Network mapping is the process of discovering devices on a network in an effort to visualize the network and create a logical topology map. It uses active probing to gather information such as MAC and IP addresses, ports and services, operating systems, device types, virtual machines, host names, and even protocols running on the network. Mapping identifies subnets and how devices are interconnected. Scanning with a tool such as Nmap is the first and most basic step to creating a network map. Other methods include interrogating ARP caches, routing and MAC tables, and Cisco Discovery Protocol (CDP) neighbor tables. Many mapping tools have additional functionality. They use Windows Management Instrumentation (WMI) or SNMP to enumerate information from hosts, including hardware and service status, interface statistics, installed applications, patch levels, user names and groups, and critical events.
Having a topology map of the network is valuable to the pen tester because it informs your choice of tools and strategies. For example, you cannot conduct an ARP scan or spoof MAC addresses on a remote network without direct access to that network. You may have to make routing choices based on link speed and protocols used on the various segments. If you are firewalking or crafting packets that manipulate the IP packet Time-to-Live (TTL), you would want to change that value to reflect the anticipated number of hops (routers) between you and the target.
Most network mappers only scan the immediate subnet by default. You may have to manually add additional subnets. Many tools allow you to specify a "seed device" such as a router or multilayer switch which can provide knowledge of the various subnets. You typically have to provide a user name and password for the scanner to log into the device to make such queries.
There are many free and commercial network mapping tools. Most of the paid versions provide free trials. Some mappers interface with drawing applications such as Microsoft Visio to create professional-looking diagrams. Popular network mappers include SolarWinds, Intermapper, WhatsUp Gold, PRTG, Spiceworks, and Nmap.