Wireshark-users: Re: [Wireshark-users] Scanning subnetwork considered bad or not?



From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Thu, 4 Aug 2011 11:37:51 -0600

On Mon, Jul 25, 2011 at 02:25:29PM +0200, RUOFF, LARS (LARS)** CTR ** wrote:

> After setting up a trap, I finally found the guilty to be the Canon 
> Network Scanner utility. (The word "Scanner" here initially stands for 
> machines scanning sheets of paper, not networks! ;) )

It's trying to make a network connection of some sort to every IP 
address on the subnet.  If there isn't already an ARP entry for that IP 
address in the local machine's ARP cache, then it has to generate an ARP 
request to find it if it's there.

> Ok, so normal behaviour. But isn't this behaviour seriously violating 
> LAN netiquette??

Yes.

> Do a lot of services use this?

I don't think so, but many use almost-just-as-annoying broadcasts which 
reach every device anyway.

> I guess that this would be a NO GO in an enterprise environment?

I would say yes, but after years of experience working in such 
environments, it turns out that most don't care since it's more 
important that things "just work" (no matter how poorly they are 
implemented) than "do the right thing" :(.

It would be better to use multicasts and/or a standardized method of 
service discovery such as Simple Service Discovery Protocol (SSDP).
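
An added example, not part of the original message: one way to spot the behaviour described above in captured traffic is to count how many distinct IP addresses each host sends ARP requests for within a short window. The threshold (50 targets in 10 seconds), the function names and the 192.0.2.0/24 sample frames are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ARP_ETHERTYPE, ARP_REQUEST = 0x0806, 1

def build_arp_request(sender_ip, target_ip, mac=b"\x02\x00\x00\x00\x00\x01"):
    """Construct a 42-byte broadcast Ethernet/IPv4 ARP request (sample data only)."""
    eth = b"\xff" * 6 + mac + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    return (eth + arp + mac + IPv4Address(sender_ip).packed
            + b"\x00" * 6 + IPv4Address(target_ip).packed)

def parse_arp_request(frame):
    """Return (sender_ip, target_ip) as strings for an ARP request, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    return str(IPv4Address(frame[28:32])), str(IPv4Address(frame[38:42]))

def find_sweepers(packets, window=10.0, min_targets=50):
    """Map sender IP -> peak number of distinct IPs it ARPed for inside `window`
    seconds, for senders reaching `min_targets`. `packets` is time-ordered
    (timestamp, frame) pairs."""
    last_seen = defaultdict(dict)  # sender -> {target: time of latest request}
    peak = defaultdict(int)
    for ts, frame in packets:
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue
        sender, target = parsed
        if sender == target:       # gratuitous ARP announces, it does not search
            continue
        seen = last_seen[sender]
        seen[target] = ts
        for stale in [t for t, when in seen.items() if ts - when > window]:
            del seen[stale]
        peak[sender] = max(peak[sender], len(seen))
    return {s: n for s, n in peak.items() if n >= min_targets}

def sample_capture():
    """Constructed traffic: .10 walks the whole /24, .20 only resolves the gateway."""
    pkts = [(i * 0.01, build_arp_request("192.0.2.10", f"192.0.2.{i}"))
            for i in range(1, 255)]
    pkts += [(float(i), build_arp_request("192.0.2.20", "192.0.2.1",
                                          mac=b"\x02\x00\x00\x00\x00\x02"))
             for i in range(5)]
    return sorted(pkts, key=lambda p: p[0])

if __name__ == "__main__":
    print(find_sweepers(sample_capture()))
```

Only requests that leave the host are counted, so a machine whose ARP cache is already populated will show fewer targets than it actually contacted.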
