Here are some guidelines you can use when scanning networks:

  • Use OSINT or other starting knowledge of the target network to determine the base address of your scan.
  • Determine the level of detail you want to discover (IP addresses, ports, services, versions, host names, operating systems, device status, etc.) and select a tool capable of delivering that information.
  • Start with a discovery scan that uses multiple techniques (not just ICMP ECHO REQUEST).
  • Manually add known networks or use a shorter subnet mask to include multiple subnets in a single scan.
  • Set a scan speed that balances performance with stability.
  • Use slower scan speeds to be "polite" and not create too much "noise" on the network.
  • Use the slowest scan speeds to evade detection by an IDS.
  • Add or include a port scan to identify listening ports on discovered hosts.
  • If desired, use tools that can interrogate ports, grab banners, and use specially crafted packets to identify operating system and service versions.
  • If desired, use tools that can interrogate device ARP caches, router route tables, switch MAC tables, and other sources for additional network information.
  • If desired, use WMI and/or SNMP to interrogate devices for service- or component-specific information.
  • If a standardized diagram is desired, export the scan output and import it into a professional drawing application such as Microsoft Visio.
  • Use Google to quickly find examples and tool guidance; recognize that some online guidance will be outdated.
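The scan speed and "noise" points above have a direct counterpart on the defending side: a port scan shows up in firewall or flow logs as one source touching many distinct destination ports, and the scan speed decides which time window will reveal it. The following is an added example (not part of the original guidelines, and not tied to any particular product) of a small detector run over a constructed log. The log format (timestamp, source, destination, port, action), the host addresses, and the window and threshold values are all assumptions chosen for the illustration.

```python
"""Port-scan detection over firewall/flow log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one constructed log line: '<iso-timestamp> <src> <dst> <port> <action>'."""
    ts, src, dst, port, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "port": int(port),
        "action": action,
    }


def build_sample_log():
    """Constructed sample log with three sources (addresses are hypothetical):
    - 10.0.0.5: fast scanner, 15 distinct ports within 15 seconds
    - 10.0.0.9: slow scanner, 30 distinct ports, one every five minutes
    - 10.0.0.7: benign client, repeated connections to the same 3 ports
    """
    base = datetime(2024, 1, 15, 10, 0, 0)
    lines = []
    for i in range(15):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 10.0.1.20 {20 + i} DENY")
    for i in range(30):
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 10.0.1.20 {1000 + i} DENY")
    for i in range(20):
        ts = (base + timedelta(minutes=3 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 10.0.1.20 {[80, 443, 22][i % 3]} ALLOW")
    # The timestamp is the first field and has a fixed width, so string sort == time sort.
    lines.sort()
    return lines


def detect_scanners(lines, window, threshold):
    """Return {src: count} for every source that contacted at least `threshold`
    distinct (dst, port) targets inside some sliding window of length `window`.
    The count reported is the largest number of distinct targets seen in any window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        events[rec["src"]].append((rec["ts"], (rec["dst"], rec["port"])))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        best, left = 0, 0
        for right in range(len(evs)):
            # Slide the left edge forward until the window fits.
            while evs[right][0] - evs[left][0] > window:
                left += 1
            distinct = len({target for _, target in evs[left:right + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[src] = best
    return alerts


# Two hypothetical detector profiles: a short window for fast scans and a
# long window with a higher threshold that still catches a slow, "polite" scan.
FAST_PROFILE = (timedelta(seconds=60), 10)
SLOW_PROFILE = (timedelta(hours=3), 20)


def run_both_profiles(lines):
    """Apply both profiles and return (fast_alerts, slow_alerts)."""
    return (detect_scanners(lines, *FAST_PROFILE),
            detect_scanners(lines, *SLOW_PROFILE))


if __name__ == "__main__":
    fast, slow = run_both_profiles(build_sample_log())
    print("fast-window alerts:", fast)   # expected {'10.0.0.5': 15}
    print("long-window alerts:", slow)   # expected {'10.0.0.9': 30}
```

The fast profile flags only the burst scanner; the slow scanner touches one new port every five minutes and never exceeds a handful of targets in any 60-second window. The long profile catches it because distinct targets keep accumulating over hours, while the benign client tops out at three targets regardless of window. Running both profiles side by side is the usual way to cover both ends of the scan-speed spectrum without drowning in alerts from ordinary clients.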