Usage: netrecon [Mode] [Options] {target specification}

MODE SELECTION:
  -C|--scan-connect:  Scans ports until one full connect is found then
                      quietly scans remaining ports.
  -P|--scan-passive:  Passively sniffs an interface and collates
                      discovered ports based on hit counts.
  -T|--tcpdump:       Invokes a mini tcpdump utility.
  Default mode is 'scan passive'

GLOBAL OPTIONS (not required):
  -u|--usage          Print usage message and exit
  -v|--verbose        Be verbose
  -x|--xtra           Go past default port range upper limit

TARGET SPECIFICATION:
  Scan Connect mode:
    Default can pass xxx.xxx.xxx.n-N or single hostname/IP
    In ipv6 mode only one host can be specified
    A target specification is required
  Scan Passive mode:
    A pcap filter can be used (e.g. net xxx.xxx.0.0) or none
    (all hosts/ports detected are collated)
  Mini Tcpdump mode:
    Standard pcap filters

SCAN CONNECT OPTS:
  -6|--ipv6 host      Specify ipv6 host to scan
  -c|--connect-all    Connect for each port (not default, slower)
  -g|--datagram       Set the socket to datagram instead of stream
  -p|--port n[-N]     Scan port number n or a range of n-N
                      Defaults are: 1-1024
  -t|--timeout n[-N]  Set the default scan timeout to SECONDS.USECONDS
                      Defaults are: 2.0
  Ex: netrecon --scan-connect -x -D -c --timeout 3.05 192.168.1.2-254

POLL AND INTERFACE OPTIONS (scan-passive/tcpdump modes only):
  -i|--interface      Specify the interface to watch
  -n|--npolls         Exit after analyzing int polls
  Note: In scan-passive this defaults to 2048.
        In mini tcpdump the default is never.

SCAN PASSIVE OPTS:
  -h|--hits           Set destination porthit threshold to int.
                      Default is 16. Lower numbers for wireless and home
                      and higher ones for workplace/campus networks.
  Ex: netrecon -P -h 16 net 192.168.1.0 and not port 22

MINI TCPDUMP:
  -a|--arp            Read arp traffic only
  -d|--decode         Decode packets
  Ex: netrecon -T -i en0 -n 2048