Scan Strategies & Technology

LAN Lens implements a highly optimized, multi-tier discovery pipeline designed to identify and analyze all active nodes on your subnet with sub-second response times, while maintaining zero external dependencies.

Pipeline Execution Order

LAN Lens scans in four concurrent phases: **ARP Cache Auditing** -> **ICMP Sweep** -> **Service Broadcast Interrogation (mDNS/UPnP)** -> **Targeted Port Verification**.

1. ARP Sweep (Address Resolution Protocol)

Because the local router manages client communications by converting IP addresses to hardware MAC addresses, the operating system maintains a memory database known as the **ARP Cache**.

LAN Lens starts its sweep by executing native kernel queries to retrieve and inspect this cache. It then rapidly floods the active subnet range (typically /24 or 254 nodes) with extremely lightweight UDP socket packets on non-standard ports. This forces silent target devices to trigger standard kernel replies and register their active MAC-to-IP pairings in milliseconds.

2. ICMP Pings

For network layers operating behind strict endpoint firewalls that block standard socket attempts, LAN Lens falls back to sending structured **ICMP Echo Requests** (Pings). Clients that respond to standard echo packets are immediately cataloged, and their round-trip latency (RTT) is recorded to measure node performance.

3. Service Broadcast Discovery (mDNS & UPnP)

Once a baseline IP map is established, LAN Lens interrogates local discovery protocols to recover accurate hostnames and hardware capabilities:

mDNS (Multicast DNS / Bonjour): Queries are multicast to the standard IP 224.0.0.251 on UDP Port 5353. Responsive Apple, smart speakers, and printer systems return local pointer details (`_http._tcp.local`, `_printer._tcp.local`) containing their model specifications.
UPnP / SSDP (Simple Service Discovery Protocol): Broadcasts standard discovery queries (`M-SEARCH`) to the multicast address 239.255.255.250 on UDP Port 1900. IoT devices, smart TVs, and routers reply with XML metadata containing serial numbers, model names, and manufacturer URLs.

4. Targeted Port Scan & Banner Grabbing

To identify the profile of unknown devices (like surveillance cameras or NAS boxes), LAN Lens executes concurrent, low-cost TCP connection checks against highly standard administrative and streaming interfaces:

HTTP Management  -> Ports 80, 443, 8080
RTSP Video Streams -> Port 554
Secure Shell (SSH) -> Port 22
NetBIOS Windows -> Port 139
Bonjour (ONVIF)   -> Port 8899

If a port accepts the connection, the discovery engine reads the first few bytes returned (the "Banner") to identify services safely, without performing intrusive penetration probes.