Network scanning is a procedure for identifying active devices on a network by using a feature of the network protocol to signal each device and wait for a response. Most scanning today is done for monitoring and management, but the same technique lets an attacker identify hosts or users to target. Which protocol features are used depends on the network; on IP networks a scan normally sends a simple message (an ICMP echo request, or ping, for example) to every address in a specified range and then, for each address that answers, uses a second protocol (a TCP connection to a service port, for instance) to learn more about the device. A non-response does not prove an address is unused: hosts behind a firewall that drops ICMP will not answer a ping yet may still accept connections on specific ports.
When used by monitoring and management systems, scanning identifies current network users, determines the state of systems and devices, and takes an inventory of network elements. Often the discovered inventory is compared against a list of expected devices as a measure of health, both to catch devices that have gone missing and to flag devices that answer but should not be there. All of these are legitimate management functions that network administrators perform routinely.
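The two-stage procedure described above (probe every address in a range, then query the responders with a second protocol) and the inventory comparison used by management systems, as an added example that is not part of the original article. It is plain Python with the standard library only. Sending an ICMP echo from Python normally requires raw-socket privileges, so the real probe here completes a TCP handshake instead; the sweep logic does not depend on which probe is used. The addresses, banners and expected-host list are constructed for the example, and the fake_probe/fake_follow_up pair exists only so the code runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Stage 1 probe: does the address answer at all?  A real ping (ICMP echo)
# needs raw-socket privileges from Python, so this probe completes a TCP
# handshake on a port instead.  The sweep below accepts any probe callable.
def tcp_connect_probe(host: str, port: int = 80, timeout: float = 0.5) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, timed out, no route
        return False

# Stage 2 follow-up: once a host has answered, use a second protocol to learn
# what it is.  SSH, SMTP and FTP servers announce themselves on connect, and
# that greeting usually names the software and often hints at the OS.
def tcp_banner(host: str, port: int = 22, timeout: float = 1.0) -> Optional[str]:
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(256)
    except OSError:
        return None
    return data.decode("ascii", errors="replace").strip() or None

def sweep(cidr: str,
          probe: Callable[[str], bool],
          follow_up: Callable[[str], Optional[str]]) -> Dict[str, Optional[str]]:
    """Probe every host address in cidr; for each responder, run follow_up."""
    found: Dict[str, Optional[str]] = {}
    for addr in ipaddress.ip_network(cidr, strict=False).hosts():
        host = str(addr)
        if probe(host):
            found[host] = follow_up(host)
    return found

def inventory_diff(seen: Iterable[str], expected: Iterable[str]) -> Dict[str, List[str]]:
    """The health check from the text: hosts that answered but are not on the
    expected list, and expected hosts that did not answer."""
    seen_set, expected_set = set(seen), set(expected)
    return {
        "unexpected": sorted(seen_set - expected_set, key=ipaddress.ip_address),
        "missing": sorted(expected_set - seen_set, key=ipaddress.ip_address),
    }

# Constructed stand-in network so the example runs offline.  These addresses
# (from the TEST-NET-1 documentation range) and banners are invented, not
# captured from real hosts.
FAKE_HOSTS: Dict[str, Optional[str]] = {
    "192.0.2.1": "SSH-2.0-OpenSSH_9.6",
    "192.0.2.5": "220 mail.example.net ESMTP",
    "192.0.2.9": None,   # answers the probe but sends no banner
}

def fake_probe(host: str) -> bool:
    return host in FAKE_HOSTS

def fake_follow_up(host: str) -> Optional[str]:
    return FAKE_HOSTS.get(host)

def demo():
    live = sweep("192.0.2.0/28", fake_probe, fake_follow_up)
    report = inventory_diff(live, expected=["192.0.2.1", "192.0.2.5", "192.0.2.7"])
    return live, report

if __name__ == "__main__":
    live, report = demo()
    for host, banner in live.items():
        print(host, banner or "(no banner)")
    print("unexpected:", report["unexpected"], "missing:", report["missing"])
```

Against a real network you would pass tcp_connect_probe and tcp_banner to sweep instead of the fake pair; the same sweep serves both the administrator's inventory check and, as the next paragraph notes, an attacker's reconnaissance, which is why the traffic alone rarely tells you which one you are looking at.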
Scanning by attackers relies on the same tools and protocols as management scanning. An attacker normally first obtains the IP address range assigned to the target organization, using the domain name system (DNS) or WHOIS records, then scans the addresses in that range for live servers, their operating systems, system architecture, and the services listening on each. With that map in hand, the attacker can attempt to breach the identified systems and applications. Because a reconnaissance sweep and a legitimate management sweep produce the same kind of traffic, defenders usually distinguish them by context, such as the source address, the timing, and how many addresses and ports are probed, rather than by the probes themselves.