NScan itself is a port scanner that uses the connect() method to find the
list of a host's open ports. What sets it apart from most
portscanners is its flexibility and speed. The maximum speed seen by
beta-testers was over 500 ports per second, and it wasn't a maximum.
Maximum speed depends on network bandwidth and PC speed. On this screen
shot you can see the real speed of 19.75 ports per second while
scanning 145 ports on remote host on dial-up.
Engine supports numerous settings, operation modes and customizations.
You have different ways to specify hosts - single, range or different
kinds of lists, even some raw unformatted data. It may be IP,
"crippled" IP or hostname.
Ports may be specified in different ways too - single ports, ranges,
lists, ports known to the system or to the scanner, and their combinations.
You can tune your output - will you write logs or not, which detail
level should be for logs or output screen. You can copy output to
clipboard - as single address, as socket, as list, etc. You can tune
your scan speed - from the very low to uncontrolled. You can set
traffic priority (if system allows you to do it).
You can even run it remotely from command line and monitor its
activity with an additional console utility, that monitors "virtual
It can minimize to tray, load with the system startup, search for its
own upgrades, change its interface language on the fly, it can easily
deal with its separate kit utilities - dig, whois and traceroute.
What else will you require from portscanner?
This section contains general readme file (it's not so often read as it
It's a kind of strict user manual - some performance issues, hints,
are available either as FAQ, or at forum.
PLEASE READ THIS FILE CAREFULLY, IT MAY CONTAIN THE NECESSARY
Version 0.9.1 readme
Author: Averk/Necrosoft (firstname.lastname@example.org)
What's new in 0.9.1:
- Added Save/Load buttons to the options dialog, that will assist in
creating performance profiles and for modifications of the CD version
Same is for other utilities.
- Whois: fixed link bug.
- Introduced a business card CD version, that runs directly from CD and
doesn't touch system registry. CD is recordable and is open for write.
See special notes for CD version.
What's new in 0.9:
- Completely removed adware and made it simply shareware.
- Added all utilities in one pack.
- Fixed bug with window sizing.
- Fixed nasty bug with tray menu that prevented it from proper hiding.
- Fixed bug with utilities call under NT (unclean parameters).
- Fixed some things in credits scroller and removed splash.
- DIG: fixed control bug that caused it to close prematurely.
- Some minor changes.
What's new in 0.8:
- First of all, this file - now it has something more than just a site
- Enforced timeouts. Yeah, it won't freeze so long on a dead host.
- Engine is completely rewritten to make it more flexible. Though
nothing revolutionary is written, there's much more space for
enhancements (fairly, it's mostly for easier modifications). However, I
hope to make some good surprises with new functionality soon :)
- Numerous bugfixes, the most awful of them - incorrect command-line
- New command-line options for remote telnet control.
- Virtual console. Basically, it's a kind of log that may be viewed at
the moment of change by tail utility (tail.exe is included).
- Logs and clipboard exchange formats may be freely changed now.
- I've removed third-party ad components at last. No spyware (but was
Ad component is now my own and it doesn't collect anything. Info may be
collected via cookies as with any other banners on my site, but there's
nothing special from me.
- News engine is rebuilt, now it may notify you about new releases (at
- Language packs. Yeah, you can customize any text strings in any
language and way you want.
- Added two more source file parsers. Current set: host list, socket
list, some IP's.
- And, finally, it's modular: whois, traceroute and dig are separate
programs, which may be run either from NScan or alone.
Introduction to this reference (an official word):
NScan is a kind of a kit for testing network security and reliability,
which can solve numerous problems on your network. Basically, it's an
extremely fast and flexible portscanner for Windows, which is specially
designed for scanning large networks and gathering related network/host
information. It's designed as an aid for network administrators and
should not be used in order to abuse someone. The responsibility for
the correct use of this kit remains with you. See license.txt.
1.1. Host selector.
1.2. Port range selector.
1.3. Output and log detail level selectors.
1.4. Output window.
1.5. Status bar.
1.6. Other controls.
2.3. Output formats.
2.4. Packet customization.
2.6. General system options.
3. Command line.
4. Socket manipulations.
5. Virtual console.
1.1. Host selector. Has five modes:
- Host range: scans from initial to final host or vice versa, in
ascending order. Host names may be either as IP addresses of valid
"Crippled" IP's (though they are also valid) are also acceptable (e.g.
2130706434 as 127.0.0.2, or 212.3070643 as 184.108.40.206; 127.0.0.300
and the like are, surely, unacceptable). If one of the hosts is
invalid, scans only one valid host.
- Single host: scans only initial host.
- Host list: gets the list from file. Same types of addresses as
mentioned are valid. Takes one address per line, leading whitespaces do
Comments on a line are accepted as long as they are separated from the
hostname by at least one whitespace character or colon (':').
- Socket list: As in the previous case, but requires a port number
after whitespace(s) and/or colon(s), e.g. " 127.0.0.1 : 80".
Discards port range settings.
- Some IP's: Tries to find a valid IP address in the line. It means that
unlike in previous cases, 127.0.1 (which is 127.0.0.1) isn't valid. May
help greatly for scanning DNS zones, including those retrieved by AXFR
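
The address forms accepted by the host selector modes above, as an added Python example (not NScan's own code): it expands decimal "crippled" addresses the way inet_aton does, splits host-list and socket-list lines, and applies the strict four-part rule of "Some IP's" mode. Function names are hypothetical, only decimal parts are handled, and the 1-65535 port check is an assumption.

```python
import re

_DEC = re.compile(r"[0-9]+")
_QUAD = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\d)")

def normalize_ip(text):
    """Expand a 1- to 4-part decimal address to dotted quad, else None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(_DEC.fullmatch(p) for p in parts):
        return None
    nums = [int(p) for p in parts]
    tail_bytes = 5 - len(nums)          # bytes covered by the last part
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** tail_bytes:
        return None
    value = 0
    for n in nums[:-1]:                 # leading parts are one byte each
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | nums[-1]
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def parse_host_line(line):
    """Host list mode: first token is the host, the rest is a comment."""
    tokens = re.split(r"[\s:]+", line.strip(), maxsplit=1)
    host = tokens[0]
    if not host:
        return None
    if re.fullmatch(r"[0-9.]+", host):  # numeric: must be a valid address
        return normalize_ip(host)
    return host                         # hostname, left for the resolver

def parse_socket_line(line):
    """Socket list mode: host, then a port after whitespace and/or ':'."""
    tokens = re.split(r"[\s:]+", line.strip(), maxsplit=2)
    if len(tokens) < 2 or not _DEC.fullmatch(tokens[1]):
        return None
    host, port = parse_host_line(tokens[0]), int(tokens[1])
    return (host, port) if host and 1 <= port <= 65535 else None

def find_strict_ips(line):
    """'Some IP's' mode: only full four-part addresses found in free text."""
    hits = _QUAD.findall(line)
    return [h for h in hits if all(int(o) <= 255 for o in h.split("."))]
```

Normalizing every accepted form to one dotted-quad string before comparing or logging keeps 2130706434, 127.0.2 and 127.0.0.2 from being treated as three different hosts.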
1.2. Port range selector. Has seven modes:
- Port ranges list: lists comma-separated port ranges and single ports.
- Windows default services: uses 'services' file from your system. BTW,
funny, but it doesn't contain http.
- Known services: uses NScan's 'services' file (more than 3200 entries)
- it's the set of once most recent known ports.
- User-defined services: uses "userdef.txt" in NScan's directory as
- Known+user-defined: obvious
- All defined services: adds windows services to the previous selection
- All defined + port list: obvious too :)
1.3 Output and log detail level selectors: six for output + "no logs"
- Normal: only open ports
- Network unreachable:
Catches the following errors:
- Timeout and network unreachable: obvious, yeah?
- Explicit: tracks all except WSAECONNREFUSED (simply closed port)
- Absolute: tracks _ALL_
1.4. Output window:
I can only add that right click opens a menu and report columns can be
rearranged and sorted.
1.5. Status bar: briefly.
First line: status; last host; last port; total scanned amount; scan
speed; open ports amount; number of sockets in use, maximum sockets to
Second line: news line (shows current news from Necrosoft, linked to
site); '?' - force news retrieval; network load (heuristic); time left;
1.6. Other controls.
Other control use may be deduced from their names and tooltips that
are available for all of them. I only want to mention "NECROSOFT"
button, which appears on the place of the "Register" button after
registration: double-click shows splash screen.
Buttons Save and Load let you save and load configuration profiles. It
may be useful for different speed profiles, CD version tuning, etc.
- Minimize to system tray: no comments.
- Custom colors/pictures, positioning: for better appearance of result
Contains paths to additional modules and specifies if to perform an
action on the initial host upon module launch, e.g. trace the route to
the first host when you press "Traceroute" button in NScan. If paths
are incorrect, corresponding buttons are grayed.
2.3. Output formats: Has brief help and more detailed help under "more"
- Log entry: specifies what a log entry should look like. Don't forget to
put %n at the end of line: it's a newline character.
- Clipboard: specifies format for "Custom copy" and "Copy selected" at
the output window. No newline is needed.
- Console: format for "virtual console" (see below) - same as for log.
2.4. Packet customization:
- Send OOB data: sends OOB packet to open port. Basically is outdated,
may only help to find unpatched 95's on the network (old nuke exploit).
- Type of service: two selectors. RTFM. Don't touch unless you know
TCP/IP packet structure or at least, TOS considerations. Not guaranteed
to work everywhere - just sets options on a socket, but winsock may
- Socket limit: number of sockets that may be opened simultaneously.
- Update: time interval when NScan tries to find more spare sockets if
"Dynamic allocation" is switched on.
- Cleanup timeout: time after which a socket is assumed to have timed out
and is forcibly removed from the queue.
2.5. Speed: two deeply connected values.
- Synchronize by: time between the socket queue additions. 0 means full
local bandwidth (depends also on PC performance).
- Speed limit: heuristically accounted speed
2.6. General system options.
- Run as system service: runs at startup and puts itself to tray, right
click opens a tray menu, click opens scanner window.
- Don't close: forces close (X) button to act as "minimize" - useful to
keep scanner alive when it's run as 'service'
- Disable news retrieval: doesn't connect you to server for news and
- Disable upgrade notifications: upon news retrieval, ignores upgrade
- Localization: hope it's obvious. "Get more" brings you to the support
3. Command line
Command line accepts following options:
short  long        <parameters>              description
-i     -ini        <start address>           start hostname
-f     -fin        <end address>             end hostname
-p     -ports      <ports>                   port list
-F     -list       <list file>               list file name
-l     -log        <log file>                log file name
-N     -forget                               don't write updated settings to registry
-t     -tray                                 run and minimize to tray / do nothing
-S     -scan                                 start with defaults - just scan
-k     -keepalive                            don't close after job is done
-n     -nohide                               keep restored
-a     -atype      <type>                    address type (0-4) respectively in
-P     -porttype   <port list type>          same for port type
-c     -cleanup    <cleanup timeout>         cleanup timeout (options)
-d     -outdetail  <outdet>                  output details (see drop-down mode
-D     -logdetail  <log detail level>        same for log
-T     -condetail  <detail level>            same numbers as for log
-R     -conformat  <format>                  format for console output (options)
-C     -console    <file>                    console file name (default is
-s     -speed      <speed limit>             speed limit (options)
Other engine options are taken from previous session defaults.
A single option parameter must be enclosed in double quotes '"' if there
is a possibility that it can be misinterpreted (may be in file names)
4. Socket manipulations:
By default, scanner uses 75 sockets with 3-second update timeout,
dynamic allocation and max socket amount of 500. These settings are for
Win 95/98. Under NT you may use much greater numbers. The reason is
that sockets are limited resource, so under Win 95/98 you may
experience problems with other network software if all sockets are
used. In order to resolve this problem, scanner works on the following
principles: if the limit is reached, scanner decreases maximum and
after some time (3 seconds by default), increases it (if dynamic
allocation is on), assuming that resources may be free. If it doesn't
reach a limit, it slowly increases the top to the maximum (500 by
default) and stays there. Please note that if you run two concurrent
scanners with dynamic allocation, the limit of one of them may fall to
1, resulting in low-speed scan (as some lame scanners). If dynamic
allocation is switched off, it doesn't change the limit, so be careful
with the limits - they may block other network activity - i.e. while
old connections remain active you won't be able to open new connection
unless you're lucky enough. Once again - it's only under 95/98. So, at
last, scanner uses most of the available resources trying not to
interfere with other applications. Please note that NT has very high
limit that may not be reached, but keep a reasonable maximum, because
3000 sockets will exhaust CPU resource and may lock your PC down.
However, high limit will resolve freeze problem on dead networks,
especially with reasonable cleanup timeout.
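
A simplified model of the dynamic allocation described above, as an added Python example (not NScan's code): the cap drops when the OS runs out of sockets and is raised again at every update interval until it reaches the maximum. The step size, the fixed OS socket pool, the release of all sockets at each interval and all names are assumptions made for illustration.

```python
class SocketLimit:
    """Adaptive cap on concurrently open sockets (step size is assumed)."""

    def __init__(self, start=75, maximum=500, dynamic=True):
        self.limit, self.maximum, self.dynamic = start, maximum, dynamic

    def on_exhausted(self, in_use):
        """The OS refused a new socket: fall back to what is actually held."""
        if self.dynamic:
            self.limit = max(1, min(self.limit, in_use))

    def on_update(self, step=5):
        """Called every update interval (3 s by default): probe upward."""
        if self.dynamic:
            self.limit = min(self.maximum, self.limit + step)


def simulate(pool, ticks, scanners):
    """Run scanners against one shared OS socket pool.

    Returns (lowest limit seen, final limit) per scanner. One tick is one
    update interval; sockets from the previous tick are assumed closed.
    """
    lowest = [s.limit for s in scanners]
    for _ in range(ticks):
        free = pool
        for i, s in enumerate(scanners):
            got = min(s.limit, free)
            free -= got
            if got < s.limit:           # pool ran dry before the cap was hit
                s.on_exhausted(got)
            lowest[i] = min(lowest[i], s.limit)
        for s in scanners:
            s.on_update()
    return lowest, [s.limit for s in scanners]
```

With a constructed pool of 100 sockets, two dynamic scanners started together end up with the second one's cap falling to 1, which is the low-speed case the paragraph warns about; with dynamic allocation off the cap never moves, whatever the pool can supply.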
5. Virtual console.
In command-line mode scanner duplicates its output in "virtual
console" file. File is named as "console.log" by default. You may view
it at console using the enclosed tail utility (tail.exe). Tail shows
the immediate recent changes to file and may be used with NScan to work
as console scanner version. Usage: tail <filename>. No,
it's not ported from UNIX, it just looks like it :)