called a ping sweep, an address sweep is intended principally to discover whether specific Internet Protocol addresses in the network are associated with active computers. As a legitimate network management technique, this can be part of network discovery. To monitor the use of address space allocations, the address registries that allocate the addresses may scan organizations to see if they are using all their space, which is a scarce resource with Internet Protocol version 4.

Organizations accessible from the public Internet have assigned blocks of addresses, the ranges of which are available in address registries. The way in which the blocks are subdivided, and whether specific addresses are active, is not public information.

In practice, an existing network may not have been well documented, and a new network administrator may need to do network discovery just to document the subdivisions (i.e., "subnetting") and the existence of computers.

Port scanning
Port scanning covers a wide range of activities that involve sending a stimulus to the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port identifiers of specific services on specific computers. If an address sweep is analogous to checking whether a building exists at a given street address, a port scan is closer to testing the doors to see if they are locked, or at least to see if specific apartments or rooms exist.

There is no single mechanism for port scanning, as different TCP and UDP services respond to different kinds of protocol messages.
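
A defender's view of the two activities described above, combined with the internal-versus-external distinction from the introduction, as an added example that is not part of the original article. It classifies sources in a flow log as address sweeps or port scans and labels where they come from; the log format, network range, allowlisted monitoring host and thresholds are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the article): the monitored range, the allowlisted
# monitoring host and both thresholds are illustrative values.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")
MONITORING_HOSTS = {"10.0.0.5"}
SWEEP_HOSTS = 4   # distinct destination addresses probed by one source
SCAN_PORTS = 4    # distinct services probed on a single destination

def classify(lines):
    """Return {src: (activity, origin)} for sources that exceed a threshold.

    Each record is 'src dst proto dport' (a constructed format; ICMP has
    no ports, so its records carry 0 as a placeholder).
    """
    dsts = defaultdict(set)    # src -> destination addresses seen
    ports = defaultdict(set)   # (src, dst) -> (proto, port) pairs seen
    for line in lines:
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        dsts[src].add(dst)
        ports[(src, dst)].add((proto, int(dport)))
    findings = {}
    for src, seen in dsts.items():
        most_ports = max(len(ports[(src, d)]) for d in seen)
        if most_ports >= SCAN_PORTS:
            activity = "port scan"        # many doors tried on one building
        elif len(seen) >= SWEEP_HOSTS:
            activity = "address sweep"    # many street addresses checked
        else:
            continue
        if src in MONITORING_HOSTS:
            origin = "expected internal monitoring"
        elif ipaddress.ip_address(src) in INTERNAL_NET:
            origin = "internal, unlisted"
        else:
            origin = "external"
        findings[src] = (activity, origin)
    return findings

# Constructed sample records, not captured traffic.
SAMPLE = (
    [f"10.0.0.5 10.0.1.{i} icmp 0" for i in range(1, 5)]
    + [f"203.0.113.9 10.0.1.1 tcp {p}" for p in (22, 23, 80, 443)]
    + ["10.0.2.7 10.0.1.1 tcp 443"]
)

if __name__ == "__main__":
    for src, (activity, origin) in classify(SAMPLE).items():
        print(f"{src}: {activity} ({origin})")
```

Labelling the origin separately from the activity lets an alerting rule suppress the allowlisted monitoring host while still reporting the same pattern from an unlisted internal or external source.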