Tuesday, December 24, 2013

TIP: Managed Switch Port Mapping Tool Update Check

The Managed Switch Port Mapping Tool has a method for checking for updates that simply grabs a small file from our website, then checks the running version against what the file indicates is the latest version. That works fine for interactive (manual) mode, but if you are using the software from the command line on a scheduled basis, it would be better if you turned off the version check.

How to turn the version check on or off:

  1. Start the Managed Switch Port Mapping Tool and press the Global Settings button on the left panel. See the screenshot from v2.21 below.
  2. 'Uncheck' the box labeled Enable Internet Software Version Check.

If you do turn it off, you might consider signing up for our new version notification email by clicking on Help/New Release Notification Signup or manually checking for a new version once a month by clicking on Help/Check for Update. Otherwise you may be stuck with an old version for a long, long time.

Saturday, December 21, 2013

Managed Switch Port Mapping Tool v2.21 released December 20, 2013

This is an important release - especially if you rely on the history database (history.db3) for anything. There was a problem writing multirow mac address, IP address, hostname and interface manufacturer cells (ports with several devices attached to them, like other switches) to the history database. This has been corrected along with several other minor changes. I also move to address an issue with SQLITE_BUSY message handling, so if you are on a slow computer with a slow hard drive, it should work better for you.

You can download this release from http://www.SwitchPortMapper.com/ or from NetScanTools.com. We've also recently added an FTP link for those of you with a strange problem downloading using older versions of Internet Explorer. FTP seems to work, while HTTP on old IE sometimes results in a corrupted zip file. I have no idea why that's happening because the problem shows up for those people no matter which site they download from. Strange.

This release has been fully tested on Windows 8.1, 7 and XP. Other operating systems newer than XP should work fine.

Here is the list of detailed changes:
-Corrected problem saving multirow cells (ports with 2 or more attached mac addresses) to the history database. This affects MAC Address, IP Address, Hostname and Interface Manufacturer columns.
-Changes to SQLite interface to better handle the rare occurrence of SQLITE_BUSY messages.
-Improved retrieval of serial number, model number and software versions from Netgear switches.
-Added analysis of used/unused Gigabit Ethernet (type 117) ports on a switch.
-Added new table to history database saving the dot1dBasePortIfIndex for future use.
-Added checkboxes to control the visibility of the auth and priv passwords in the SNMPv3 settings window.
-Added warning to SNMPv3 settings window regarding AuthPriv mode when the database is unprotected.
-Improved SNMPManager utility to better check versions of libeay32.dll.
-Updated SQLite to version 3.8.2
-Updated MAC address/Manufacturer database.

Monday, November 4, 2013

Important NetScanTools Pro v11.53 Release

NetScanTools Pro v11.53 (installed) was released on November 1, 2013. This is a very important release because of the type of fixes that are in it. These fixes affect any of the tools that use WinPcap for capturing or sending packets. The WinPcap fixes are important if you use NetScanTools Pro on a machine where the network interface does not support promiscuous mode (normally WiFi 802.11) or you have more than one network interface on the machine.

If your network interface does not support promiscuous mode, all versions prior to 11.53 will not be able to open the interface resulting in a message similar to this one: "Error: Cannot open interface for packet sending. Please exit and restart NetScanTools Pro".

This means you cannot fully utilize tools that depend on WinPcap - for example the WinPcap ICMP mode of Traceroute will not work. The change in 11.53 allows the interface to be automatically opened in non-promiscuous mode if the open in promiscuous mode fails. If an adapter can be opened in promiscuous mode, all packets passing by it are passed along to the host system, however, if it is opened in 'normal' mode, then only packets intended for the system are passed to the host system. This mostly affects WiFi adapters so now you may find that NetScanTools Pro works much better with your WiFi network interface. Error message reporting has been significantly improved at the same time.

If you have more than one network interface on the system running NetScanTools Pro, all versions prior to 11.53 will only be able to send packets to the local network associated with the secondary interface. In other words if a packet sent out the secondary interface is intended for a destination beyond the default gateway, it will not get there because the default gateway mac address was not being obtained correctly. It now is obtained correctly so packets will go out the secondary interface default gateway as intended.

The WinPcap related changes affected ARP Ping, ARP Scan, Duplicate IP Address Scanner, OS Fingerprinting, Packet Capture Playback, Packet Generator, Ping, Port Scanner, Promiscuous Mode Scanner, Traceroute, Connection Monitor, Packet Capture, Passive Discovery, SNMP Dictionary Attack and SNMP Scanner.

Other changes include:
  1. The improvement of administrator privileges detection which affects TimeSync - doing a clock synchronization and DNS Tools Core Edit Hosts File. Some portions of Network Connection Endpoints are also affected.
  2. Addition of a column showing the DHCP Server MAC Address to the DHCP Server Discovery Tool.
  3. Packet Capture Playback now supports sending .pcap files in addition to .cap files.
  4. Ping Enhance/TCP Ping now correctly send the number of packets you designate.
  5. SQLite was updated to 3.8.1 and the database files were updated.

Version 11.53 is available to all those will active maintenance plans. Click on Help/Check for New Version to obtain it.

Opening a WinPcap Compatible Network Interface

Sometimes a network interface is WinPcap compatible meaning it can be opened with WinPcap, but opening it with the methods found in the example code for developers can fail. The examples usually show opening the interface using the PCAP_OPENFLAG_PROMISCUOUS. While that normally works fine for wired interfaces, wireless interfaces (WiFi 802.11) may not open - in fact according to a Winpcap-users post from 2008 regarding v4, "most of the wireless cards do not support promiscuous mode. The call to pcap_open with PCAP_OPENFLAG_PROMISCUOUS should fail" - see http://www.winpcap.org/pipermail/winpcap-users/2008-June/002532.html

Here is typical code from the examples:

pcap_t *hDev = pcap_open(deviceName, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errMsg1);

If it fails to open because the interface cannot support promiscuous mode, hDev is NULL and errMsg1 will contain a string like this: "failed to set hardware filter to promiscuous mode".

A good way of dealing with this is to first try opening the interface, then if hDev is NULL try opening it without the flag:

hDev = pcap_open(deviceName, 65536, 0, 1000, NULL, errMsg2);

Then if hDev is still NULL, report both errMsg1 and errMsg2 to the user. If they both fail you will need to avoid doing any further winpcap function calls except to do pcap_freealldevs because you most likely uses pcap_findalldevs_ex before trying to open an interface and it allocates the device list from which deviceName was found.

Why is opening an interface in promiscuous mode important? When a network interface card (NIC) is opened in promiscuous mode, all packets seen by the interface are captured and passed to the host system, while an interface opened normally only captures packets strictly intended for it alone. So if you are running a utility like NetScanTools Pro Packet Capture or Wireshark, you will most likely want to be running in promiscuous mode so you can see all the packets passing by the interface.

WinPcap v4.1.3 is the most current version as of this discussion. Please visit http://www.winpcap.org/

Friday, October 11, 2013

Managed Switch Port Mapping Tool v2.13 released Oct 10, 2013

I debated as to whether this should be 2.13 or 2.2 because normally a .2 release would mean new features. This release has new features, but in the end I settled on 2.13 because most of the changes were fixes to the LLDP and CDP columns.

The new features are showing the Switch Alias that you have created for a switch when you view the Left Panel/Select Config or Switch Lists/Edit Switch Config. This makes it much easier to see which switch you are wanting to deal with as opposed to seeing only the switch IP address.

The LLDP changes were numerous. First of all, LLDP is not indexed by ifIndex, it's indexed by any of a number of ways. Usually by the interface name, description or alias. It now works much better and will provide LLDP info in the right cell for most indexing options. The other big issue for LLDP was the IP address. Previously we were using the MAC address which is almost always sent in LLDP to lookup the IP in the database. But that didn't always work. So now if the switch has extended LLDP info, we get the IP address of the attached device from the switch LLDP data. In fact, we show them both and indicate the source of the IP address. IPv4 and IPv6 are supported from the extended LLDP info. Another problem with the previous way we reported LLDP was that if the field had no information, it was simply left blank. Now, in keeping with the way Cisco does it from CLI (show lldp neighbors), we use the statement 'not advertised'. That way you know that the data was not available to us.

The statement 'not advertised' was also extended to CDP, which by the way is indexed by ifIndex. There was also a correction to the parsing of the device capabilities field from CDP. You should not see 'unknown' very often any longer.

There was one other change to the number of rows displayed. You may see more loopback rows or similar. And as usual, the MAC Address to Manufacturer database was updated.

Please visit http://www.SwitchPortMapper.com/ to download the latest version 2.13.

Wednesday, October 2, 2013

NetScanTools Pro v11.52 Released Sept 24, 2013

NetScanTools Pro 11.52 was released last week and it has several improvements and updates the databases.

Packet Generator will now work better on Windows 8.x in that the operating system will no longer think it is 'not responding' while sending streams of packets. Earlier versions of Windows do not get confused like this, but apparently Windows 8 expects the message queue to be pumped more often. If the message queue is not cleared quickly enough Windows 8 grays out the software and calls it 'non-responding' which clearly was not the case with the Packet Generator.

Several things were done in Ping and Traceroute to give the user better feedback when the Windows Firewall settings are not allowing outgoing packets to be captured by WinPcap. Without knowing when the outgoing packets are sent, it's difficult to establish round-trip-time. A message will now appear explaining the problem and telling you to change the firewall settings or temporarily turn it off. The timing calculation shown in the analysis area below the results grid now shows sub-decimal timing calculations, ie. 123.456 ms instead of just 123 ms.

The Wireless Network Interface tool now has more concise explanations of what was found to better conform to industry standard terminology.

The USB version has a change that only affects the USB version: if the host has WinPcap 4.1.2 or 4.1.3 installed on it, the software uses the host's WinPcap instead of the WinPcap Pro that is on the USB. More about this in another blog post soon.

If you have an active maintenance plan, please start NetScanTools Pro, then click on Help/Check for New Version to access either the new v11.52 full install or USB upgrade patch.

Thursday, September 5, 2013

NetScanTools August 2013 Newsletter

The NetScanTools newsletter was published last week and primarily it talks about the website overhaul of http://www.nwpsw.com using Bootstrap. Bootstrap (http://getbootstrap.com/) is an interesting set of CSS and JavaScript templates that allow your site to be viewed equally well in a desktop, mobile or tablet screen format without any changes to your site pages. Gerald Combs (Wireshark) told me about it - he converted Wireshark.org to use it earlier this year.



NetScanTools Basic v2.30 Released

On September 4 we released a minor update to NetScanTools Basic, our freeware entry level NetScanTools product. It is now at v2.30.

This update adds a right click menu to all the results windows giving you a way to copy information to the clipboard, print the results or save them to a text file. It also adds an automatic check for a new release (you can turn this off) and updates the whois server database. Since the whois database uses SQLite, we also updated that to the latest version

How to get v2.30:
If you already have NetScanTools Basic, click on Help/Check for New Version and follow the directions in the embedded web page. Or you can go to http://www.netscantools-basic.com/ and download it directly. Install over the top of any old versions.


Monday, July 29, 2013

NetScanTools Pro v11.51 Released on July 18, 2013

This is the latest release and although it does not include any new tools, it does include new and improve charting (graphics) giving quick access to information about the results of many tools at a glance. For instance, this is the new summary chart for Port Scanner. It summarizes the responding TCP ports into Active Ports, Active Ports returning data, Ports Rejecting a TCP connection and No Response Timeout all in an easy to understand pie chart:

Another new feature is the addition of Trend Line Analysis to the Timing Charts. This shows either a linear trend line or an advance polynomial fitting to the data. You can see the formula too. And print and save to a bitmap. Here is a linear fit to the traceroute hop vs. response time chart:

And now a polynomial fit. You can chose from several trend line polynomial degree fittings.

New Features:

-ARP Scan, Ping Scanner and Port Scanner: New summary pie charts show an overview of the results. This is especially important in large data results (port scanner) situations where you may or may not quickly locate an open port in a long list of port results.

-ARP Ping, Ping - Enhanced, Ping Scanner, Traceroute: The 2 dimensional Timing Charts now have trend line analysis. There are linear line fitting plus a number of polynomial curve fitting options available. The line formula can be optionally shown. Each tool has a button to display the Timing Chart after you have used the tool.


-Packet Flooder: added total data bytes sent to status.

-Manual Tools Left Panel: Duplicate IP Scanner is now in the right alphabetic order.

-SNMP - Core and Advanced: SNMPv3 Context field is now correctly passed in the outgoing SNMPv3 packet. Bulk Repetitions now defaults to 32.

-ARP Cache: renamed Index column to I/F Index (interface index).

-Port Scanner: many internal changes to improve operation when scanning large port ranges. Changes to show rejected TCP connections and more clearly define Closed and Filtered UDP ports.

-Whois: added 16 new Top Level Domains (TLDs) to database.

-Updated SQLite to 3.7.17

-Updated database files.

Managed Switch Port Mapping Tool v2.11 and v2.10 Released in June

This post should have been made in June. The Managed Switch Port Mapper had back-to-back releases in June to add new capabilities. Together they addressed issues with obtaining MAC addresses from the local area network and a significant problem mapping Cisco switches using SNMPv3. You can download a 30 day trial at http://www.SwitchPortMapper.com/

Changes in the two releases:

2.11 June 13, 2013

-SNMPv3 changes affecting Cisco® switches: corrected problem with context field that was not being added to the SNMPv3 queries.

-Documented changes to Cisco switch running-config that are required to use SNMPv3 and get meaningful results.

2.10 June 12, 2013

-Ping Sweep: significant internal changes to address ARP table issue reported in v2.09. These changes vastly improve collection of ARP information for all supported operating systems.

-Minor wording changes to Web Browser Summary Report. Added details about results of Ping Sweep action.

-Review History: it now remembers the last mode (Switch Lists or Manual Mappings) between successive uses of Review History within a session. If you were looking at a Switch Mapping, then come back to look at another, you do not have to reselect the mode again unless you are changing to a different mode.

-Review History: added switch alias column to Manual Switch Mappings view in the 'Switch Lists or Manual Mappings' list.

-Updated SQLite to version 3.7.17

-Updated MAC address/Manufacturer database.

Wednesday, July 10, 2013

Configuring Cisco IOS Switches to work with SNMPv1 or v2c

In order to use Cisco switches with the Managed Switch Port Mapping tool, you need to have at least SNMPv1 or v2c running. You can do this with one line in the running-config.

1. from CLI, type enable followed by enter. You may need to enter a password.
2. switch# config term
3. switch(config)# snmp-server community public ro
^this makes it read only with the community name public, you can add rw at the end for read/write. You can use any community name that makes better sense, but remember that SNMPv1 and SNMPv2c are plaintext packets meaning they can be captured and read in Wireshark or any packet capture tool.
4. switch(config)# end or use CTRL-Z
5. switch# write memory

You should be able to map the switch immediately.

Friday, July 5, 2013

New Training Videos for the Managed Switch Port Mapping Tool

A number of videos have been recently completed explaining in detail procedures and techniques for properly and effectively using the Managed Switch Port Mapping Tool.
  • How to use the USB Switch Port Mapping Tool (basic operating methods also apply to the installed version)
  • Obtaining IP Addresses of Attached Devices using the Managed Switch Port Mapping Tool
  • Exporting Results to a Spreadsheet from the Managed Switch Port Mapping Tool
  • Switch Lists in the Managed Switch Port Mapping Tool
  • Command Line Operation in the Managed Switch Port Mapping Tool
  • Understanding Results from the Managed Switch Port Mapping Tool 
There is a playlist for this set called “Training: Managed Switch Port Mapping Tool” and it can be found here: 
All of our videos are here on our YouTube Channel for both NetScanTools Pro and the Managed Switch Port Mapping Tool:

Configuring Cisco® IOS Switches for use with SNMPv3 and the Managed Switch Port Mapping Tool

Cisco switches are not typically configured for default reading of all the Bridge-MIB information on a per-VLAN basis when using SNMPv3. You can usually see VLAN-1 data without changes, but to see other VLANs, you have to make some changes to running-config.

Cisco uses SNMPv3 'context' to allow retrieval of per-VLAN data from Bridge-MIB (things like device MAC addresses). This is not pre- configured so each switch must have the running-config in the switch changed to report the VLAN details. If the switch is not configured, this software and any other switch mapping software cannot map the switch with SNMPv3. We can map it using SNMPv1 or v2c if allowed without any special config changes.

First, you need to see if your switch supports contexts. From CLI do:

show snmp context

Assuming success – your switch IOS version supports context, check to see if your switch supports prefix matching. In your running config add:

snmp-server group yourV3groupName v3 auth context vlan- match prefix

(don't forget the dash character after vlan)

If it does support prefix matching every Cisco switch using IOS and SNMPv3 that you intend to map must have that command in the config - you can skip the next section - you are done after saving your config.

If it does NOT support prefix matching you have a lot of work to do. Every VLAN must have a context set up for it.

You have to add this command into running config for EVERY VLAN:

snmp-server group yourV3groupName v3 priv context vlan-(vlanid)

So if you have 10 VLANs on the switch, that command must appear 10 times, once for each VLAN (no parens around 'vlanid' and you may want to add 'access #' at the end).

Examples of lines to add to running-config:
snmp-server group yourV3groupName v3 priv context vlan-1
snmp-server group yourV3groupName v3 priv context vlan-6
snmp-server group yourV3groupName v3 priv context vlan-50
snmp-server group yourV3groupName v3 priv context vlan-100

June 2013 NetScanTools Newsletter Ready

This newsletter talks about the two Managed Switch Port Mapper releases that happened in June. The first release 2.10 addresses a problem with the size of the ARP table when you ping scan a subnet while on Windows 8, 7, Vista or 2012/2008. The second release 2.11 fixed a problem using SNMPv3 on Cisco switches. One part of the problem had to do with the Context field and the other part had to do with the required changes to running-config in order to map the switch.

I go into detail the changes to IOS based Cisco switches that are required to map them when communicating with SNMPv3.  Mapping a Cisco switch with SNMPv1 or SNMPv2c is pretty easy, running-config on requires the command snmp-server community public to allow mapping the switch with the community name of public. But SNMPv3 requires more than that, specifically contexts have to be supported and ideally prefix matching. The details will be posted in another blog post.

A third major new topic in the newsletter are the new training video series - a full hour of videos that cover using Managed Switch Port Mapper v2.x. Some new NetScanTools Pro videos were also added. Please visit this link for the training video playlist:


This link goes to the NetScanTools Channel on YouTube:

The final topic is a reminder about the release of NetScanTools Pro version 11.50 in May. The two new tools are the Duplicate IP Scanner and Firewall Rules Tool. A visible new addition to Ping, Ping Scan, ARP Ping and Traceroute are the new timing charts showing times. You can print or save the charts as images.

Look for a new release of NetScanTools Pro in July and another release of the Managed Switch Port Mapping Tool too.

Tuesday, June 4, 2013

NetScanTools May Newsletter

This newsletter was published last week and it talks about the latest releases of NetScanTools Pro and the Managed Switch Port Mapping Tool.



Thursday, May 23, 2013

ARP Cache Behavior in Windows 8, 7 and Vista

This post applies to Windows 8, 7, Vista, 2012 and 2008.

If you depend on Ping Scanning to populate your Windows system ARP Cache, you may be in for a surprise. While Pinging a large number of local subnet IPs may populate your ARP cache, you may be surprised find that there are now limits in the size of the cache. In fact the cache size might be much smaller than you think.

When you Ping or send any IP packet for that matter to an IP address, the operating system checks the ARP cache to see if there is a MAC address for that IP. If it cannot find the IP, it sends an ARP request to the target IP whether in it's your subnet or not. If the target IP is in your subnet, the device responds with an ARP reply so that communication can begin on the MAC address level. That ARP reply contains an IP/MAC address pair that gets added to your ARP cache. If the IP is outside your subnet, the ARP reply comes from the default gateway and that IP/MAC pair gets added to the ARP cache.

We recently had a user move his Managed Switch Port Mapping Tool from Windows XP to Windows 7. He emailed to ask why he saw MAC Addresses but very few IP addresses. After much research we found that the ARP cache is no longer managed the way it was in XP and now defaults to a tiny 256 entry cache. And, what's more, the user found that his company had set the ARP cache to 10 IP/MAC addresses.

How to find out what your ARP cache size is now:
1. open a command prompt
2. enter this command and press Enter:
netsh interface ipv4 show global
3. make note of the Neighbor Cache Limit (second from the top). On this system it is 256 entries per interface.

While 256 may be enough for normal users, if you are ping scanning an IP range larger than 256 devices (like in a 10.x.x.x network) and expecting to see more results, you won't see them. In fact, our user was only seeing 10 because his company had set it at 10.

The good news is you can set your ARP cache size limit to a much larger number - here's how:
1. open an administrator command prompt
2. enter this command and press Enter:
netsh interface ipv4 set global neighborcachelimit = 4096

Want to learn more? Please visit http://support.microsoft.com/kb/949589


Wednesday, April 24, 2013

SQLite Discussion - Sorting Order: TEXT vs NUMBER

One of our customers noticed a problem with our Switch List Editor in the Managed Switch Port Mapping Tool. The list ordering relies on a column in a table that we'll call ListIndex. The DDL for the table had defined the column as [ListIndex] TEXT. The index being saved in the column was the numbers zero through however many rows there are for that set of entries (this is not the main constraint column, just an indexing column within a set of rows).

If you did:

'SELECT * FROM theTable WHERE mainConstraintCol='rowSet' ORDER BY ListIndex ASC'

we expected to get a set of rows indexed 0, 1, 2, 3, 4 etc. in that order. That worked fine until there were more than 10 entries in a set of rows. Then the sorting would be 0, 1, 10, 11, 12, 13, 14, 2, 3, 4, 5, 6, 7, 8, 9. Obviously it is the creect sorting if the column is of type TEXT, but wrong since we are interested in the numbers themselves.

The solution was to change the DDL to this: [ListIndex] NUMBER (or INTEGER). That way the ORDER BY sorting ends up correctly in numeric order for lists larger than 10: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, etc.

Changing the DDL works OK if you are creating the table every time, but this table is persistent between application sessions. Because SQLite (to my knowledge) has no ALTER TABLE method for changing an existing table DDL Type from TEXT to NUMBER, I had to do the create temp table, copy contents from original, DROP the original table and recreate it correctly, then copy the temp table contents back to the original. A pain, but functional method. I would be interested in any other simpler methods.

Moral of this story is to be sure of your column typing when you define a table in SQLite especially if you are depending on the contents of that column to index something else.

SQLite: www.sqlite.org
Managed Switch Port Mapping Tool: www.SwitchPortMapper.com

Switch Port Mapper 2.07 Released

The latest version 2.07 of the Managed Switch Port Mapping Tool was released on April 22, 2013. The purpose of this release was to correct a problem with Switch Lists, more specifically the Switch List editor and the execution engine. The issue only was apparent when you had more than 9 switches in a list. If you had 10 or more, the sort order of the switches in the editor and the execution engine was like this: 0, 1, 10, 11, 12, 2, 3, 4, 5 etc. instead of 0, 1, 2, 3, 4, 5 etc.

As a result of working with the Switch List Editor, I discovered it was saving to the database fairly inefficiently (slowly), so I made some changes to speed that up and so it is much faster now when you press the OK button to close the editor.

It was suggested by a user that we include a method for copying a whole results grid row to the clipboard and that was added, however, it may not appear quite as you expect because if there are more than one MAC address in a cell, a CR-LF is added to the copied text for each one.

As usual, we keep updating SQLite DLL to match the latest version and the MAC Address to Manufacturer database was also updated.

Get it at www.SwitchPortMapper.com or follow the instructions in Help/Check for Update.

Thursday, April 11, 2013

USB Version of the Managed Switch Port Mapper

We have offered NetScanTools Pro as a fully portable application running from a USB Flash Drive since 2006 and now the Managed Switch Port Mapping Tool has joined it.

The Switch Port Mapper can now run from a USB Flash Drive using a special compiled version. It retains all the same features as the 'installed' version yet now is fully portable so that you can run it on any Windows XP or later machine that offers a USB 2.0 or 3.0 port. Simply plug in the flash drive, navigate to the executable and start it. And it doesn't require 'Run as administrator'!

We are shipping it on a fast USB 3.0 (compatible with USB 2.0) 16 GB flash drive and for those who already have their own fast flash drive, we can supply a fileset that you can put on it yourself with assistance from our tech support.

The advantages of having the Switch Port Mapper on a USB Flash Drive - not requiring installation - are immense. Network Techs can take it to offsite locations and quickly map a switch.

As far as we know, we are the ONLY company offering Switch Port Mapping software both as fully portable USB flash drive software and as installed on a Windows computer.



Packet Generator Scripting Improvements

NetScanTools Pro v11.42 introduced two major improvements to the Packet Generator scripting:

The first is a 'debugging' window. This new window, located below the main controls on the Packet Generator page serves the primary purpose of showing the command processing during scripting - if you have Enable Script Debugging Messages checked. The other purpose for it is to show certain errors when they occur.

The second improvement is the addition of five new packet reset commands. These commands are intended to be used just prior to modifying packet parameters followed by sending the packets. They reset the TCP, UDP, ICMP, CDP and ARP packet headers to known states - primarily zero. The commands are:
!TCP_RESET_PACKET - resets the TCP header
!UDP_RESET_PACKET - resets the UDP header
!ICMP_RESET_PACKET - resets the ICMP header
!CDP_RESET_PACKET - resets the CDP header and presets some fields to non-zero values
!ARP_RESET_PACKET - resets the ARP header and presets some fields to non-zero values

This is detailed in the Help file (press F1 while viewing the Packet Generator) under the topic Packet Generator - Scripting.

Be sure to use these before defining header parameters and sending packets.

WinPcap 4.1.3 for Windows 8

As you may already be aware, the folks at winpcap.org finally did an upgrade to the WinPcap driver. Version 4.1.3 supports Windows 8 - in other words the installer will not balk at Win 8 like the 4.1.2. installer did. And they did a couple of minor bug fixes in the process.

So if you have Wireshark or NetScanTools Pro and want to use them on Windows 8, please visit http://www.winpcap.org/ to get 4.1.3.

Monday, March 25, 2013

NetScanTools Pro v11.42 Released

NetScanTools Pro v11.42 was released on March 14, 2012 and includes the packet generator scripting improvements along with a few other minor changes. There was one change that was also quite important: the inclusion of the newest WinPcap 4.1.3 release. This version of WinPcap formally supports Windows 8.

These changes were also put into the most recent demo version posted on March 25.

Tuesday, March 5, 2013

Packet Generator Scripting Tips

After a recent tech support exchange, I felt that I should add a few more tips about using the NetScanTools Pro Packet Generator in scripting mode.

It's important to note that parameters or values shown on the main Packet Generator window can be overridden by script commands. In other words, the values shown, like Time To Live will be used in the packet unless you override the parameter with the TTL=64 command.

And more importantly there are a few parameters that you should override to be sure the packet you are sending is correctly sent. Those are the values and settings shown in the packet definition windows that appear when you press Send Now, no scripting.

For example when using a script to send UDP packets, you must specify source and destination ports, whether or not to override the UDP Length and Checksum with their corresponding values and the data payload you wish to send. So for UDP, you need to use these commands prior to doing a SEND directive - don't rely on defaults because there are none:

if 1, then specify UDP_OVERRIDE_LENGTH_VALUE
if UDP_DATAFROMFILE is 1, then set UDP_DATAFILEPATH to the fully qualified exact path of your data file you want sent. If UDP_DATAFROMFILE is 0, then you must specify UDP_DATA.

These values you set will remain during the running of the script. So if you need to change just one or two parameters, you do not have to change them all.

Sending a TCP packet requires even more default values.
Header flags:
TCP_FIN=0 or 1
TCP_SYN=0 or 1
TCP_RST=0 or 1
TCP_PSH=0 or 1
TCP_ACK=0 or 1
TCP_URG=0 or 1
TCP_ECN=0 or 1
TCP_CWR=0 or 1
Header Fields:
if TCP_DATAFROMFILE is 1, then set TCP_DATAFILEPATH to the fully qualified exact path of your data file you want sent. If TCP_DATAFROMFILE is 0, then you must specify TCP_DATA.

All of the above values are fully documented in the help file. Press the F1 key while viewing the Packet Generator Tool or click on Help/Help Topics. Then navigate to Manual Tools > Packet Generator > Packet Generator Scripting. Expand the 'Setting Parameters' grouping to see the parameters and their required values.

Like I said earlier, you only need to set each of these once in your script then send the packet(s), then change only the parameters you need to change before sending the next packet.

This applies to the other types of packets that can be sent. Reminder: You may need to disable your firewall for the packets to actually be sent. Use Wireshark or our Packet Capture tool to verify that you are sending them.

Coming in v11.42 - a way to see errors and debug scripts.

NetScanTools Pro 11.41 Released

The latest version of NetScanTools Pro was released on February 18, 2013. Version 11.41 is a minor version with many important fixes but no new tools. New tools are planned for v11.50.

We will be releasing v11.42 shortly to fix some issues with the Network Connections tool when used on a version of Windows without IPv6 and to better assist in debugging scripting in the Packet Generator.

v11.41 Changes:

-Registration Reminder Window: cleaned up and reduced visual clutter.

-Startup warning note added on the Welcome window if a default system DNS IPv4 address matches the IPv4 address of a default gateway.

-SSL Certificate Scanner: modified certificate signing bits column and added signature type column. If MD5 is seen, the signature type is shown in red.

-ARP Cache tool now properly shows the cache on Windows 8.

-Network Neighbors: Physical Address for Teredo now shows up properly on Windows 8.

-DNS Tools - Core: Simple Query - IPv6 will resolve and show IPv6 addresses for hostnames even if IPv6 is not properly configured in the operating system.

-Ping and Traceroute: hostnames will now resolve and show IPv6 addresses even if IPv6 is not properly configured in the operating system.

-IPv6/Show IPv6 Compatible Interfaces: results area redesigned and now shows multiple global IPv6 addresses. Instant searching on a column basis has been implemented. New right click menu with more export options.

-SMTP Server Tests: added results window so that the test results/log files are immediately shown after you send a test message or do a relay test.

-Updated SQLite to

-Updated database files.

Managed Switch Port Mapping Tool v2.06 Released

Yesterday, March 4, we released the latest version of the Managed Switch Port Mapping Tool, v2.06. It is a very minor release that adds support for full conversion of earlier database table formats to the latest version all the way back to v1.00. It also has a command line preset button for using ExtraPuTTY in Global Settings. The mac address to manufacturer database has been updated.

Please visit http://www.SwitchPortMapper.com/

Tuesday, February 12, 2013

SQLite INSERT OR REPLACE without a constraint

I learned something new yesterday while working on a simple four column table that keeps a list of the favorite tools in NetScanTools Pro. This table was set up without a constraint meaning there is nothing stopping us from inserting a row that is identical to a current row. Here is the DDL for the table:

CREATE TABLE [favorites] (
[col1] NUMBER,
[col2] TEXT,
[col3] NUMBER,
[col4] NUMBER);

As you can see - no constraints.

While working with the right click menu that adds a tool to NetScanTools Pro I discovered that it was adding the same row twice. I was using an INSERT INTO favorites... SQL command. So I thought I would get rid of the duplicates by using INSERT OR REPLACE INTO favorites. Wrong.

What I didn't know/remember was that the OR REPLACE means to replace the rows that are causing a constraint violation. Since there is no constraint, there is no constraint violation meaning the OR REPLACE clause does nothing and multiple identical rows can still be inserted.

An obvious solution is to change the table and add a constraint like this:

CREATE TABLE [favorites] (
[col1] NUMBER,
[col2] TEXT,
[col3] NUMBER,
[col4] NUMBER,

But to do so in an installed base of software in the hands of customers would require changes: ie. copying the existing table, deleting the old table and recreating it with the constraint. Plus it would require checking every time the program is started to make sure it had been done or some other versioning method would have to be used. Lots of details.

I arrived at a different solution using a TRIGGER to remove duplicate rows before the INSERT happens. This requires no changes to the design of the table and does not require changing anything in the user's database. This statement creates a TEMPORARY TRIGGER if it does not already exist and does this before an INSERT happens. It deletes any rows that match 'new' col1, then does the INSERT.

ON favorites
DELETE FROM favorites WHERE new.col1= col1;

Pretty simple and appears to get the job done without modifying the original table. TRIGGERS are very powerful and I will probably be using more of them in the future - but using them with care.

Thanks to Bogdan Ureche for help in understanding what was going on with INSERT OR REPLACE without a corresponding CONSTRAINT.


NetScanTools in Hacking for Dummies 4th Edition

Kevin Beaver wrote Hacking for Dummies and he has just completed the 4th edition. It's a well written comprehensive book on Ethical Hacking. He talks about hacking network hosts, operating systems, applications (communications, databases and websites), password cracking all from the perspective of a security consultant with permission to find the weaknesses in the targets. This can help you understand the dangers your computers or your business systems face from malicious hackers.

NetScanTools Pro is one of the tools he uses to demonstrate how you can assess vulnerabilities. While NetScanTools Pro is not designed as a hacking tool, it does have some tools that you can use to test for vulnerabilities.

Examples used in the book from NetScanTools Pro:

Using Ping Scanner to ping multiple IP addresses to find out what hosts are accessible.
Finding open ports with Port Scanner like the port 53 DNS, NetBIOS port 139, and SQL Server port 1434.
Scanning SNMP or dumping whole system's MIB trees using our SNMP tools.
Using the UDP Packet Flooder as a DoS testing tool.
Windows share enumeration using our Network Shares - SMB tool.
SMTP Relay Testing.

Get the book at dummies.com. ISBN 978-1-118-38093-2

Tuesday, February 5, 2013

NetScanTools LE 1.51 Released

NetScanTools LE was updated to ensure Windows 8 compatibility. Some minor user interface changes were made, documents and databases updated. Whois now has better support for looking up IPv6 addresses.

Please visit http://www.netscantools-le.com/ for more information.

Thursday, January 31, 2013

January NetScanTools Newsletter Ready

The January edition of the NetScanTools Newsletter is ready. Topics include version app release announcements and how to effectively use the Ping Sweep function of the Managed Switch Port Mapping Tool on a large subnet.

Also a preview of what we are working on for NetScanTools Pro 11.5...


Thursday, January 24, 2013

End of January Sale

End of January sale. Use the coupon jan2013 to get 25% off NetScanTools Pro bundled with the Managed Switch Port Mapping Tool or just the Managed Switch Port Mapping Tool now through Sunday January 27, 2013:

NetScanTools Pro/Managed Switch Port Mapping Tool Bundle:

Managed Switch Port Mapping Tool only:

Wednesday, January 9, 2013

New SSL Certificate Scanner on video

NetScanTools Pro v11.40 now includes a new tool called the SSL Certificate Scanner. Use it to collect and verify the expiration status of SSL certificates on a list of https secure web servers. Here is a video overview of the tool.

How to save XML results files from Switch Lists

This question has come up frequently from people who are using Managed Switch Port Mapping Tool v2.x in Switch List mode (this mode means two or more switches are mapped in succession).

To make individual XML files for each switch as it goes, go to the Switch List Editor and make sure 'save switch results as xml files after each switch mapping' is checked. This setting is different for each separate switch list and should be on by default.

Next, change your command line to:
spmap.exe -maplist TheSwitchListName -postexit

This tells the app to map the named list and exit when complete.

Here is the part people have a problem with: The files will be saved to either My Documents or the last used directory you saved XML files to from the menu.

You can override the path manually by mapping any switch or reloading results from history, then right click and select Export XML. Save the results to the directory you want everything to go to. When you run the switch list, it will save in that last location.

The XML filenames will have the format:

Please be aware that the command line option  -xml D:\switch.xml only works for a single switch.

This will be documented more fully in a subsequent release. You can get the application at http://www.SwitchPortMapper.com/

Monday, January 7, 2013

NetScanTools Pro v11.40 Released

NetScanTools Pro v11.40 was released on December 28, 2012 and is ready for download now.

It adds a new tool called the SSL Certificate Scanner. This tool takes a list of https enabled websites as input and it retrieves the SSL certificate from each site's web server for your review. It will tell you if a certificate has expired. It also checks the server to see if it allows weak SSLv2 connections. It shows you the current connection bits too.

Many other changes were made to the program. Several user interface related things were done such as slightly increasing the height of all buttons. There is now a way to right click and remove a tool from the Favorites control bar.

IPv6: each release brings more IPv6 functionality and we added display of IPv6 TCP and UDP listening ports and connections to the Network Connection Endpoints tool. Just like with IPv4, it shows the IPv6 addresses and port numbers.

Port Scanner has been improved. It now displays a combined report showing all scanned port status when you are scanning multiple targets. There are also new right click menu options.

There will be a separate post detailing the SSL Certificate Scanner soon.

If you have an active maintenance plan, please download v11.40 today.