Using Nmap For Ping Scan + Other Tools to Use

Ping scans are typically used to find which IP addresses are in use on a network. There are, as we’re about to see, many reasons why one would need to do that. Traditionally, this task would be done by issuing successive ping commands and making note of the results. It is obvious that doing it that way is only practical with the smallest ranges of IP addresses.

When you have more than a few addresses to scan, you better resort to using a specialized scan tool. Nmap is one such tool and today, we’re having a look at using Nmap for ping scan.

We’ll start off our discussion by explaining what a ping scan is. And since it relies heavily on ping (who would have thought?) we’ll also give you some background information on the ping utility, what it is and how it works. We’ll then introduce Nmap, a free and open-source tools with several uses and tell you how to use it to perform a ping scan. Finally, we’ll have a look at a few other ping scan tools that you might want to try.

What Is A Ping Scan?

In a nutshell, a ping scan is the act of pinging each IP address in a given range or subnet to find which ones are responding and which ones aren’t. It sounds pretty boring and, to be truthful, it actually is. But there are several reasons why one would want to do that. One of them has to do with detecting rogue devices. They could be devices connected by malicious users to spy on your organization.

They could also be the act of users with perfectly good intentions. I once had this user who prevented many of his colleagues from accessing the network when he connected his home Internet router to it. He just needed a couple of extra ports to connect an additional test computer and thought he could use the switch built into his router. Unbeknownst to him, the router’s built-in DHCP server started assigning IP addresses from the wrong subnet to computers that were trying to connect to the network.

Other than security reasons, scanning IP addresses is also the first step of most manual IP address management processes. Many IP address management (IPAM) tools will include some form of IP address scanning but if you choose to take care of that manually, IP address scanning tools can come in handy. And for those who don’t have any IP address management process in place, scanning IP addresses is even more important. It will often be the only way to ensure that there are no IP address conflicts and it can be seen as a rather crude way of pseudo-managing IP addresses.

About Ping

No matter why you want to scan IP addresses, most tools are based on ping so let’s have a look at this vintage utility. Ping was created out of necessity back in 1983. Its developer needed a tool to help in debugging abnormal network behaviour he was observing. Today, ping is present on almost every operating system although its implementation varies somewhat between platforms. Some versions are offering multiple command-line options which can include parameters such as the size of each request’s payload, the total test count, the network hops limit, or the interval between requests. Some systems also have a companion Ping6 utility that serves the exact same purpose as ping but for IPv6 addresses.

How Ping Works

Ping is a simple utility which sends ICMP echo request packets to the specified target(s) and waits for it(them) to send back an ICMP echo reply packet for each received packet. This is repeated a certain number of times—five by default under windows and until it is manually stopped by default under most other implementations—and it then compiles response statistics. It calculates the average delay between the requests and their respective replies and displays it in its results. On most *nix variants as well as on the Mac, it will also display the value of the replies’ TTL field, giving an indication of the number of hops between source and destination.

Here’s a typical use of the ping command on Linux (the “-c 5” option tells the command to run five times and then report on the results, mimicking Windows’s operation of the command):

$ ping -c 5

PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=56 time=11.632 ms
64 bytes from icmp_seq=1 ttl=56 time=11.726 ms
64 bytes from icmp_seq=2 ttl=56 time=10.683 ms
64 bytes from icmp_seq=3 ttl=56 time=9.674 ms
64 bytes from icmp_seq=4 ttl=56 time=11.127 ms

--- ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.674/10.968/11.726/0.748 ms

For ping to work, the pinged host must abide by RFC 1122 which specifies that any host must process ICMP echo requests and issue echo replies in return. Most hosts do reply but some disable that functionality for security reasons. Firewalls often block ICMP traffic too. Pinging a host which does not respond to ICMP echo requests will provide no feedback, exactly like pinging a non-existent IP address. To circumvent this, many IP address scanning tools— is one of them—can use different types of packets to check if an IP address is responding.

Introducing Nmap

Nmap—which stands for Network Mapper—is a free and open-source network scanner created by Gordon Lyon (A.K.A. Fyodor Vaskovich). It is primarily used to discover hosts and services on a computer network by sending various packets and analyzing responses. Nmap started as a Linux utility and was later ported to many other systems including Windows, Mac OS, and BSD.

Nmap provides a number of features for probing computer networks. These include host discovery as well as service and operating system detection. The tool’s features can easily be extended by scripts that provide more advanced service detection, vulnerability detection, and more. It easily adapts to various network conditions including latency and congestion during a scan.

Nmap was originally distributed under the GNU Public License (GPL). However, in later releases, the tool’s authors added clarifications and specific interpretations to the license where they felt the GPL was unclear or lacking.

Using Nmap For Ping Scans

Because host discovery needs are so diverse, Nmap offers a wide variety of options for customizing the techniques used for ping scans. Despite its name, this technology goes well beyond the simple ICMP echo requests mentioned earlier. Using various options, you can skip the ping step entirely with a list scan (-sL) or by disabling ping (-Pn), or engage the network with arbitrary combinations of multi-port TCP SYN/ACK, UDP, and ICMP probes.

No matter what method you use, the objective is always to demonstrate which IP addresses are actually active (being used by a host or network device). On most networks, only a small percentage of IP addresses are active at any given time. This is particularly common with private address space such as This is used by many organizations of all sizes, many with much fewer devices than the 16.8 million IP addresses which are available in that address space. Some will have fewer than a thousand machines.

So, without going in too many details, here are a few ways that a typical ping scan can be performed using :

nmap, nmap or nmap

Any of these three commands will do the same thing, assuming that resolves to They scan that one IP address and then exit.

nmap, nmap, nmap 64.13.134.-, nmap

These four commands all instruct Nmap to scan the 256 IP addresses from through In other words, they ask to scan the class C sized address space surrounding

nmap --exclude,

This command instructs Nmap to scan the class C around, but to skip and if they are found within that address range.

nmap --exclude,

This one instructs Nmap to scan the whole private 10 range but to skip any IP address starting with 10.6 as well as the host.

We could go on forever with similar examples of the tool’s versatility. Nmap’s website ( provides ample documentation on how to do just about anything with this powerful tool.

Some Other Tools You Can Use

As powerful as can be, it’s not the easiest tool to use and it’s also not the prettiest. It will get the job of scanning a subnet or a range of IP addresses done but, if this is something you intend to do on a regular basis—and you probably should—perhaps you’d like to have a look at some alternative tools we’ve reviewed for you.

1. SolarWinds Ping Sweep (Part Of The Engineer’s Toolset)

First on our list is a tool from SolarWinds, maker some of the best network administration tools. The company is also known for its many free tools. When it comes to doing a ping scan, the SolarWinds Ping Sweep tool is simply one of the best products you can find. It is part of the SolarWinds Engineer’s Toolset, a bundle of more than 60 useful, Windows-based network management utilities, including Ping Sweep.

Using the SolarWinds Ping Sweep is super-easy. The tool has a graphical user interface where you enter the IP address range you want to scan. The range can be as big or as small as you want. You can even scan a discontinuous list of IP addresses from a text file. For instance, you could extract a list of assigned IP addresses from your DHCP server and use it as the tool’s input to see which ones are actually used.

SolarWinds Ping Sweep Screenshot

The SolarWinds Ping Sweep tool will ping all the specified IP addresses and list those that responded. This could hardly be simpler. The results can be exported to several file types such as CSV, XML, or even a web page. That way, you can analyze the results using your own favourite tool. As for the results, they don’t only include the IP addresses of the responding hosts. The tool also shows you each address’ response time and it does a reverse DNS lookup to find and display their hostnames.

Prices for the SolarWinds Engineer’s Toolset–including Ping Sweep–start at $1 495. This is a per named user price and you’ll need one license for each named user. Considering all the other tools that are part for bundle this is well worth the investment – and don’t forget there’s a 30-day trial which you could take advantage of.

Other Tools In The SolarWinds Engineer’s Toolset

The SolarWinds Engineer’s Toolset includes many more dedicated troubleshooting tools. Tools like DNS Analyzer and TraceRoute can be used to perform network diagnostics and help resolve complex network issues quickly. For security-oriented administrators, some of the tools can be used to simulate attacks and help identify vulnerabilities.

SolarWinds Enginerr's Toolset - Web Console

The SolarWinds Engineer’s Toolset also features some excellent monitoring and alerting capabilities. It includes several tools to monitor your devices and raise alerts for availability or health issues. And finally, you can use some of the included tools for configuration management and log consolidation.

Here’s a list of some of the other tools you’ll find in the SolarWinds Engineer’s Toolset:

  • Port Scanner
  • Switch Port Mapper
  • SNMP sweep
  • IP Network Browser
  • MAC Address Discovery
  • Response Time Monitor
  • CPU Monitor
  • Memory Monitor
  • Interface Monitor
  • TraceRoute
  • WAN Killer Network Traffic Generator
  • Router Password Decryption
  • SNMP Brute Force Attack
  • SNMP Dictionary Attack
  • Config Compare, Downloader, Uploader, and Editor
  • SNMP trap editor and SNMP trap receiver
  • Subnet Calculator
  • DHCP Scope Monitor
  • DNS Structure Analyzer
  • DNS Audit
  • IP Address Management

Official Download link:

2. Angry IP Scanner

Despite being deceptively simple the Angry IP Scanner makes extensive use of multithreading, making it one of the fastest tools of its kind. It is a free multi-platform tool which is available for Windows, OS X, or Linux. Since the tool is written in Java, you’ll need to have the Java runtime module installed to use it. This is pretty much the tool’s only drawback. This tool will not only ping IP addresses, but it will also optionally run a port scan on discovered hosts. It can also resolve IP addresses to hostnames and MAC addresses to vendor names. Furthermore, this tool will provide NetBIOS information about each responding host.

Angry IP Scanner Windows - IP Range

The Angry IP Scanner can not only scan complete networks and subnets but also an IP addresses range or a list of IP addresses from a text file. Although this is a GUI-based tool, it also comes with a command-line version that you can use if, for instance, you want to include the tool’s functionality in your scripts. As for the scan results, they are by default displayed on the screen in table format but they can easily be exported to several file formats such as CSV or XML.

3. Advanced IP Scanner

Advanced IP Scanner may seem like just another free IP address scanning tool but it has an interesting twist. The tool, which runs on Windows, is totally geared towards that operating system and it features several Windows-related advanced functionalities. More about that in a moment. The tool’s publisher claims this free software is used by over 30 million users worldwide. It is a portable tool that requires no installation.

Advanced IP Scanner

As for the tool’s functionality, it takes an IP address range as input but you can also supply a text file with a list of IP addresses. The results you get from this tool are impressive. You get, of course, the list of IP addresses that responded but you also get their corresponding hostname, MAC address and network interface vendor. For each responding Windows host, you also get a live list of its network shares. By live, I mean that you can click any share to open it on your computer—provided that you have the proper access rights. You can also start a remote control session with any discovered Windows host using either RDP or Radmin or even remotely turn a computer off.

4. Network Pinger

Network Pinger is another free Windows tool. Its interface is one of the most intuitive you can find. The tool’s performance is one of the best you can find. It was clearly optimized for the best possible performance. This tool can send 1000 pings in just 35 ms. This is fast; very fast. Network Pinger features several built-in tools. There’s automated mass ping, traceroute, port scanning, WMI, DNS and Whois queries, an IP calculator and converter, and many more.

Network Pinger Screenshot

Network Pinger makes great use of its graphical user interface and is loaded with visual features. For example, it can build live charts as it performs a ping sweep displaying a visual rendition of the important statistics such as a pie chart depicting the responding vs non-responding hosts or a graph showing average response times.

5. NetScan Tools

There are two different versions of NetScan Tools, a paid one called NetScan Tools Pro Edition and a free, ad-supported one called NetScan Tools Basic Edition with a reduced feature set. Both are toolsets which include multiple utilities and both include an IP address scanning tool called Ping Scan.

NetScan Tools Basic - Ping Scanner

NetScan Tools’ Ping Scan takes an IP address range as input, like most other IP address scanning tools. It scans the provided IP addresses and returns a list of all the scanned IP addresses with their hostname (when resolvable), average response time and a status in text form. Other useful tools in NetScan Tools include DNS tools, Ping, Graphical Ping, Traceroute, and Whois. If all you need is the IP address scanning functionality, go with the free Basic Edition.

6. MiTeC Network Scanner

Last on our list is a free tool called the MiTeC Network Scanner. This is another multi-use tool. It boasts a powerful IP address scanning function which can find any responding host in the specified range. The software will list each found device’s MAC address, hostname, and response time. In addition to just pinging each host, this tool can also poll SNMP-enabled devices and list their interfaces. It can also identify Windows computers and let you see their shares, remotely shut them down, perform remote execution, and more.

MiTeC Network Scanner Screenshot

But back to IP address scanning, the results show up as a table on the software’s dashboard. They can then be exported to a CSV file to be used with another tool. The tool will run on most modern versions of Windows—either workstation or server—since Windows 7. As for the tool’s other advanced features, there are simply too many to mention them all. It includes, for instance, a Whois function and a DNS resolution function.

Read Using Nmap For Ping Scan + Other Tools to Use by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter

How to Use Nmap For Traceroute to Discover Network Paths

Traceroute—or tracert if you’re living in the Windows world—is, together with ping, one of the most-used network troubleshooting tools. As its name implies, traceroute will trace the route from one computer or network-connected device to another. It’s a very useful tool that will not only test the connectivity to a host but also reveal a lot about the path to get there and some issues that may be plaguing it. Although traceroute is a great tool, it’s also a rather limited tool and does nothing but tracing routes. On the other hand, Nmap, another well-know utility—albeit not as much—which is coming from the Linux world provides a way to trace the route to a host but it also offers a lot of extra functionality. In fact, Nmap’s primary uses are discovering networks and scanning ports. Today, we’re having a look at using Nmap for traceroute.

Before we get to the actual explanation of how to use Nmap for traceroute, we’ll begin by first introducing the traceroute utility. Knowing what it is but, more importantly, how it works will help you better understand how Nmap performs the same kind of task. Next, we’ll briefly introduce the Nmap utility, discussing what it is, where it’s coming from and what it can be used for. We’ll follow that by discussing how to use Nmap for traceroute and explain how Nmap actually performs the trace. You’ll see that it is radically different from traceroute’s approach. And finally, we’ll have a brief look at some other tools you can use to trace the route between two devices. As you’ll see, there are plenty of options available.

About Traceroute

The definition of traceroute from Wikipedia is very clear: “Traceroute is a computer network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network”. As good as that description is, it kind of fails to give much detail about what it is concretely and how it works. Let’s explain. Traceroute will tell you the IP address of every router located between your computer and the remote computer. But that’s not all, traceroute will also report on the network delay between each of these routers.

Traceroute is a very old tool. The first version was released back in 1987. This is over 30 years ago; an eternity in computer years. It is also a very common tool. First introduced on the Unix operating system, it is now present on every Unix-like OS including Linux and Mac OS. It even eventually got ported to the Windows platform where it was renamed to tracert because of the original 8-character limit on filenames in Windows.

Traceroute is a tool that every network administrator should understand and use. Unfortunately, many of its users don’t completely understand how it works and can, therefore, run into some of the utility’s pitfalls. For example, the path could be asymmetrical with traffic in taking a different route than traffic out and the tool wouldn’t see it.

Traceroute’s Operation

First, a few prerequisites. The Internet—or any IP network, for that matter—is made of interconnected routers. Routers talk to each other, exchanging information about what networks they know how to reach. They use this information to build routing tables. Whenever a data packet reaches a router, it looks up the destination in its routing table and proceeds to send it to the next router on the path. The router only knows about the next router and has no idea of the complete path. It doesn’t have to.

In order to limit propagation delays due to excessive routing hops, the header of every data packet contains a field of data called the TTL or Time To Live. This is a true misnomer as the value of the TTL has nothing to do with time but everything to do with distance instead. When a packet leaves its origin, the TTL is set to 32. From then on, every router that handles it along the path to the destination decrements the TTL by one before routing the packet. When the TTL value reaches zero, a router will not route the packet and will instead return an ICMP “Time Exceeded” message back to the packet’s origin.

Tracert Sample Run

Traceroute exploits this error detection and reporting system to perform its feat. Traceroute will first send a packet to the destination with the TTL set to 1. The very first router on the path will decrement the TTL and return the Time Exceeded message, allowing traceroute to learn about the IP address of that first router–or hop, as it is often referred to. Traceroute will then send another packet with the TTL set to 2 and learn about the second hop. And it will keep doing that, incrementing the TTL each time until it eventually gets a response from the destination, telling it that it has been reached.

Traceroute will typically also measure the time it takes to get each successive response, allowing it to build a table of the response time for each hop. It will often also do a DNS lookup of each hop’s IP address to display each host’s FQDN instead of just their IP addresses in its results.

Traceroute’s Shortcomings

For the previous explanation, you’ll have figured that, due to the way it operates, traceroute will only show you the path towards the destination. It has, however, no way of discovering the return path. That could be a problem, especially in situations where the return path is somehow delayed. Traceroute measures the time it takes to get each response but it has no way of knowing if any delays were encountered on the way out to the destination or on the way back, potentially providing misleading results.

There’s also a potential problem with destinations that are load-balanced on several hosts. Nothing guarantees a traceroute user that each successive packet is sent to the same load-balanced host. And if the two hosts are in different locations, this could lead to inaccurate results.

Finally, for obvious security reasons some routers are configured not to respond to the type of requests that traceroute uses. This won’t stop traceroute from functioning and the utility will simply ignore those hops and report them as unreachable. However, some more advanced tools—such as Nmap—can use different types of packets for their path discovery, thereby mitigating the risk of unresponsive hops.

Introducing Nmap

Nmap, which stands for “Network Mapper” is a free and open-source utility for network exploration and security auditing. It was designed to rapidly scan large networks but it works just as well against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap is primarily used for security audits but many systems and network administrators use it for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Here’s an overview of all that Nmap can be used for:

  • Host discovery
  • Port discovery / enumeration
  • Service discovery
  • Operating system version detection
  • Hardware (MAC) address detection
  • Service version detection
  • Vulnerability / exploit detection, using Nmap scripts (NSE)
  • Network path discovery (traceroute)

Nmap was created by Gordon Lyon (A.K.A. Fyodor Vaskovich) and originally distributed under the GNU Public License (GPL). Unsatisfied with some of the terms of the license, the authors eventually added clarifications and specific interpretations to the license where they felt the GPL was unclear or lacking.

Using Nmap For Traceroute

Using Nmap to perform a traceroute is super easy. All you have to do is add the –traceroute option to the command. For instance:

nmap --traceroute

The –traceroute option can be used together with most types of Nmap scans except connect scans (-sT) and idle scans (-sI). The tracing is performed post-scan using information gleaned from the scan results to determine the port and protocol most likely to reach the target. All traces use Nmap’s dynamic timing model and are performed in parallel.

Contrary to the original traceroute utility described above, Nmap’s traceroute starts with a high TTL and then decrements it until it reaches zero. Doing it backwards (as compared with traceroute) lets Nmap employ clever caching algorithms to speed up traces over multiple hosts. On average Nmap sends 5 to 10 fewer packets per host, depending on network conditions.

A Few Other Traceroute Tools You May Want To Try

Traceroute (or tracert) and Nmap are not the only tools you can use to trace network paths. In fact, many tools are available from various vendors. Some claim to do it faster, some will succeed where others fail by using different ports and packet types to do their thing. Let’s review a few of the best traceroute tools we could find. It will give you an idea of what’s available.

The last two tools on our list are online tools. They essentially perform the same type of test as any traceroute, but they do it from an origin on the Internet. Most such services let you select the point of origin with the best ones offering options in multiple countries. Their primary use is in identifying how website users reach your site.

1. Traceroute NG From SolarWinds (FREE DOWNLOAD)

SolarWinds is a well-known name in the field of network management tools. The company makes some of the best monitoring tools starting with its flagship product, the Network Performance Monitor, a complete network monitoring solution. SolarWinds also has a solid reputation for making great free tools that address specific needs of network administrators. Traceroute NG is one such tool.

Traceroute NG leverages the SolarWinds Netpath technology to offer continuous TCP and ICMP tracing. It claims to be faster than other traceroute utilities and to return results in mere seconds. Of course, this mostly depends on the network.

Traceroute NG Screenshot

But Traceroute NG not only improves on the speed of traceroute. It also returns quite a bit more information, giving you a deeper insight into the situation. For each hop, the tool will use ping to return the packet loss percentage, the current and average response time as well as a latency bar graph. Also important, Traceroute NG will use a reverse DNS lookup to find and display the Fully Qualified Domain Name, or FQDN, of each hop.

Another great feature of Traceroute NG is its automatic detection of path changes. If there are multiple paths to a given host, the tool will figure it out and display each path individually. This is very useful when troubleshooting load-balanced environments. The tool will also let you choose to perform the test using either TCP or ICMP packets. This can be useful if some device along the path blocks ICMP, for example. And last but not least, this tool will write the results of its test to a .txt log file.

Traceroute NG runs on Windows only but, deceptively, it’s not a true Windows application. While it does run under the Windows operating system and is displayed within a window, it is mostly a text-based tool. But then again, would a GUI increase the tool’s usefulness? Probably not.

The tool, which is downloaded as a .zip file requires no installation but it relies on Winpcap which must be installed if it’s not already present on your computer. Traceroute NG, however, will detect its absence when it starts and will automatically launch the Winpcap installer which is included in the .zip file.

2. Open Visual Traceroute

If what you’re after is a true GUI-based traceroute tool, Open Visual Traceroute might be just what you need. The tool, which is available for Windows, most flavours of Linux, or Mac OS is simply amazing. And to make thing even better, the tool is free and open-source, released under the LGPL V3 license.

Open Visual Trace Route

The main component of this software is the Visual Traceroute per se. It is a visual, GUI-based utility that will let you see on a World 3D map–or 2D if you prefer–what path the data is taking to go from your computer to the target host. The map can be zoomed and scrolled at will, providing any level of detail you might want.

Open Visual Traceroute also comes with a few more tools, making it an even more useful product. First, there’s a “packet sniffer”. It’s not a packet sniffer like Wireshark, though. Its purpose is solely to allow you to see what data is being sent back and forth from the local system to the Internet. There is also a Whois feature that will pull information about domain names from the Internet.

3. MTR (My Traceroute)

MTR was first developed by someone named Mike and the acronym stood for Mike’s Traceroute. Someone else has taken over and renamed it to My Traceroute but it’s still the same product. The software has been around since 1997. If its longevity is a testament to its quality, this ought to be a pretty good tool.

My Traceroute GUI Interface

And it is. Functionally, it is almost identical–or at least very similar–to Traceroute NG reviewed above. The main differences between the two are that while the former is a Windows application, MTR runs on Linux and can be used with a GUI or from the command line.

Concretely, MTR combines the functionality of traceroute and ping in one network diagnostic tool. When you run the software, it first operates exactly like traceroute to learn the network path to a specified host. Once it knows the path, the tool can go a bit further. It will send a sequence of ICMP ECHO requests to each hop to measure the quality of the link to each router. And as it does that, it displays the measured statistics on the screen. In fact, it prints it to the standard output, meaning that it can be redirected to a file.

4. Monitis Online Visual Trace Route Tool (Online Tool)

Monitis is a TeamViewer company that makes a well-known website performance monitoring platform. The cloud-based virtual service will allow you to monitor your websites, servers, applications, and more anytime and from anywhere. With close to a quarter-million users, this is a rather popular platform.

Like many other vendors, Monitis has a few free tools available on their website. The Online Visual Trace Route, despite the unusual spelling, is exactly what it says it is. It will trace the route between Monitis’ server and the host you specify and plot it on a map of the World. Unfortunately, the map display rarely includes all hops. This is normal as the tool won’t be able to geolocate every hop and some hos won’t respond at all. And this is true of any such tool, not just this one.

Monitis Online Visual Trace Route

If you scroll down the screen, you’ll see that the tool also present the information in a tabular form, much like a traditional traceroute tools would. You might also notice that, at the top of the tabular display, there are three tabs labelled United States, Europe, and Asia/Pacific. You’d be lead to think that clicking on a tab runs the test from a different source located in those three geographic areas but, looking at the results, it doesn’t seem to be the case. Both the table and the map display change from one tab to the other but I haven’t been able to figure out how they operate.

5. G-Suite.Tools Visual Traceroute (Online Tool)

Don’t let yourself get fooled by its name, G-Suite.Tools is in no way related to Google. The website proposes a handful of useful network and Internet tools. Among those is a visual traceroute tool. Using it is pretty simple. You simply type in an IP address or FQDN and click the TRACE button. Pretty soon, a smallish map on the page will visually display the path to the specified host.

G-Suite.Tools Visual Traceroute

Like most other similar tools, a table is available. It shows IP address and FQDN (when resolvable) as well as the cumulative round-trip time to each hop. One thing we particularly loved about this tool–and it is particularly well-suited for newcomers–is the wealth of information about the traceroute process that can be found on the page.

While you’re there, G-Suite.Tools has a few other tools you might want to use. Each can be easily accessed from a ribbon menu at the top of the page. There’s DNS Lookup, Whois lookup, ping, my IP address, IP address location as well as a tool to verify the operation of email addresses.

Read How to Use Nmap For Traceroute to Discover Network Paths by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter

The 10 Best Network Scanner Tools and Software to Use

If you need to know what’s currently connected to your network, your best bet is to scan it and see what actually responds. While this can be done manually, on all but the smallest of networks, this can quickly turn into a considerable—and time-consuming—endeavour. Fortunately just as there are a million reasons why you’d need to scan your network, there are also a million products that can help you do just that. So many options are available that picking the best tool for the purpose can be an overwhelming challenge. Today, we’re having a look at some of the best network scanner tools.

We’ll begin our discussion by having a look at network scanning. We’ll try to cover the how and the why of it. Next, we’ll be introducing ping. After all, this is by far the most useful tool for network scanning and many integrated network scanning tools use it in the background or they use similar techniques. Knowing ping’s inner workings will help you better understand how network scanners operate. And last but not least, we’ll review some of the very best network scanning tools.

Network Scanning 101

Other than the pure fun and enlightenment of knowing what IP addresses are in use, there are several reasons one would want to scan IP addresses. First and foremost is security. Scanning IP addresses on a network allows you to quickly discover unauthorized devices. These could, for instance, be devices connected by malicious users to spy on your organization.

But even well-intentioned users can sometimes wreak havoc by connecting their personal devices. I recall that user who prevented many of his colleagues from accessing the corporate network when he connected his home Internet router to it. He just needed a couple of extra ports to connect an additional test computer and thought he could use the switch built into his router. Unbeknownst to him, the router started issuing IP addresses from its built-in DHCP server. And several of his colleagues got assigned erroneous IP addresses.

Other than for security reasons, scanning IP addresses is also the first step in any attempt at IP address management. While many—if not all—IP address management (IPAM) tools do include some form of IP address scanning, many choose to manage IP address using a manual process instead of an integrated tool. In these situations, IP address scanning tools become a necessity.

For people without any kind of formal IP address management process, scanning IP addresses is possibly even more important. It will often be the only way to ensure that there are no IP address conflicts. It can, in fact, be considered a rather crude way of pseudo-managing IP addresses.

Introducing Ping

No matter what you need for scanning IP addresses is, most tools are based on Ping. Let’s have a look at this ubiquitous albeit antique utility. Ping was created out of necessity back in 1983 proving once more that necessity is the mother of invention. Its developer needed a tool to help in debugging an abnormal network behaviour he was observing. Its name refers to the sound of sonar echoes as heard in submarines. Today, ping is present on almost every operating system, yet its implementation varies somewhat between platforms. Some versions are offering multiple command-line options which can include parameters such as the size of each request’s payload, the total test count, the network hops limit, or the interval between requests. Some systems have a companion Ping6 utility that serves the exact same purpose but uses IPv6 addresses.

Here’s a typical use of the ping command on Linux (the “-c 5” option below tells ping to stop after five repetitions, mimicking the Windows default behaviour):

$ ping -c 5

PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=56 time=11.632 ms
64 bytes from icmp_seq=1 ttl=56 time=11.726 ms
64 bytes from icmp_seq=2 ttl=56 time=10.683 ms
64 bytes from icmp_seq=3 ttl=56 time=9.674 ms
64 bytes from icmp_seq=4 ttl=56 time=11.127 ms

--- ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.674/10.968/11.726/0.748 ms

Ping’s Inner Workings

Ping is a pretty simple utility. All it does is sending ICMP echo request packets to the target and waiting for it to send back an ICMP echo reply packet. This process is repeated a certain number of times—five by default under windows and until it is manually stopped by default under most Unix/Linux implementations. Once the command terminates, response statistics are compiled and displayed. The utility calculates the average delay between the requests and their respective replies and displays it in its results. On most *nix variants, it will also display the value of the replies’ TTL (time to live) field, giving an indication of the number of hops between source and destination.

For the command to work, the pinged host must abide by RFC 1122. The standard specifies that any host must process ICMP echo requests and issue echo replies in return. And while most hosts do reply, some disable that functionality for security reasons. Firewalls also often block ICMP traffic. To circumvent this, the better IP address scanning tools can use a type of packet different from ICMP to check if an IP address is responding. Pinging a host which does not respond to ICMP echo requests will provide no feedback, which is exactly like pinging a non-existent IP address.

The Best Network Scanner Tools

This list includes some of the best tools we could find for network scanning. We’ve incorporated tools for most platforms so that whether you’re a Windows, Linux or Mac user, there’s something in there for you, Some of the tools on our list are pure network scanners while others are broader tools that do include a scanning module.

1. SolarWinds IP Address Tracker (FREE DOWNLOAD)

First on our list is a great tool from SolarWinds, a company that is well-known in the network administration field for making some of the best tools and also for publishing many free tools, each addressing a specific need of network administrators. Together with free tools such as the Advanced Subnet Calculator or the Kiwi Syslog Server, the SolarWinds IP Address Tracker is one such free tool.

SolarWinds IP Address Tracker Screenshot

The SolarWinds IP Address Tracker can be used to manage and track up to 254 IP addresses. This limitation makes it a fine tools for smaller installations. It will track IP address availability and alert you of an upcoming shortage of available IP addresses. It will also automatically detect IP address conflicts and alert you when it finds one. This feature-limited tool won’t interact with your DNS and DHCP servers, though. You’ll have to manually fix any issues it finds. It’s got an attractive dashboard-based user interface with colour-coded status and it also features historical trends and events reports.

2. SolarWinds IP Address Manager (FREE TRIAL)

For a more complete, enterprise-grade tool, the SolarWinds IP Address Manager might be just what you need. It starts where the IP Address Tracker stops. This is a full-featured IP address management tool that has none of the limitations of the free tool. This one can manage up to 2 million IP addresses, enough for the biggest environments.

SolarWinds IP Address Manager Screenshot

Although it doesn’t include DHCP or DNS capabilities, the IP Address Manager will interact with your existing DNS and DHCP servers, making it a true DDI solution. Of course, the tool features automatic IP address tracking. It wouldn’t be in this list if it didn’t. It will automatically monitor your subnets so that you always know how IP addresses are used. The system will alert you of IP address conflicts, depleted scopes, and mismatched DNS records.

The tool integrates with DHCP servers from Microsoft, Cisco, and ISC and will work with BIND and Microsoft DNS servers. Pricing starts at $1 995 and varies according to the number of managed addresses. A free 30-day trial is available if you want to test the product before purchasing it.

3. Angry IP Scanner

The Angry IP Scanner is a multi-platform tool that will run on Windows, Mac OS, and Linux. This tool can scan complete networks or subnets but also an IP addresses range or a list of IP addresses in a text file. It uses Ping to find IP addresses that are responding but it will also resolve hostnames and MAC address vendors as well as provide NetBIOS information for hosts that support it. This tool is also a port scanner and can list the open ports on each responding host.

Angry IP Scanner Screenshot

The Angry IP scanner is a GUI-based tool but there’s also a command-line version that you can use. This is useful for including the tool’s functionality in your scripts. Results are displayed on the screen in a table form and can be exported to several file formats such as CSV or XML.

4. Advanced IP Scanner

The Advanced IP Scanner has an interesting twist. The tool runs on Windows and is made for Windows. More about all that in a moment. This software simply takes an IP address range as its input. You could also supply the tool with a text file containing a list of IP addresses. The tool will scan the addresses and provide you with a list of those addresses that respond. But you don’t only have IP addresses, the tool will also display each host’s name, MAC address and network interface vendor.

Advanced IP Scanner Screenshot

For Windows hosts that the tool discovers, you get much more functionality. For instance, the tool will list network shares. And clicking any share opens it on your computer. You can also start a remote control session using either RDP or Radmin or remotely turn a Windows computer on–provided it has wake on LAN–or off.

5. SoftPerfect Network Scanner

The SoftPerfect Network Scanner will scan a range of IP addresses and list those that respond along with their MAC address, hostname and response time. It can also be used as a port scanner and will optionally list what IP ports are open on each host.

SoftPerfect Network Scanner Main Window

Just like our previous entry, additional functionality is available for Windows hosts. This tool will, for instance, display all shares on each host. Even hidden shares will be displayed. It can also list what user account(s) are currently connected to each Windows computer. Furthermore, the tool will let you remotely access computers and run commands remotely. And finally, you can broadcast messages to the discovered computers.

6. LizardSystems Network Scanner

The main difference with the LizardSystems Network Scanner is that it is browser-based. It runs only on Windows and requires Internet Explorer. As for its features, they leave nothing to be desired. The tool is easy to use, it offers great performance thanks to its use of multi-threading, and it’s scalable. There’s actually no limit to the number of addresses you can scan.

LizardSystems Network Scanner Screenshot

There are also quite a few advanced features such as results filtering or customizable status checks that will check for any port you specify. It will also retrieve NetBIOS information as well as verify access rights to remote resources. And if you want to manipulate the results, you can export them to HTML, XML, or text.

7. LanScan

LanScan from Iwaxx is available from the Apple app store. It’s a simple application that does just what its name implies: scan a LAN. It is a free, simple and efficient IPv4-only network scanner. It can discover all active devices on any subnet. It could be the local one or any other subnet that you specify. In fact, it is quite flexible when it comes to specifying what to scan and it can be as small as a single IP address and as large as a whole network. A unique characteristic of this product is how it will use ARP to scan a local subnet and use ping, SMB, and mDNS packets to scan external and public networks.

LanScan Mac Screenshot

This product has several advanced features. It will, for instance, automatically detect configured interfaces. It will also display the IP address, MAC address, hostname and interface card vendor associated with each discovered IP address. It will also discover SMB domains if they are in use and will do hostname resolution using either DNS, mDNS for Apple devices or SMB for Windows devices.

In-app purchase will let you upgrade the app to the pro version which has only one extra feature: it will display the full hostname of each discovered host. The free version will only display four full hostnames and the first 3 characters of the remaining ones.

8. IP Scanner For Macintosh

The IP Scanner for Macintosh will scan your LAN to identify what IP addresses are in use and identify all computer and other devices on the network. The product is free for use on small home networks of up to six devices and paid Home and Pro versions are available for larger networks. The tool yields powerful results yet it is easy and intuitive to use. Local networks are scanned automatically and custom IP address ranges can be added and scanned manually

IP Scanner for Macintosh Screenshot

The IP Scanner for Macintosh is designed to allow you to customize your scan results. Once a device has been identified, you may assign it a custom icon and name to more easily recognize it at a glance. The tool will let you sort the results list by device name, IP address, MAC address or Last Seen timestamp. It can also give you an overview of the current network or show you changes over time.

The results display is highly customizable and you can adjust columns, text size, bezel transparency, and more. Double-clicking a device gives you more information and allows you to customize its appearance. Right-clicking a device will let you initiate a ping sequence or run a port scan of it.

9. Bopup Scanner

It is unexpected to see a product from B-Labs on this list as the company usually specializes in messaging systems. In fact, its Bopup Scanner is its only network administration tool. It is a free tool for the Windows operating system.

BopUp Scanner Screenshot

This tools will scan your network and output a list of all connected devices. It displays IP addresses, hostnames, and MAC addresses. It will also tell you if a web server is responding on each host it tests. You can drill down on each host to view more information such as a list of available shares. Option-wise, the tool will let you specify exactly what IP addresses to scan and you can also set the response timeout to prevent unresponsive IP addresses from slowing down the process.

10. MyLanViewer Network/IP Scanner

The MyLanViewer Network/IP Scanner is a free IP address scanner for Windows whose main differentiating factor is how results are displayed. Instead of a table with a list of IP addresses and corresponding parameters, this tool presents the results in a hierarchical way. It looks like the left pane of a Windows Explorer window.

MyLANViewer IP Scanner

This tool will scan the whole network where the computer used to run it is connected. It will show each responding host as a node on a tree structure. Clicking the plus sign next to any entry will reveal more information about it. It displays the same complement of data as most other tools.

Read The 10 Best Network Scanner Tools and Software to Use by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter

6 Best ITIL Security Management Tools in 2019

ITIL is a relatively widespread and very thorough framework for IT service management. Originally from the UK and designed to serve both the government and private businesses, it is a set of highly structures processes, recommendations and practices. It is separated into several specific areas with security management being nothing more than one of many aspects of it. But since security is such an important topic—especially when considering the modern threat scene and how organizations are constantly being targeted by unscrupulous hackers—we’ve decided to have a look at some of the very best ITIL security management tool.

We’ll start off by explaining in greater details what ITIL is before moving on to the specific area of ITIL security management. Next, we’ll introduce the concept of Security Information and Event Management, describe what it consists of, and explain how it can relate to ITIL security management. We’ll finally get to the interesting part and present a quick review of some of the best ITIL security management tool, describing each tool’s best features and functionality.

ITIL In A Nutshell

ITIL, which used to stand for Information Technology Infrastructure Library, started way back in the 80s as an effort from the UK Government’s Central Computer and Telecommunications Agency (CCTA) to develop a set of recommendations and standard practices for IT service management in the government and the private sector as well. It originated as a collection of books, each covering a specific practice within IT service management and was built around a process model-based view of controlling and managing operations.

Initially composed of over 30 volumes, it was later somewhat simplified and services were grouped, reducing the number of volumes to 5. It is still in constant evolution and the latest version’s Foundation book was published last February, ITIL groups various elements of IT service management into practices, with ITIL Security Management being just one of many.

About ITIL Security Management

As for the Security Management ITIL process, it “describes the structured fitting of information security in the management organization.” It is largely based on the code of practice for information security management system (ISMS) now known as ISO/IEC 27001.

The main goal of security management is, obviously, to ensure adequate information security. And in turn, the primary goal of information security is to protect information assets against risks, Thereby maintaining its value to the organization. Typically, this is expressed in terms of ensuring its confidentiality, integrity and availability, but also with related properties or goals such as authenticity, accountability, non-repudiation and reliability.

There are two primary aspects of security management. First and foremost are the security requirements which could either be defined within service level agreements (SLA) or other requirements specified in contracts, legislation as well as internal or external policies. The second aspect of it is simply basic security that guarantees management and service continuity. It is somewhat related to the first aspect as it is necessary to achieve simplified service-level management for information security.

While ITIL security management is a broad concept, it is somewhat more circumscribed in the context of software tools. When talking about security management tools, several types of tools can come to mind. One type, however, seems to be more interesting than the others: Security Information and Event Management (SIEM) tools.

Introducing Security Information and Event Management (SIEM)

In its simplest form, Security Information and Event Management is the process of managing security information and events. Concretely, a SIEM system does not provide any real protection. This is different, for instance, from anti-virus software which actively stops viruses from infecting protected systems. SIEM’s primary purpose is to make the life of network and security administrators easier. A typical SIEM system simply collects information from various systems—including network devices and other detection and protection systems. It then correlates all this information, assembling related events, and reacts to meaningful events in various ways. SIEM systems also include some form of reporting and, more importantly, dashboards and alerting subsystems.

What’s in a SIEM System

SIEM systems vary greatly from vendor to vendor. There are, however, a certain number of components to them that seem to be present in many of them. They won’t all include all of those components and, when they do, they could function differently. Let’s review some of the most important—and most common—components of SIEM systems in greater detail.

Log Collection And Management

Log collection and management is without a doubt the most important component of a SIEM system. Without it, there is no SIEM. The first thing a SIEM system has to do is acquire log data from a variety of different sources. It can either pull it—using, for instance, a locally installed agent—or different devices and systems can push it to the SIEM tool.

Since each system has its own way of categorizing and recording data, the next task of the SIEM tool is to normalize data and make it uniform, no matter what its source it is coming from. How that step is done varies mainly according to the original format of the received data.

Once it is normalized, the logged data will often be compared against known attack patterns in an attempt to recognize malicious behaviour as early as possible. Data can also be compared to previously collected data, thereby helping build a baseline that will further enhance abnormal activity detection.

Event Response

It is one thing to detect event but, once an event is detected, some response process must be started. This is what the event response module of the SIEM tool is all about. The event response can take many forms. In its most basic implementation, an alert message will be generated on the system’s dashboard. Email or SMS alerts can also be generated as the primary response.

However, the best SIEM systems go a step further and they can typically initiate some sort of remedial process. Again, this is something that can take many forms. The best systems have a complete incident response workflow system that can be customized, providing exactly the type of response you need. The incident response does not have to be uniform and different events—or different types of events—can trigger different processes. The top SIEM tools can give you complete control over the incident response workflow.


It’s one thing to have log collection and management and to have an event response system in place, but you also need another important element: reporting. Even though you might not know it just yet, you will need reports; plain and simple. Your organization’s executives will need them to see for themselves that their investment in a SIEM system is paying off. But that’s not all, you might also need reports for conformity purposes. Complying with standards such as PCI DSS, HIPAA, or SOX is much easier when your SIEM system can generate conformity reports.

Reports may not be at the core of every SIEM system but they are still one of their essential components. Actually, reporting is one of the main differentiating factors between competing systems. Reports are like candies, you can never have too many. When evaluating systems, look at what reports are available and how they look like and keep in mind that the best systems will let you create custom reports.


The last important component of most SIEM tools is the dashboard. It is important as it is your window into the status of your SIEM system and, by extension, into the security of your IT environment. We could have said dashboards—with an S—just as well as there could be multiple dashboards available in some systems. Different people have different priorities and interests and the perfect dashboard for a network administrator will be different from that of a security administrator. Likewise, an executive will need a completely different dashboard as well.

While we can’t evaluate SIEM systems just on the number of dashboards they offer, you need to pick one that has the dashboard(s) you need. This is definitely something you’ll want to keep in mind as you evaluate vendors. And just like it is with reports, the best tools allow you to build customized dashboards to your liking.

Using SIEM As An ITIL Security Management Tool

No matter how complex the concept of security management can be in the context of the ITIL framework. It actually sums up to one primary goal: ensuring that data is secure. And although the whole IT security management paradigm has several different aspects, when it comes to the software tools you can use, there doesn’t appear to be an ITIL security management software package. On the other hand, there are countless offerings from various software publishers of tools aiming at ensuring the security of your data.

We’ve also seen how SIEM tools have a similar goal of preserving data security. It is, in our view, that common goal that makes them one of the best types of tools for IT security management. Keep in mind, however, that the practice of ITIL security management goes far beyond SIEM and, although they are a good starting point, they are only part of the solution, albeit an important one.

The Best ITIL Security Management Tools

Since we’ve established that the best ITIL security management tools were indeed SIEM tools, we’ve searched the market looking for the best of them. We found a great variety of tools from some of the best-known organizations. All of the tools on our list have all the major features you’d expect from a security management tool. Picking the best one for your particular need is often a matter of personal taste. Or perhaps one of the tools has a unique feature that appeals to you.

1. SolarWinds Security Event Manager (FREE TRIAL)

SolarWinds is a common name in the network monitoring world. Its flagship product, called the Network Performance Monitor is one of the best SNMP monitoring tool available. The company is also known for its numerous free tools such as its Advanced Subnet Calculator or its Free SFTP Server.

When it comes to SIEM, SolarWinds’ offering is the SolarWinds Security Event Manager. Formerly called the SolarWinds Log & Event Manager, the tool is best described as an entry-level SIEM tool. It is, however, one of the best entry-level systems on the market. The tool has almost everything you can expect from a SIEM system. This includes excellent log management and correlation features as well as an impressive reporting engine.

SolarWinds Security Event Manager Screenshot

FREE TRIAL: SolarWinds Security Event Manager

Official Download Link:

The tool also boasts excellent event response features which leave nothing to be desired. For instance, the detailed real-time response system will actively react to every threat. And since it’s based on behaviour rather than signature, you’re protected against unknown or future threats and zero-day attacks.

On top of its impressive feature set, the SolarWinds Security Event Manager’s dashboard is possibly its best asset. With its simple design, you’ll have no trouble finding your way around the tool and quickly identifying anomalies. Starting at around $4 500, the tool is more than affordable. And if you want to try it and see how it works in your environment, a free fully functional 30-day trial version is available for download.

Official Download Link:

2. Splunk Enterprise Security

Splunk Enterprise Security—or Splunk ES, as it is often called—is possibly one of the most popular SIEM systems. It is particularly famous for its analytics capabilities. Splunk ES monitors your system’s data in real-time, looking for vulnerabilities and signs of abnormal and/or malicious activity.

Splunk ES Risk Analysis

In addition to great monitoring, security response is another of Splunk ES’ strong suits. The system uses what Splunk calls the Adaptive Response Framework (ARF) which integrates with equipment from more than 55 security vendors. The ARF perform automated response, speeding up manual tasks. This will let you quickly gain the upper hand. Add to that a simple and uncluttered user interface and you have a winning solution. Other interesting features include the Notables function which shows user-customizable alerts and the Asset Investigator for flagging malicious activities and preventing further problems.

Splunk ES is truly an enterprise-grade product and that means that it comes with an enterprise-sized price tag. Pricing information is unfortunately not readily available from Splunk’s web site. You’ll need to contact the sales department to get a quote. Contacting Splunk will also allow you to take advantage of a free trial, should you want to try the product.

3. RSA NetWitness

Since 2016, NetWitness has focused on products supporting “deep, real-time network situational awareness and agile network response”. After being acquired by EMC which then merged with Dell, the NetWitness brand is now part of the RSA branch of the corporation. This is good news as RSA is a highly respected name in IT security.

RSA NetWitness is ideal for organizations seeking a complete network analytics solution. The tool integrates information about your organization which it uses to help prioritize alerts. According to RSA, the system “collects data across more capture points, computing platforms, and threat intelligence sources than other SIEM solutions”. The tool also features advanced threat detection which combines behavioral analysis, data science techniques, and threat intelligence. And finally, the advanced response system boasts orchestration and automation capabilities to help get rid of threats before they impact your business.

RSA NetWitness

One of the main drawbacks of RSA NetWitness as reported by its user community is that it’s not the easiest to set up and to use. There is, however, comprehensive documentation available which can help you with setting up and using the product. This is another enterprise-grade product and, as it is often the case, you’ll need to contact sales to get pricing information.

4. ArcSight Enterprise Security Manager

ArcSight Enterprise Security Manager helps identify and prioritize security threats, organize and track incident response activities, and simplify audit and compliance activities. It used to be sold under the HP brand but ArcSight has now been merged into Micro Focus, another HP subsidiary.

Having been around for more than fifteen years, the ArcSight Enterprise Security Manager is another immensely popular SIEM tools. It compiles log data from various sources and performs extensive data analysis, looking for signs of malicious activity. To make it easy to identify threats quickly, the tool lets you view analysis results in real-time.

ArcSight Command Center

As for the product’s features, it leaves nothing to be desired. It has powerful distributed real-time data correlation, workflow automation, security orchestration, and community-driven security content. The ArcSight Enterprise Security Manager also integrates with other ArcSight products such as the ArcSight Data Platform and Event Broker or ArcSight Investigate. This is another enterprise-grade product and as such, pricing information is not readily available. It will require that you contact the ArcSight sales team to get a customized quote.

5. McAfee Enterprise Security Manager

McAfee is definitely another household name in the security industry. It is, however, better known for its virus protection line of products. Unlike other products in this list, the McAfee Enterprise Security Manager is not just software, it is an appliance that you can get either as a piece of hardware or in a virtual form.

In terms of its analytics capabilities, the McAfee Enterprise Security Manager is considered to be one of the best SIEM tools by many. The system collects logs across a wide range of devices and its normalization capabilities are second to none. The correlation engine easily compiles disparate data sources, making it easier to detect security events as they happen.

McAfee Enterprise Security Manager

But to be true, there’s more to this McAfee solution than just its Enterprise Security Manager. To get a complete SIEM solution you also need the Enterprise Log Manager and Event Receiver. Fortunately, all products can be packaged in a single appliance. And for those of you who may want to try the product before you buy it, a free trial is available.

6. IBM QRadar

IBM is without a doubt one of the best-known names in the IT industry. It is no surprise then that the company has managed to establish its SIEM solution, IBM QRadar as one of the best products on the market. The tool empowers security analysts to detect anomalies, uncover advanced threats and remove false positives in real-time.

IBM QRadar boasts a suite of log management, data collection, analytics, and intrusion detection features. Together, they help keep your network infrastructure up and running. There is also risk modelling analytics that can simulate potential attacks.

IBM QRadar Dashboard

Some of IBM QRadar’s key features include the ability to deploy the solution on-premises or in a cloud environment. It is a modular solution and one can quickly and inexpensively add more storage or processing power as their needs grow. The system uses intelligence expertise from IBM X-Force and integrates seamlessly with hundreds of IBM and non-IBM products.

IBM being IBM, though, you can expect to pay a premium price for its SIEM solution. But if you need one of the best SIEM tools on the market and a tool which is backed by a solid organization, IBM QRadar might very well be worth the investment.

Read 6 Best ITIL Security Management Tools in 2019 by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter

7 Best File Integrity Monitoring Software (2019 Review)

IT security is a hot topic. The news is bursting with stories of security breaches, data theft or ransomware. Some will argue that all of these are simply a sign of our times but it doesn’t change the fact that when you’re tasked with maintaining any kind of IT environment, protecting against such threats is an important part of the job. For that reason, File Integrity Monitoring (FIM) software has almost become an indispensable tool for any organization. Its primary purpose is to ensure that any unauthorized or unexpected file change is quickly identified. It can help improve overall data security, which is important for any company and shouldn’t be ignored.

Today, we’ll start off by having a brief look at File Integrity Monitoring. We’ll do our best to explain in simple terms what it is and how it works. We’ll also have a look at who should be using it. It will most likely not come as a big surprise to find out that anyone can benefit from it and we’ll see how and why. And once we’re all on the same page about File Integrity Monitoring, we’ll be ready to jump into the core of this post and briefly review some of the best tools the market has to offer.

What Is File Integrity Monitoring?

At its core, file integrity monitoring is a key element of an IT security management process. The main concept behind it is to ensure that any modification to a file system is accounted for and that any unexpected modification is quickly identified.

While some systems offer file integrity monitoring in real-time, it tends to have a higher impact on performance, For that reason, a snapshot-based system is often preferred. It works by taking a snapshot of a file system at regular intervals and comparing it to the previous one or to a previously established baseline. No matter how the detection functions (real-time or not), any detected change that suggests some sort of unauthorized access or malicious activity (such as a sudden change in file size or access by a specific user or group of users) and alert is raised and/or some form or remediation process is launched. It could range from popping an alert window to restoring the original file from a backup or blocking the access to the endangered file.

Who Is File Integrity Monitoring For?

The quick answer to this question is anyone. Really, any organization can benefit from using File Integrity Monitoring software. However, many will choose to use it because they are in a situation where it is mandated. For instance, File Integrity Monitoring software is either required or strongly indicated by certain regulatory frameworks such as PCI DSS, Sarbanes-Oxley, or HIPAA. Concretely, if you’re in the financial or health care sectors, or if you process payment cards, File Integrity Monitoring is more of a requirement than an option.

Likewise, although it might not be mandatory, any organization dealing with sensitive information should strongly consider File Integrity Monitoring software. Whether you are storing client data or trade secrets, there is an obvious advantage in using these types of tools. It could save you from all sorts of mishaps.

But File Integrity Monitoring is not only for large organizations. Although large enterprises and medium-sized businesses alike tend to be aware of the importance of File Integrity Monitoring software, small businesses should certainly consider it as well. This is particularly true when you take into account that there are File Integrity Monitoring tools that will fit every need and budget. In fact, several tools on our list are free and open-source.

The best File Integrity Monitoring Software

There are countless tools that offer File Integrity Monitoring functionality. Some of them are dedicated tools that basically do nothing else. Some, on the other hand, are broad IT security solution that integrates File Integrity Monitoring along with other security-related functionality. We’ve tried to incorporate both kinds of tools on our list. After all, File Integrity Monitoring is often part of an IT security management effort that does include other functions. Why not go for an integrated tool, then.

1. SolarWinds Security Event Manager (FREE TRIAL)

Many network and system administrators are familiar with SolarWinds. After all, the company has been making some of the best tools for about twenty years. Its flagship product, called the SolarWinds Network Performance Monitor is considered one of the best such tool on the market. And to make things even better, SolarWinds also publishes free tools that address some specific network administrations tasks.

While SolarWinds does not make a dedicated file integrity monitoring tool, its Security Information and Event Management (SIEM) tool, the SolarWinds Security Event Manager, includes a very good file integrity monitoring module. This product is definitely one of the best entry-level SIEM systems on the market. The tool has almost everything one would expect from a SIEM tool. This includes excellent log management and correlation features as well as an impressive reporting engine and, of course, file integrity monitoring.

SolarWinds Security Event Manager Screenshot

FREE TRIAL: SolarWinds Security Event Manager

Official Download Link:

When it comes to file integrity monitoring, the SolarWinds Security Event Manager can show which users are responsible for which file changes. It can also track additional user activities, letting you create various alerts and reports. The tool’s homepage sidebar can display how many change events have occurred under the Change Management header. Whenever something looks suspicious and you want to dig deeper, you have the option of filtering events by keyword.

The tool also boasts excellent event response features which leave nothing to be desired. For instance, the detailed real-time response system will actively react to every threat. And since it’s based on behaviour rather than signature, you’re protected against unknown or future threats and zero-day attacks.

In addition to an impressive feature set, the SolarWinds Security Event Manager’s dashboard is certainly worth discussing. With its simple design, you’ll have no trouble finding your way around the tool and quickly identifying anomalies. Starting at around $4 500, the tool is more than affordable. And if you want to try it and see how it works in your environment, a free fully functional 30-day trial version is available for download.

Official Download Link:


OSSEC, which stands for Open Source Security, one of the best known open-source host-based intrusion detection system. The product is owned by Trend Micro, one of the leading names in IT security and maker of one of the best virus protection suites. And if the product is on this list, rest assured that it also has a very decent file integrity monitoring functionality.

When installed on Linux or Mac OS operating systems, the software primarily focuses on log and configuration files. It creates checksums of important files and periodically validates them, alerting you whenever something odd happens. It will also monitor and alert on any abnormal attempt at getting root access. On Windows hosts, the system also keeps an eye for unauthorized registry modifications which could be a tell-tale sign of malicious activity.

OSSEC Dashboard Screenshot

When it comes to file integrity monitoring, OSSEC has a specific functionality called Syscheck. The tool runs every six hours by default and it checks for changes to the checksums of key files. The module is designed to reduce CPU usage, making it a potentially good option for organizations requiring a file integrity management solution with a small footprint.

By virtue of being a host-based intrusion detection system, OSSEC needs to be installed on each computer (or server) you want to protect. This is the main drawback of such systems. However, a centralized console is available which does consolidate information from each protected computer for easier management. That OSSEC console only runs on Linux or Mac OS operating systems. However, an agent is available to protect Windows hosts. Any detection will trigger an alert which will be displayed on the centralized console while notifications will also be sent by email.

3. Samhain File Integrity

Samhain is a free host intrusion detection system which provides file integrity checking and log file monitoring/analysis. In addition, the product also performs rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes. This tool has been designed to monitor multiple systems with various operating systems with centralized logging and maintenance. However, Samhain can also be used as a stand-alone application on a single computer. The tool can run on POSIX systems like Unix, Linux or Mac OS. It can also run on Windows under Cygwin although only the monitoring agent and not the server has been tested in that configuration.

Samhain IDS Screenshot

On Linux hosts, Samhain can leverage the inotify mechanism to monitor file system events. In real-time This lets you receive immediate notifications about changes, and eliminates the need for frequent file system scans which may cause a high I/O load. In addition, various checksums can be checked such as TIGER192, SHA-256, SHA-1 or MD5. File size, mode/permission, owner, group, timestamp (creation/modification/access), inode, number of hard links and linked path of symbolic links can also be checked. The tool can even check more “exotic” properties such as SELinux attributes, POSIX ACLs (on systems supporting them), Linux ext2 file attributes (as set by chattr such as the immutable flag), and the BSD file flags.

One of Samhain’s unique feature is its stealth mode which allows it to run without being detected by eventual attackers. Too often intruders kill detection processes they recognize, allowing them to go unnoticed. This tool uses steganography techniques to hide its processes from others. It also protects its central log files and configuration backups with a PGP key to prevent tampering. Overall, this is a very complete tool offering much more than just file integrity monitoring.

4. Tripwire File Integrity Manager

Next is a solution from Tripwire, a company that enjoys a solid reputation in IT security. And when it comes to file integrity monitoring, Tripwire File Integrity Manager (FIM) has a unique capability to reduce noise by providing multiple ways of weeding out low-risk changes from high-risk ones while assessing, prioritizing and reconciling detected changes. By automatically promoting numerous business-as-usual changes the tool reduces the noise so you have more time to investigate changes that may truly impact security and introduce risk. Tripwire FIM uses agents to continuously capture complete who, what, and when details in real-time. This helps ensure that you detect all change, capture details about each one, and use those details to determine the security risk or non-compliance.

Tripwire File Integrity Monitoring

Tripwire gives you the ability to integrate File Integrity Manager with many of your security controls: security configuration management (SCM), log management and SIEM tools. Tripwire FIM adds components that tag and manage the data from these controls more intuitively and in ways that better protect data. For example, the Event Integration Framework (EIF) adds valuable change data from File Integrity Manager to Tripwire Log Center or almost any other SIEM. With EIF and other foundational Tripwire security controls, you can easily and effectively manage the security of your IT infrastructure.

Tripwire File Integrity Manager uses automation to detect all changes and to remediate those that take a configuration out of policy. It can integrate with existing change ticketing systems like BMC Remedy, HP Service Center or Service Now, allowing for quick audit. This also ensures traceability. Furthermore, automated alerts trigger user-customized responses when one or more specific changes reach a severity threshold that one change alone wouldn’t cause. For instance, a minor content change accompanied by a permission change that was done outside of a planned change window.

5. AFICK (Another File Integrity Checker)

Next is an open-source tool from developer Eric Gerbier called AFICK (Another File Integrity Checker). Although the tool claims to offer similar functionality to Tripwire, it is a much cruder product, much in the line of traditional open-source software. The tool can monitor any changes in the files systems it watches. It supports multiple platforms such as Linux (SUSE, Redhat, Debian and more), Windows, HP Tru64 Unix, HP-UX, and AIX. The software is designed to be quick and portable and it can work any on any computer supporting Perl and its standard modules.

AFICK Webmin Home Page

As for the AFICK’s functionality, here’s an overview of its main features. The tool is easy to install and doesn’t require any compilation or the installation of many dependencies. It is also a fast tool, due in part to its small size. Despite its small size, it will display new, deleted, and modified files as well as any dangling links. It uses a simple text-based configuration file which supports exceptions and jokers and uses a syntax that is very similar to Tripwire’s or Aide’s. Both a Tk-based graphical user interface and a webmin-based web interface are available if you’d rather stay away from a command-line tool.

AFICK (Another File Integrity Checker) is entirely written in Perl for portability, and source access. And since it is open-source (released under GNU General Public License), you are free to add functionality to it as you see fit. The tool uses MD5 for its checksum needs as it is quick and it is built into all Perl distributions and instead of using a clear text database, dbm is used.

6. AIDE (Advanced Intrusion Detection Environment)

Despite a rather misleading name, AIDE (Advanced Intrusion Detection Environment) is actually a file and directory integrity checker. It works by creating a database from the regular expression rules that it finds from its configuration file. Once the database is initialized it uses it to verify the integrity of files. The tool uses several message digest algorithms which can be used to check the integrity of the files. Furthermore, all of the usual file attributes can be checked for inconsistencies. It can also read databases from older or newer versions.

Feature-wise, AIDE is rater complete. It supports multiple message digest algorithms such as md5, sha1, rmd160, tiger, crc32, sha256, sha512, and whirlpool. The tool can check several file attributes including File type, Permissions, Inode, Uid, Gid, Link name, Size, Block count, Number of links, Mtime, Ctime and Atime. It can also support Posix ACL, SELinux, XAttrs and Extended file system attributes. For the sake of simplicity, the tool uses plain text configuration files as well as a plain text database. One of its most interesting features is its support of powerful regular expression allowing you to selectively include or exclude files and directories to be monitored. This feature alone makes it a very versatile and flexible tool.

The product, which has been around since 1999 is still actively developed and the latest version (0.16.2) is only a few months old. It is available under the GNU general public license and it will run on most modern variants of Linux.

7. Qualys File Integrity Monitoring

Qualys File Integrity Monitoring from security giant Qualys is a “cloud solution for detecting and identifying critical changes, incidents, and risks resulting from normal and malicious events.” It comes with out-of-the-box profiles which are based on the industry’s best practices and on vendor-recommended guidelines for common compliance and audit requirements, including PCI DSS.

Qualys File Integrity Monitoring detects changes efficiently in real-time, using similar approaches used in anti-virus technologies. Change notifications can be created for entire directory structures or at the file level. The tool uses existing OS kernel signals to identify accessed files, instead of relying on compute-intensive approaches. The product can detect the creation or removal of files or directories, the renaming of files or directories, changes to file attributes, changes to file or directory security settings such as permissions, ownership, inheritance, and auditing or changes to file data stored on the disk.

Qualys File Integrity Monitoring

It is a multi-tiered product. The Qualys Cloud Agent continuously monitors the files and directories specified in your monitoring profile and it captures critical data to help identify what changed along with environment details such as which user and which process was involved in the change. It then sends the data to the Qualys Cloud Platform for analysis and reporting. One of the advantages of this approach is that it works the same whether the systems are on-premises, in the cloud, or remote.

File Integrity Monitoring can be easily activated on your existing Qualys Agents, and start monitoring for changes locally with minimal impact to the endpoint. The Qualys Cloud Platform allows you to easily scale to the largest environments. Performance impact on the monitored endpoints is minimized by efficiently monitoring for file changes locally and sending the data to the Qualys Cloud Platform where all the heavy work of analysis and correlation occur. As for the Qualys Cloud Agent, it is self-updating and self-healing, keeping itself up to date with no need to reboot.

Read 7 Best File Integrity Monitoring Software (2019 Review) by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter