Friday, February 9, 2018

NetScanTools Pro 11.84 Released Jan 25, 2018

The big news about release 11.84 is SMB Scanning. Back in May 2017 during WannaCry we had several people check out the Network Shares - SMB tool and ask if it scanned specific devices by IP address. It does not really do that since it uses only NetBIOS, so I set about to make a tool that does these things:
  1. connect to NetBIOS Name Service and grab the 'Windows computer name' and MAC address.
  2. connect to SMB port and test the SMB service for supported versions. Every supported version is shown.
  3. show latency.
  4. do this for a list of IPv4 addresses or hostnames. IPv6 will be added in a later version.

Here is an animated GIF showing the new SMB Scanner in action:

You can use the SMB Scanner Tool to see supported SMB versions and check for vulnerabilities based on those supported versions. It identifies SMB 1.0 support in red because we already know it is compromised. More about the SMB Scanner.
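As an added example for step 2 above (not NetScanTools code; the page does not describe how the tool itself probes), the following classifies a server's reply to an SMB negotiate request by protocol family and dialect, using the header layouts from the public SMB1 and SMB2 specifications. All function names are hypothetical and the sample replies are constructed rather than captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added example; all names are hypothetical, not NetScanTools code. */
enum smb_family { SMB_NONE = 0, SMB_V1, SMB_V2_OR_LATER };
/* dialect holds DialectRevision for SMB2+, DialectIndex for SMB1. */
struct smb_result { enum smb_family family; uint16_t dialect; };
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse a reply starting at the 4-byte NetBIOS session header; -1 = malformed. */
int smb_parse_negotiate(const uint8_t *buf, size_t len, struct smb_result *out)
{
    memset(out, 0, sizeof *out);
    if (len < 4 || buf[0] != 0x00) return -1;         /* 0x00 = session message */
    size_t msg = ((size_t)buf[1] << 16) | ((size_t)buf[2] << 8) | buf[3];
    if (msg > len - 4) return -1;                     /* length field exceeds data */
    const uint8_t *m = buf + 4;
    if (msg >= 70 && memcmp(m, "\xfeSMB", 4) == 0) {  /* 64-byte SMB2 header */
        if (le16(m + 12) != 0) return -1;             /* Command 0 = NEGOTIATE */
        out->family = SMB_V2_OR_LATER;
        out->dialect = le16(m + 68);                  /* DialectRevision */
        return 0;
    }
    if (msg >= 35 && memcmp(m, "\xffSMB", 4) == 0) {  /* 32-byte SMB1 header */
        if (m[4] != 0x72 || m[32] < 1) return -1;     /* 0x72 = SMB_COM_NEGOTIATE */
        out->family = SMB_V1;
        out->dialect = le16(m + 33);                  /* DialectIndex */
        return 0;
    }
    return -1;
}

/* The "show in red" case: the server selected one of the SMB1 dialects offered. */
int smb1_accepted(const struct smb_result *r) { return r->family == SMB_V1 && r->dialect != 0xFFFF; }

const char *smb2_dialect_name(uint16_t d)
{
    switch (d) {
    case 0x0202: return "SMB 2.0.2";
    case 0x0210: return "SMB 2.1";
    case 0x0300: return "SMB 3.0";
    case 0x0302: return "SMB 3.0.2";
    case 0x0311: return "SMB 3.1.1";
    default:     return "unknown";
    }
}

/* Build a constructed (not captured) minimal reply so the parser runs offline. */
size_t smb_sample(uint8_t *buf, int smb1, uint16_t dialect)
{
    size_t msg = smb1 ? 35 : 70, off = 4 + (smb1 ? 33 : 68);
    memset(buf, 0, 4 + msg);
    buf[3] = (uint8_t)msg;                            /* NetBIOS length, low byte */
    memcpy(buf + 4, smb1 ? "\xffSMB" : "\xfeSMB", 4);
    if (smb1) { buf[8] = 0x72; buf[36] = 1; }         /* command and WordCount */
    buf[off] = (uint8_t)(dialect & 0xFF);
    buf[off + 1] = (uint8_t)(dialect >> 8);
    return 4 + msg;
}
```

An SMB1 DialectIndex of 0xFFFF means the server accepted none of the offered dialects, so only a reply with a real index counts as SMB 1.0 support.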

IPv6 improvements
Another important addition is the new multicast Ping button that helps you discover IPv6 neighbors in the Network Neighbors tool. What this button does is ping the link local multicast address and this forces neighbor discovery to happen. The results are then updated after 10 seconds showing all responding link local IPv6 neighbors.

How to get NetScanTools Pro 11.84
If you already have an active maintenance plan for NetScanTools Pro, click on Help/Check for New Version to log in and download the full installer.

Friday, November 10, 2017

Managed Switch Port Mapping Tool v2.78 Released November 8, 2017

This release has one new function that has been requested by our users many times: the ability to export the results of a Switch List mapping to XML for easy opening in Microsoft Excel. Here is what it looks like when opened with Excel.

After mapping a Switch List, go to Review History, then select the Switch List and press Export Selected Switch List to XML.

While we are looking at Review History, another thing added in this release was searching of LLDP and CDP fields. See it below.

Those are two of the more important changes in v2.78. Here are all the changes. Download v2.78 from

-New XML export option for Switch Lists from Review History. When the XML export is opened in Microsoft Excel, each switch's results appear as a separate sheet. Each row in a multi-row port (ports with more than one MAC address) is shown as a separate row in the XML output. Export progress is now shown on the bottom status bar.
-Review History/Searching now has selections for searching LLDP and CDP for text strings. Searching now defaults to 'Contains' if no options are selected and the search results shown in the right hand list are a bit wider. Search results are now shown in descending order - newest at the top. 'RecNo' in the two lists has been changed to 'No.'.
-Corrected reporting of Switch Operational State for Extreme Networks switches.
-Corrected and removed '00 00' showing in Interface Alias column for Force10 switches.
-Warning is now shown if 10SCAPE export does not find LLDP data for the switches. Switches with no reported LLDP data are shown. Export progress is now shown on the bottom status bar.
-Added new right click menu option to clear both the results grid and the Switch Info left control panel window.
-Improved parsing of MAC and IP addresses from LLDP data.
-Added Interface Manufacturer derived from remote MAC address in LLDP.
-Moved four tables from spmap database to working database.
-Updated SQLite to version 3.21.0

-Updated MAC address/Manufacturer database.

Wednesday, September 20, 2017

NetScanTools Pro 11.83 Released September 15, 2017

This release improves the user experience in several areas and the UI is less cluttered.

Back when we started adding tools that depended on WinPcap, a computer typically had one interface that WinPcap could use for receiving or sending packets. That has all changed. VPNs, Virtual Machines and secondary network interfaces can all potentially add WinPcap compatible interfaces and those interfaces all show up in the WinPcap Interface dropdown list. The problem is that prior to v11.83 you had to select the right WinPcap compatible interface or the tool did not work right and you saw a message to select the correct interface. What v11.83 brings is automatic selection of the interface based on the input you give. This applies to a number of tools in NetScanTools Pro like ARP Scanner, Ping, Traceroute and others. You will still have to select the correct interface in many of the separately launched tools like Packet Capture or Passive Discovery because those tools are listening tools rather than 'packet sending/listening' tools.

Over the past few years typical monitor sizes (pixels HxW) have radically increased. We originally designed NetScanTools Pro to accommodate monitors as low as 800x600 but I personally use a pair of 1920x1080 monitors. I reviewed our web traffic on Google Analytics and found that nobody is using 800x600 or even 1024x768 so this new version of NetScanTools Pro expands the layout of the buttons and other controls on the right side and spreads them out as a first step towards reducing clutter.

Another annoyance was the 169.254.x.x popup message that appeared on startup, usually if you had Npcap installed instead of WinPcap. The message is gone and 169.254.x.x interfaces are not included in any tool (except those that show interfaces) since they are auto-assigned IP addresses from the operating system and actually not functional.

Many other changes and they are listed below. If you have an active maintenance plan you can download 11.83 through the Help menu/Check for New Version.

The list of changes.

-Usability improvement: Tools that depend on selecting the right WinPcap compatible interface now automatically select the interface based on the target entered. This includes ARP Ping, ARP Scanner, DHCP Server Discovery, Duplicate IP Detection, OS Fingerprinting, Ping - Enhanced, Port Scanner, Promiscuous Mode Scanner, and Traceroute. 'Launched' monitoring tools still require you to select the interface to monitor.

-Reports now have expanded information regarding the settings used for these tools (most are in the 'Notes' section of the report): Packet Flooder, Ping - Enhanced, Ping Scanner, Port Scanner, and Traceroute.

-DHCP Server Discovery now times out quicker if the local port 68 is in use and any network adapters with the IP starting with 169.254.x.x are not shown in the list because they are inactive.

-Maintenance Plan Expiration and other startup messages that appear before the main window is active are now forced to appear as the topmost window. This stops the problem of starting NetScanTools Pro and not seeing anything because a startup message window was behind another window.

-Ping Scanner now includes a right click menu option to use your web browser to connect with the selected IP address.

-Fixed minor memory leak in Network Interfaces and Statistics.

-Removed startup message about 169.254.x.x interfaces which shows up more frequently if Npcap is installed instead of WinPcap.

-Began the first steps of a UI improvement by expanding the area used by the tools in the right hand panel. Our research shows that most displays are now wide enough for us to de-clutter the right hand side by making it wider and moving controls.

-Ping: changed the default header acknowledgment field value to 0.

-Traceroute: added header acknowledgment field as a user defined field in Settings.

-SSL Certificate Scanner: Added parsing of Subject Alternative Name (SAN) fields. Shown in the certificate chain. Previous retrievals of SSL certificates are noted in the grid when you edit or start the software. Right click to access the certificate chain. Added more parsing of signature algorithms so OIDs will be less likely to show up.

-Graphical Traceroute: Added Reset Statistics button.

-SNMP and SNMP Advanced: default bulk reps is now 8. Suggest lowering to 8 if you are using SNMPv2c or SNMPv3.

-USB Version Only: startup on a host running Npcap now works correctly.

-Updated SQLite to version 3.20.1

-Updated MAC address/Manufacturer database.

-Updated IP to Country database.

-Updated dates in all subprograms to 2017.

Tuesday, September 5, 2017

Managed Switch Port Mapping Tool v2.77.1 released August 30, 2017

Version 2.77.1 followed closely behind the release of 2.77. This minor release adds serial and model retrieval from Adtran switches. It also fixes some minor issues with importing devices from a text file in Switch List editor. SQLite was updated as well.

Version 2.77 was a huge release.

Managed Switch Port Mapping Tool v2.77 adds several features to enhance the user experience plus new features including one that has been requested a number of times for several years.

One of the most requested features (for years) is this: a way to compare two mappings of the same switch to see what has changed. It is now there under Review History (left control panel):

Select a mapping from the left list, then select one from the right list. Press ‘Show Added & Removed’ to see a list of what is present only in the first mapping (green) and the second mapping (blue) as shown below.

To see a list of devices moved from one port to another between mappings, press Show Moved. The final port that the device was moved to is shown in the list.

Another major addition is the ‘Test’ button. You can find it in the device settings. It gives you a way to see if the device (switch or router or other) can be pinged and communicated with using the SNMP settings you have entered. See below:

Do you have Juniper, Ubiquiti and Force10 switches? We improved support for those switches and we even found that some models of Adtran switches can be mapped – but not all.

Full list of changes in this revision.

2.77 August 18, 2017

-Added button in Review History for comparing and displaying the differences between two mappings of the same switch at different times. One selection shows the difference between information present on the first switch mapping vs the second switch mapping. The other selection shows movement of a device from one port to a new port. The results of the comparisons may be saved/exported/printed.

-Added Test button to Device Settings. Use it to verify the device is reachable with Ping and verify your SNMP settings are correct. It also can tell you if it is a switch or a different kind of SNMP enabled device.

-The target switch is now tested near the start of the mapping to see if it really is a switch; if not, a 'do you want to continue' question is asked.

-Additional sources of warning messages during SNMP single parameter retrievals were identified and the warning suppressed. The warnings were sometimes interpreted by users as errors and slowed the mapping process.

-New Command Line option (-txt) to save the results of a mapping to a hybrid tab/CSV delimited text file. Columns are represented by tabs and rows within a multi-row cell are represented by commas.

-Improved export to 10SCAPE. If required columns are missing, a warning is now shown at export.

-Column Order and Visibility Editor: the 10SCAPE defaults button now turns off the Ping Sweep warning (see Global Settings to reactivate it).

-Global Settings: the Display Ping Sweep Not Configured warning message is now disabled by default.

-Global Settings: when switch group specific settings (like MAC limit per port) are changed, the changes are now saved to the currently shown left panel switch group.

-Switch List Editor: show final report and show individual reports are now unchecked by default.

-Framework: menu and toolbar are now fixed in place and not dockable.

-Framework: top titlebar is now correctly updated to show the switch info when the mapping is complete.

-Juniper, Force10 and Ubiquiti switches are now processed correctly and manufacturer specific details are now retrieved.

-Some models of Adtran switches are now supported.

-Juniper switches now show the vlan name, internal vlan number and vlan tag as follows with the tag in curly braces: MYVLAN(5){100}. Other switch brands will continue to show MYVLAN(5) or 5 where 5 is the vlan number.

-In order to speed up the switch list mapping process, the column widths are no longer automatically resized in list mode.

-VLAN identification for older 3COM switches was improved.

-Improvements to data shown in vlan columns.

-Fixed SQL syntax problem in lldpLocChassisId when subtypes 1-7 are present.

-Fixed usability problem with device settings editor where selections from existing community names would not appear to 'stick'.

-Fixed XML export where switch information is added in the left column.

-Added System Description to CDP data.

-New information added to SNMP Error Report.

-Changed Review History icon.

-Updated SQLite to version 3.20.0

-Updated MAC address/Manufacturer database.

Download the ‘installed’ version 2.77 from and install it over the top of your current installed version.

USB version users need to use the Help Menu/Check for Update selection to obtain the upgrade patch.

Wednesday, January 25, 2017

website major revision under way

You may have noticed that is being revised. Slowly. One or more pages a day. It started in late December 2016.

It's being changed from an ancient FrontPage template with annoying Flash into a modern Bootstrap based website. We are actually using the Unify template from wrapbootstrap. The nice part about Bootstrap is that it automatically sizes to meet the browser viewport. What this means is that there is only one set of webpages viewable equally well on mobile and the desktop.

Here are a few example pages:

I hope you like the new look!

Thursday, August 11, 2016

GetBestRoute bug in Windows 10 Anniversary Release 1607

After upgrading to Windows 10 Anniversary Release 1607 on August 6, 2016, I noticed something strange happening with ARP Scanning Tool and I traced it to an intermittent problem in the IpHlpApi function GetBestRoute.

When the computer is first booted, GetBestRoute works normally as it has in NetScanTools Pro for years and as it has on other Windows operating systems. I am using it to determine if an IPv4 address can be reached LOCALLY without going through the Default Gateway. Operating System specifics:  64 bit OS build 14393.51, only one ethernet wired 1GB network interface connected to an IPv4 network. Compiled as a 32 bit application using VC++ 2012.

Code snippet:

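#include <winsock2.h>
#include <iphlpapi.h>   // GetBestRoute, MIB_IPFORWARDROW; link with Iphlpapi.lib

MIB_IPFORWARDROW IPForwardRow;
memset(&IPForwardRow, 0, sizeof(IPForwardRow));

// targetIPAddress and outgoingIf are IPv4 addresses passed as DWORDs
DWORD dwResult = GetBestRoute(targetIPAddress, outgoingIf, &IPForwardRow);

// note the fail on getting non-local route
if(dwResult == NO_ERROR && IPForwardRow.dwForwardType != MIB_IPROUTE_TYPE_DIRECT)
{
 // note the failure with a popup stating that the route is not local,
 // ie. not on the same subnet or local network segment
}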

Problem statement: if you pass in ANY targetIPAddress between and and outgoing interface is on your computer, it should come back with MIB_IPROUTE_TYPE_DIRECT. This is the normal way it works. Here is a view of the contents of the IPForwardRow structure as it should appear with and as the interface ( is the default gateway).

You can see the dwForwardDest is populated correctly as is dwForwardMask and the ForwardType is direct as expected.

But for any other IPv4 address through, you get this with empty dwForwardDest and dwForwardMask with the route type INCORRECTLY shown as MIB_IPROUTE_TYPE_INDIRECT.

Obviously something was broken in this new Windows 10 release. It is intermittent but once it goes into this failure mode, it stays in the failure mode until the computer is rebooted. I do not know what the trigger is.

I have fixed it by writing my own GetBestRoute equivalent - but I should not have to do that. Microsoft PLEASE FIX this ASAP!
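One way to write a GetBestRoute-style lookup, as an added example that is not the author's replacement code or the Windows implementation: a longest-prefix match over an IPv4 route table, plus a cross-check that flags the failure mode described above. All names and the sample table (documentation address ranges) are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example; all names are hypothetical, not NetScanTools or Windows API code. */
enum route_kind { ROUTE_NONE = 0, ROUTE_DIRECT, ROUTE_INDIRECT };

struct route4 {
    uint32_t dest;      /* network address, host byte order */
    uint32_t mask;      /* contiguous netmask, host byte order */
    uint32_t next_hop;  /* gateway, unused when on_link is set */
    int      on_link;   /* 1 = delivered on the local segment, no gateway */
};

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Longest-prefix match: of all routes covering target, the longest mask wins.
 * Ties keep the first entry; route metrics are ignored in this sketch. */
enum route_kind best_route(const struct route4 *tbl, size_t n, uint32_t target)
{
    const struct route4 *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if ((target & tbl[i].mask) != (tbl[i].dest & tbl[i].mask))
            continue;
        if (best == NULL || tbl[i].mask > best->mask)
            best = &tbl[i];
    }
    if (best == NULL)
        return ROUTE_NONE;
    return best->on_link ? ROUTE_DIRECT : ROUTE_INDIRECT;
}

/* Cross-check for the failure mode above: any answer other than "direct" for a
 * target inside the interface's own subnet is inconsistent. Returns 1 if suspect. */
int route_answer_suspect(enum route_kind answer, uint32_t target,
                         uint32_t if_addr, uint32_t if_mask)
{
    int same_subnet = if_mask != 0 && (target & if_mask) == (if_addr & if_mask);
    return same_subnet && answer != ROUTE_DIRECT;
}

/* Constructed sample table (documentation address ranges), not a real host's. */
size_t sample_routes(struct route4 *t)
{
    t[0] = (struct route4){ ip4(0, 0, 0, 0), ip4(0, 0, 0, 0), ip4(192, 0, 2, 1), 0 };
    t[1] = (struct route4){ ip4(192, 0, 2, 0), ip4(255, 255, 255, 0), 0, 1 };
    t[2] = (struct route4){ ip4(198, 51, 100, 0), ip4(255, 255, 255, 0), ip4(192, 0, 2, 254), 0 };
    return 3;
}

int main(void)
{
    struct route4 t[3];
    size_t n = sample_routes(t);
    /* exit status 0 when the on-link target resolves to a direct route */
    return best_route(t, n, ip4(192, 0, 2, 77)) == ROUTE_DIRECT ? 0 : 1;
}
```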

NetScanTools Pro v11.80 released Aug 4, 2016

NetScanTools Pro 11.80 was released on Aug 4, 2016. This version was completely compiled on Windows 10 and is dual code-signed with both SHA256 and SHA1.

We added a new IPv6 Route Tool that displays the routes and many other properties.

There are many changes and the most obvious change is in the way WinPcap compatible interfaces are shown and selected. Tools that use WinPcap now have a much more verbose description of the interface, not just the IPv4 address shown before. Previously, users would occasionally run into problems where the IPv4 address shown in the dropdown list was not able to be opened even though WinPcap says it was compatible with it. The way the interfaces are opened based on the selection was significantly changed internally so there should be less chance of problems.

The Real Time Blacklist Check tool was changed from a text based single threaded (one after the other) output to a grid based output with multithreading. In other words, in v11.80 many RBL servers are queried simultaneously for the presence of the mail server IPv4 address in their databases.

SNMP tools now support SNMPv3 without the end user having to go obtain libeay32.dll. We have an Encryption Registration Number and the software is ECCN 5D992.c.

The SNMP Scanner and SNMP Dictionary Attack Tools were worked on extensively to fix problems that happened if you sorted a column while scanning (no longer allowed) and also problems with the XML Excel Schema. Side note - if you are using Excel, don't 'import' the XML file, simply 'open' it just like any other Excel file.

Here are the specific changes:
-Compiled on Windows 10.
-New Tool: IPv6 Routing Table.
-Significant change to the way WinPcap compatible interfaces are listed and chosen. Layout of some tools had to change to support longer selection box. Opening and using a WinPcap network interface no longer depends on matching the IPv4 address.
-We now test to verify that the official WinPcap service or the alternative npcap or Win10Pcap services are running.
-Realtime Black List Check tool completely rewritten with new user interface and it is now multithreaded for increased speed.
-SNMP Core and Advanced tools now have simplified SNMPv3 options. SNMP DLL now has libeay32.dll added and SNMP Library Manager was removed. ECCN 5D992.c
-SNMP Scanner, SNMP Dictionary Attack and Protected Storage Viewer have updated grid controls and are now prevented from sorting by clicking on the column header while the tool is working. Exporting with Microsoft Excel schema has been updated - simply 'open' the XML file from Excel (do not import it). SNMP v1+v2c setting is now properly saved.
-ARP based tools now confirm that the target IPv4 addresses are within the same subnet as the chosen WinPcap interface.
-ARP Scan now automatically sorts by the IP address column when complete.
-Whois changed so that if whois server does not respond, it times out and automatically stops.
-Assigned IPv6 Teredo server is shown in IPv6 Compatible Interfaces.
-Corrected privilege problems with writing to certain parts of the registry during registration process.
-Updated SQLite to version 3.13.0
-Updated MAC address/Manufacturer database.
-Updated IP to Country database.
-Code signing now uses both SHA256 and SHA1 for maximum operating system portability.