Yrscanetree

Yrscanetree is a bulk stochastic ping-scanner for IPv4 networks with a TUI.

It stores discovered hosts as an octet-based tree and shows octets of IPs only for selected sup-octets, along with some host statistics.

It is configured via JSON, keeps state in another JSON, and can write IPs to a text file.

It relies on pro-bing and tcell.

What use case is not covered by more sophisticated programs? Maybe slow, patient, "brushing" reconnaissance of paranoid, "touchy" networks with anti-scan triggers... wait, oh sh

It does NOT show network topology. The tree is defined by octets of IP addresses, not by routes of packets between corresponding devices. Use traceroute or an actual mapper to obtain the latter.

It is cross-platform and works in the console, so you can launch it within an SSH session.

Again, keep in mind that in many networks aggressive scanning (or any scanning, for that matter) is considered "bad/suspicious behaviour" by default. This program may circumvent some, but not all, scanning countermeasures. On the other hand, such countermeasures can be a minor issue or non-existent altogether.

The Look

[screencast]

Here we scan the /16 network to which 185.15.59.224 (wikipedia.org) belongs, i.e. 185.15.*.*.

Colors of the octet 4 values correspond to host status: green ~ available, orange ~ missed, red ~ lost. Since such a status is undefined for octets 1 to 3 (which represent entire subnets rather than single hosts), their values are displayed in blue.

Deployment

Install Go and place the project files into, say, ~/yrscanetree. Then

$ cd yrscanetree
$ go get -u github.com/prometheus-community/pro-bing
$ go get -u github.com/gdamore/tcell/v3
$ go build
$ go run .

Configuration

See config.json as an example, and scan.go (most of the parameters are used there).

In particular,

  • NProbes is the number of simultaneous ping probes at each pass

  • Timeout is the... timeout, in seconds, of each ping

  • Interval is the time, in seconds, between passes

  • NetStr and MaskStr specify the range of IPv4 addresses where the scanner will search for hosts. All masked bits are taken from the net; the rest are random, except that the 4th octet is never 0 (broadcast) or 255 (network #)

  • ForbidNetsStr is a map of "subnet" : "mask" pairs where the search is forbidden: when the subnet and a random IP are equal after ANDing both with the mask, that IP is not probed

  • ProbCheck is roughly the fraction of all probes at each pass that are sent to already discovered hosts (also chosen randomly), checking whether they are still there; the rest are sent to random IPs within the masked net. A smaller value means the network is "explored" faster; a larger value means the availability status of hosts is less stale

  • LossMisses is the number of unanswered pings (misses) at which the host is considered lost rather than merely missed

  • FrameRate should be self-explanatory. Values above 20 or so are indistinguishable, because there is not much "animation" anyway

  • IdleRate makes the main thread pause for the reciprocal fraction of a second (1/IdleRate s), to avoid CPU overuse

  • PrintSynopsis, if true, prints the program synopsis and some other stuff at each start

Among these, NProbes and Interval are probably the ones most related to the "paranoid" (actually basic security) restrictions of certain networks, where too numerous and/or too frequent "bursts" of pings from a given host are considered suspicious and trigger an appropriate reaction 🚨. In such cases, set these to something like NProbes : 20, Interval : 600, run for a while, and if 😬 guys 🤬 with 🏏 pain implements 🔪 do not come for you, increase the former and decrease the latter until they do 🩸🪦...

There is also ForbidNetsStr, but you need to know beforehand which subnets/hosts have ping triggers.
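To make the ForbidNetsStr and LossMisses semantics above concrete, here is an added Go example (not code from the yrscanetree project) that implements the described checks in isolation: the 4th-octet rule, the AND-mask exclusion test, and the missed/lost status transition. The function and type names and the sample forbidden entry "185.15.58.0" : "255.255.255.0" are constructed for illustration; resetting the miss counter on a reply is an assumption, since the README does not say how a reply affects the count.

```go
package main

import "net"

// Status mirrors the three host states the TUI colours: green, orange, red.
type Status int

const (
	Available Status = iota
	Missed
	Lost
)

// probeable decides whether a candidate address may be pinged. It applies the
// 4th-octet rule (.0 and .255 are never probed) and the ForbidNetsStr rule:
// skip when (ip AND mask) == (subnet AND mask) for any "subnet" : "mask" entry.
func probeable(ip net.IP, forbid map[string]string) bool {
	ip4 := ip.To4()
	if ip4 == nil || ip4[3] == 0 || ip4[3] == 255 {
		return false
	}
	for subnetStr, maskStr := range forbid {
		subnet := net.ParseIP(subnetStr).To4()
		mask := net.IPMask(net.ParseIP(maskStr).To4())
		if subnet == nil || mask == nil {
			continue // malformed entry; a real config loader should report it
		}
		if ip4.Mask(mask).Equal(subnet.Mask(mask)) {
			return false
		}
	}
	return true
}

// Host counts unanswered check pings (constructed type, not the project's).
type Host struct{ Misses int }

// Update applies one check-ping result under LossMisses. Assumption: a reply
// resets the counter; LossMisses unanswered pings in a row mean "lost".
func (h *Host) Update(replied bool, lossMisses int) Status {
	if replied {
		h.Misses = 0
		return Available
	}
	h.Misses++
	if h.Misses >= lossMisses {
		return Lost
	}
	return Missed
}
```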

If config.json is missing, the program uses the default configuration. Save it via F2 and edit it to your needs.

Etymology

Yr is a Norwegian word that means drizzling (raining lightly), which is reminiscent of the way this scanner works; it is then portmanteaued with scan, net, and tree.

More, more intriguing stuff: it has been found by translating "drizzle" from English to different languages... another form of scanning.

We considered replacing "tree" with its Norwegian translation "tre" as well, to get kind of symmetry and increase... fluidity? but decided to keep the English word, because "ee" associates better with long waiting one has to endure in order for a scan to cover entire target network with sufficient probability.

Deeper yet: previous candidates for a title were "BulkRandPingScan" and "Chuviscanet", the latter based on chuvisca, a Brazilian/Galician/Portuguese word for drizzling.

Having bound yourself to this dark knowledge, beware of It...

[image: Kind of] [image: Kind of]

and many others.

Icon

[icon] Made at perchance.org/ai-icon-generator in "Watercolor" style via the prompt "Rain falls from above and glitters on a branching almost leafless single tree with spider web."

(No, source code has not undergone editing by an LLM... yet?)

License

Yrscanetree is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Yrscanetree is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Yrscanetree. If not, see https://www.gnu.org/licenses/.
