Thursday, August 28, 2014

NetScanTools Pro v11.62 Released August 15, 2014

This release added the new IPv6 Syntax Validation tool (thanks go to Jeff Carrell for all his help!), consolidated the currently IPv6 capable tools into one menu bar link and addressed the way the top and left panel menus look on High-DPI displays (3200x1800).

It also added the ability to properly send packets to IPv4 multicast addresses when WinPcap is used to send the packets. Prior software versions did not use the correct destination MAC address. You can now also use new scripting commands to specify the source and destination MAC addresses in Packet Generator.

One important fix was a change to the way responding ARP packets are processed in the ARP Scanner and Duplicate IP Scanner tools: it now only processes packets with IP addresses corresponding to the allowed range that you specified. Prior versions would show IPv4 addresses outside the range giving uncertain or hard to interpret results.

If you have an active maintenance plan, please click on Help/Check for New Version to download the full install or USB upgrade patch.

Switch Port Mapper Tip

Applies to all v1.x through 2.34:

If you use the menu item Settings and Tools/Column Order and Visibility Editor to add/remove columns or change where they appear, be sure to keep the Interface Index (ifIndex) column visible.

In other words, if you remove the ifIndex column some other columns may not show data you expect to see. The next release will not allow you to remove the ifIndex column.

Monday, June 2, 2014

How to start NetScanTools Pro USB version 11

We are changing our recommendations for starting NetScanTools Pro v11 USB version. These recommendations apply to Windows Vista, 7 and 8.x.

First recommendation:
Located in the root directory above /nstpro is a file called nstprolaunch.exe. We no longer recommend using it to start NetScanTools Pro - do not use it because the privileges you launch it with may not be correctly passed along to NetScanTools Pro.

There are two recommended ways to start NetScanTools Pro v11.x:

1. If you have WinPcap 4.1.3 (or newer) installed on your host computer, please locate and double click on nstpro.exe which is in the /nstpro directory on the USB drive.

2. If WinPcap 4.x is NOT installed on the host computer, please locate and right click on nstpro.exe, then select 'Run as administrator'. nstpro.exe is located in the /nstpro directory on the USB drive. This will use an older version 4.1.2 of WinPcap Pro located on the USB drive. We recommend going to and installing 4.1.3.

Discussion: if you use nstprolaunch.exe, you may see error messages that say "Error: unable to locate a supported network interface. WinPcap may not be operating... PacketGetAdapterNames: Incorrect function. (1)"

We are moving toward requiring installation of WinPcap 4.1.3 on hosts where you intend to use NetScanTools Pro USB Version, just as Wireshark requires WinPcap to be installed.

Friday, May 30, 2014

My take on the Truecrypt situation

I've used Truecrypt a fair amount in the past, but never to encrypt a whole drive. I've used it to store private things in an unmarked file before. I know there is wild speculation about what may have happened and the end of life of Windows XP seems like a convenient excuse. I lean more towards the developer(s) getting tired of it and wanting to move on. After all it's been out for 10 years and they are not getting paid for it.

But there are strange things happening - like the endorsement of BitLocker. Even more strange is the Wayback Machine people excluding from their database. Here's what you see:


This URL has been excluded from the Wayback Machine.

Why should Wayback care about a site like unless someone told them to erase it or are they simply being overloaded with too many queries? Just a thought.

There are calls to fork the development. Legal issues with a fork aside, this effort looks very promising:  (It appears that they may be using bootstrap too. Our sites will all be using bootstrap soon.)

I agree with Steve Gibson - continue using it until it's proven to have a severe problem and I guess we will see what happens after the crowd funded code audit is finished. Mr Gibson has kindly posted the 7.1a Windows and Linux installers and source code here:

Open source is going to be scrutinized even more now that this has happened and so soon after the OpenSSL heartbeat thing...


NetScanTools Pro v11.61 Released May 9, 2014

This release fixed an urgent algorithm problem in the Whois tool that was introduced in v11.60. And we added 50 new top level domain Whois servers in addition to the 180+ added in v11.60 – the IANA has been busy. This includes servers for new TLDs like ‘.wtf’ and ‘.fail’.

Another minor change is that the DNS entry boxes labeled ‘DNS Server’ now all accept up to 48 entries. Some were only accepting 16 before old entries would age out of the list. As usual, the other databases were all updated.

Users with active maintenance plans can click on Help/Check for New Version for update instructions.

Wednesday, April 16, 2014

NetScanTools Pro v11.60 Released April 10, 2014

NetScanTools Pro v11.60 (installed version) was released on April 10, 2014. It adds a new tool called Graphical Traceroute and significantly updates the SSL Certificate Scanner. It also marks the beginning of the changeover from compiling with VC2008 on Windows XP to VC2012 on Windows 8.1. We will still support XP at least through the end of 2014.

Graphical Traceroute (found under Manual Tools/Traceroute - Graphical) is similar to an old command line utility called MTR, but with some important differences: it was written from the ground up before I even knew about MTR to support both IPv4 and IPv6. It has a graph that shows hops vs. response time with minimum, maximum, average and last traces shown. There is also a list view showing more stats like dropped packets. Exporting to files is supported and you can print the graph too. To use it, simply put in a target and press Run. It will run until you stop it. You can control some packet parameters and how long to wait between doing traces. Here is what it looks like:

SSL Certificate Scanner was enhanced to add retrieval of the whole certificate chain up to and including the root certificate for each target - we also now show you whether the certificate is valid. You can now view those certificates and export the details to a text file. In this image we are showing the certificate chain for Google:

We also added over 180 new Whois domain servers for the many new top level domains the IANA has approved. Whois also now has a minor algorithm change to handle new TLDs too. This is an important addition that will eventually prove useful as people begin to register domains in those new TLDs.

These are the other changes:
-Added test for a security program known to block access to the clipboard preventing copying and pasting in NetScanTools Pro.
-Wording changes for the controls in Packet Capture.
-Updated SQLite to
-Updated database files.

How to get v11.60:
If you have an active version 11 maintenance plan you can click on Help/Check for New Version to login and download the full install.

The USB version patch will be ready on or before April 18.

Friday, April 11, 2014

Windows 8.1 Update KB2919355 woes and my solution

Keywords: KB2919355, 0x80070005, 0x80073712, FAIL

On April 8, my Windows 8.1 64-bit desktop computer (16GB RAM, 240GB Sandisk SSD boot drive) did the automatic Windows Update and I had to let it go overnight because of the size of the total update. When I got up I found that KB2919355 had failed with error 0x80070005. I tried it again and again. Same failure. But I had other stuff to do so I just did some research.

Next day I went to Microsoft support and directly downloaded all the .msu update files associated with the April 8 patch set. I even downloaded the KB2919442 msu because it is a prerequisite. I spent the next two days trying to install KB2919355 manually and I kept getting a new error 80073712 which means there was corruption. By following other people's posts I was directed to use these in an administrator privs command prompt:
DISM /online /cleanup-image /restorehealth
DISM /online /cleanup-image /startcomponentcleanup
sfc /scannow

When they worked (not always successfully) I would try to install KB2919355 manually again and each time it failed. A number of tries...

Aside: in my research, I found in several places this statement:
These KB's must be installed in the following order: KB2919442, KB2919355, KB2932046, KB2937592, KB2938439, and KB2934018

Here is what I did to get it to work:
1. I backed up the system with Acronis True Image 2014. This turned out to be a very important step!
2. Went to Control Panel/Recovery/Open System Restore and chose a Restore Point that was BEFORE the April 8 mess.
3. Did the System Restore.
4. Manually installed starting with KB2919355 msu in the order above. (KB2919442 was already there) I had each in Downloads and I simply double clicked to run them.
5. Each one required a reboot. Fortunately SSD reboot time is super fast.
6. Everything looked good EXCEPT the System Restore went to older versions of a number of source code files I had in Documents folder. Not good. So I examined each folder and decided to restore the whole thing from the Acronis backup. I also use Pegasus Mail and there was a PMAIL.INI file that got changed, but I was able to put it back correctly without using restore. I also found that 2 favorites were removed, but I was able to restore those with Acronis.

That worked. I am relatively happy, but quite concerned as to why System Restore removed some files I had created.

It is my belief that the order of the KB's being installed on April 8 was SUPER IMPORTANT and the automatic Windows Update didn't know that so it installed the others first, then tried to install KB2919355 out of order. Mostly because of my slow internet connection. The others were downloaded first so it installed them.

I hope this helps someone.


Friday, April 4, 2014

Legacy ASP problem -again-

Disclaimer: yes, I know I should be using newer software on a newer OS, but I haven't had time to update it.

I have a legacy ASP script running on an ancient 2003SP2 server and this morning I did a Windows Update that successfully installed KB2929961 and KB2930275. Later in the day I found out an ASP form was not working. It was giving the error: "asp 0177 : 800401f3" and a line number pointing to a CreateObject("Scripting.FileSystemObject") as the source of the error. I've seen this before but it's been quite a while and always after doing a Windows Update.

I did the regsvr32 /u scrrun.dll and regsvr32 scrrun.dll thing successfully, but it didn't work - as usual.

Next I ran Procmon.exe from SysInternals to see where the error was and I found it by running the script then stopping procmon. Way too much data, but I searched for FileSystemObject and found that there was ACCESS DENIED on HKEY_CLASSES_ROOT/Scripting.FileSystemObject. Now I remember!

I opened regedit and went to that key. It had Administrators and SYSTEM as read only etc., so I added "EVERYONE" and made it read-only. That fixed it. But then I went back and removed EVERYONE and added just the Internet Guest Account (IUSR_computername) as read only. It seems to work fine - at least until the next Windows Update.

Or until I put the Server 2012 machine in service that's been sitting here for a couple months.


Managed Switch Port Mapping Tool 2.32 Released

Two releases of the Switch Port Mapper were done quickly on the heels of v2.30 - the reason was to address issues with SQLITE_BUSY messages seen by some users (but never by us). It occurs during a SELECT of one table and using some of the data from that SELECT to do an INSERT into a different table - same database file. By doing a BEGIN IMMEDIATE wrapping the statements, I was able to solve the problem. It didn't use to happen so it must be a change in SQLite operation.
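The SELECT-then-INSERT pattern described above can be reproduced with two connections to one database file. This is an added example, not the Switch Port Mapper's code; the `ports` and `history` tables and the second writer are hypothetical, and the busy timeout is set to 0 so the error shows at once.

```python
import os
import sqlite3
import tempfile

def connect(path):
    # isolation_level=None: BEGIN/COMMIT are issued explicitly below.
    # timeout=0: report SQLITE_BUSY at once instead of retrying.
    return sqlite3.connect(path, timeout=0, isolation_level=None)

def select_then_insert(conn, begin_stmt, between=None):
    """SELECT from one table, INSERT into another, inside one transaction."""
    conn.execute(begin_stmt)
    try:
        rows = conn.execute("SELECT ifindex, mac FROM ports").fetchall()
        if between:
            between()  # a second connection acts between the SELECT and INSERT
        conn.executemany("INSERT INTO history VALUES (?, ?)", rows)
        conn.execute("COMMIT")
        return "ok"
    except sqlite3.OperationalError as exc:
        if conn.in_transaction:
            conn.execute("ROLLBACK")
        return str(exc)

def competing_write(conn):
    """Second writer: tries to take the write lock and insert one row."""
    try:
        conn.execute("BEGIN IMMEDIATE")
        conn.execute("INSERT INTO history VALUES (99, 'other-writer')")
    except sqlite3.OperationalError:
        pass  # refused up front because the write lock is already held

def finish(conn):
    if conn.in_transaction:
        conn.execute("COMMIT")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.db")  # hypothetical schema, constructed data
        a, b = connect(path), connect(path)
        a.execute("CREATE TABLE ports (ifindex INTEGER, mac TEXT)")
        a.execute("CREATE TABLE history (ifindex INTEGER, mac TEXT)")
        a.execute("INSERT INTO ports VALUES (1, '02:00:00:00:00:aa')")
        a.execute("INSERT INTO ports VALUES (2, '02:00:00:00:00:bb')")
        results = {}
        for label, begin in (("deferred", "BEGIN"), ("immediate", "BEGIN IMMEDIATE")):
            # Deferred: the read lock cannot be upgraded once b holds the write lock.
            # Immediate: a takes the write lock first, so b is the one refused.
            results[label] = select_then_insert(a, begin, lambda: competing_write(b))
            finish(b)
        results["history_rows"] = a.execute("SELECT COUNT(*) FROM history").fetchone()[0]
        a.close()
        b.close()
        return results

if __name__ == "__main__":
    print(demo())
```

With a plain BEGIN the INSERT fails with "database is locked" (SQLITE_BUSY); with BEGIN IMMEDIATE the same statements complete because the write lock is taken before the SELECT.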

I also added a message to tell the user when Ping Sweep is active but the IP range for Ping Sweep is empty. That's important because if you want to use Ping Sweep to prepopulate ARP tables or to get NetBIOS info from a set of targets, you had better define the targets. Why is this needed? Simple: most people are using the Switch Port Mapper to map Layer 2 switches that don't keep track of IPs; Layer 2 switches keep track of MAC addresses. So you have to get the IPs by retrieving ARP tables and looking for the MAC addresses so you can work backwards and get the IP addresses.

Get Managed Switch Port Mapping Tool v2.32 here:

Tuesday, March 4, 2014

Managed Switch Port Mapping Tool v2.30 released Feb 26, 2014

Release v2.30 makes major changes to the way Ping Sweep operates. It now allows you to specify an IP range or ranges to ping on a per switch basis. This means you can set the range of IPs to match those handled by the switch. You can also now specify the timeout and retries for the ping packets. Responding IPs are queried for their MAC address and the results are placed in our Combined ARP table for use during the mapping process.

There is also a terminology change: previous versions all referred to Switch Configurations which are the combination of a switch and the two optional devices to query for ARP information. Now that term has been changed to Switch Group in order to reduce confusion with Cisco switch configs.

There are several other changes and the SQLite DLL was updated to the latest version

Wednesday, January 22, 2014

Managed Switch Port Mapping Tool v2.23 (and v2.22) released Jan 20, 2014

These two releases are pretty important and the difference between v2.22 and v2.23 is literally one line of code thanks to an astute observation by a customer. That one line of code prevents a warning message that might appear if you were mapping a Cisco switch (like the customer's Catalyst 4506) where default VLAN 1 is not used but other VLANs are used.

The focus of v2.22 was in two areas:
1. managing the size of the history database. This database is filled with the results of every completed switch mapping. Over time it can get quite large - especially if you are using Switch List mode. So new tools were added in left panel/Review History to allow you to clean the database by date and compact it manually. The size in bytes (and MB or GB) of the history database is also now shown:

If you press Delete Results by Date, you can choose to remove data from the history database older than a certain time.

2. The second area was in the command line operation: we added options to do the same things as you see above from the command line.

You can download v2.23 from

Here is the complete list of changes in both versions.

2.23 January 20, 2014
-Fixed minor problem where a Warning message ("The switch did not respond with mapping from bridge ports to ifIndex...") might appear on Cisco switches. The switch was mapping correctly and the warning did not need to be shown - it only occurred if VLAN 1 was not used at all.

2.22 January 17, 2014
-Switch List Editor (important fix): corrected problem with the 'move up' control. Previously, it was copying the data from the device 2 field to both the device 2 and device 1 fields as it moved the selection up in the list. This made a switch list mapping not work correctly because the device 1 field may not be in the switch configuration list.
-Command Line: Added new option to compact all databases.
-Command Line: Added new option to delete data older than a user specified number of days from the history database.
-Review and Search Historical Switch Mapping Results: Added box showing current History Database size.
-Review and Search Historical Switch Mapping Results: Added Delete Results by Date button which gives a method of deleting old results from the History Database.
-Review and Search Historical Switch Mapping Results: Added Compact Database button.
-Review and Search Historical Switch Mapping Results: Fixed problem deleting selected results where an SQLite error would occur deleting from the dot1dBasePortIfIndex table.
-Database Maintenance: Compacting function has been extended to include history database.
-Database Maintenance: Warnings have been added if you try to erase the settings, SNMPdevices and switchConfig tables.
-Support mode event recording expanded.
-Corrected SQLite problem recording the switch list name to the support mode database after completing a switch list mapping.
-Web browser message about duplicate hostnames now suppressed using no error messages command line option.
-Improved speed of writing to history database by removing an unused index.
-SNMP Device Settings: Edit box prompts have been added.
-Updated MAC address/Manufacturer database.

Wednesday, January 15, 2014

How to send SNMP Traps from a Netgear GS724T switch

Getting your Netgear GS724T switch to send SNMP Traps requires several steps beyond the obvious enabling of traps and defining where the traps are being sent to. Here are the steps. This procedure works with Software Version or .10.

Use your web browser to connect to the switch. Enter the password to login. The default password is password

1. Make sure you turn off the Port Authentication settings you may have enabled.

1a. Security\Port Authentication\Advanced\802.1X Configuration: "Disable" all options, then click apply (lower right corner of window).

1b. Security\Port Authentication\Advanced\Port Authentication: Select all ports and set Port Control = "Auto", then click apply.

2. Security\Traffic Control\Port Security\Port Security Configuration: Click Enable, then click apply.

3. Security\Traffic Control\Port Security\Interface Configuration

a. Select all ports
b. Port Security = "Enabled"
c. Max Allowed Dynamically Learned MAC = "600"
d. Max Allowed Statically Locked MAC = "20"
e. Enable Violation Traps = "Yes"
f. Click Apply

4. Enable Trap Flags. System\SNMP\SNMPv1/v2\Trap Flags: select the trap types you want to be sent, then click apply.

5. Select the trap destination IP addresses. System\SNMP\SNMPv1/v2\Trap Configuration: Enter the receiver's IP address, version of SNMP, community string and enable, then click Add, then Apply in the lower right corner.

6. Your switch should now be sending traps. You do not have to reboot it.

You can test whether the traps are being sent or not by using Wireshark on the receiving machine and looking for SNMP trap packets (use the filters). Disconnect and reconnect an active device on the switch to force it to send link up/down and MAC address change traps. You can also review the trap log by going to Monitoring\Logs\Trap Logs:

This was not an intuitive procedure, I will not take credit for it - the procedure came from their Tech Support - but it does work - have fun with it!

Monday, January 6, 2014

Duplicate IP Address Scanning

Duplicate IP addresses sometimes occur on an IPv4 network subnet if a device is added that already has a static IP address assigned to it. Operating systems like Windows can detect this, but this detection normally happens when the OS is starting up. If a duplicate occurs, ARP reply packets return to the sender (who sent the ARP discovery) from two sources, both with the same IP but with different MAC addresses. We have a tool in NetScanTools Pro that can scan your whole subnet and look for duplicate IP responses. It will show the MAC address, Interface Manufacturer and Hostname of the duplicate devices.

Here is an example of what happens when a duplicate is found:

Demonstration Video:

This tool is quick and easy to use: you simply enter the IP address range, select the WinPcap compatible interface that is found in the IP address range and start it. If you have a large range like a 10.x.x.x, it may take a long time to complete and I would suggest breaking the range up into ranges where you know devices exist.

To learn more about the Duplicate IP Address Scanner tool and to download a demo with this tool fully active, please visit this page
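The detection rule described in this post (one IP answered from two different MAC addresses), combined with the range restriction noted in the v11.62 release post, can be sketched as follows. This is an added example, not NetScanTools Pro code; the function names and the sample ARP replies are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte ARP reply payload; used only to construct sample data."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, 2,
        bytes.fromhex(sender_mac.replace(":", "")),
        ipaddress.IPv4Address(sender_ip).packed,
        bytes.fromhex(target_mac.replace(":", "")),
        ipaddress.IPv4Address(target_ip).packed,
    )

def parse_arp_reply(payload):
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None."""
    if len(payload) < 28:
        return None  # truncated frame
    htype, ptype, hlen, plen, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 2):
        return None  # not an Ethernet/IPv4 ARP reply (oper 2)
    return ipaddress.IPv4Address(spa), ":".join(f"{b:02x}" for b in sha)

def find_duplicate_ips(payloads, first_ip, last_ip):
    """Map each in-range IP answered by more than one MAC to its sorted MAC list."""
    lo, hi = ipaddress.IPv4Address(first_ip), ipaddress.IPv4Address(last_ip)
    macs_by_ip = defaultdict(set)
    for payload in payloads:
        parsed = parse_arp_reply(payload)
        if parsed is None:
            continue
        ip, mac = parsed
        if lo <= ip <= hi:  # ignore replies from outside the requested range
            macs_by_ip[ip].add(mac)
    return {str(ip): sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}

# Constructed sample replies (locally administered MACs, private addresses).
SCANNER = ("02:00:00:00:00:01", "192.168.1.10")
SAMPLE_REPLIES = [
    build_arp_reply("02:00:00:00:00:aa", "192.168.1.20", *SCANNER),
    build_arp_reply("02:00:00:00:00:bb", "192.168.1.20", *SCANNER),  # duplicate IP
    build_arp_reply("02:00:00:00:00:cc", "192.168.1.30", *SCANNER),
    build_arp_reply("02:00:00:00:00:cc", "192.168.1.30", *SCANNER),  # same host twice
    build_arp_reply("02:00:00:00:00:dd", "10.0.0.5", *SCANNER),      # out of range
    build_arp_reply("02:00:00:00:00:ee", "10.0.0.5", *SCANNER),      # out of range
    build_arp_reply("02:00:00:00:00:ff", "192.168.1.40", *SCANNER)[:20],  # truncated
]

if __name__ == "__main__":
    print(find_duplicate_ips(SAMPLE_REPLIES, "192.168.1.1", "192.168.1.254"))
```

A host that answers twice with the same MAC is not reported, and the 10.0.0.5 pair is dropped because it lies outside the range given to the scan.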