Man Linux: Main Page and Category List


       ass - autonomous system scanner


       ass  [-v[v[v]]]   -i  <interface>  [-p]  [-c]  [-A]  [-M] [-P IER12] -a
       <autonomous system start> -b  <autonomous  system  stop>  [-S  <spoofed
       source IP>] [-D <destination ip>] [-T <packets per delay>]


       This  manual  page documents briefly the ass command.  This manual page
       was written for the Debian distribution because  the  original  program
       does not have a manual page.

       ASS,  the  autonomous system scanner, is designed to find the AS of the
       router.  It supports the following protocols: IRDP, IGRP, EIGRP, RIPv1,
       RIPv2, CDP, HSRP and OSPF.

       In  passive  mode  (./ass -i eth0), it just listens to routing protocol
       packets (like broadcast and multicast hellos).

       In active mode (./ass -i eth0 -A), it  tries  to  discover  routers  by
       asking  for  information.  This  is done to the appropriate address for
       each protocol (either broadcast or multicast addresses). If you specify
       a destination address, this will be used but may be not as effective as
       the defaults.

       EIGRP scanning is done differently: While  scanning,  ASS  listens  for
       HELLO  packets  and  then  scans  the  AS  directly  on  the router who
       advertised himself. You can force EIGRP scanning into the same  AS-Scan
       behavior  as  IGRP  uses  by  giving  a  destination  or into multicast
       scanning by the option -M.

       For Active mode, you can select the protocols you want to scan for.  If
       you  don’t  select them, all are scanned. You select protcols by giving
       the option -P and any combination of the following chars: IER12, where:

       I = IGRP

       E = EIGRP

       R = IRDP

       1 = RIPv1

       2 = RIPv2

       ASS output might look a little strange, but has it’s meanings:

       Routers  are  identified by the sender’s IP address of the packet. This
       may lead to several routers showing up as more then one since they used
       different sender interfaces. In the brackets, the protocols this router
       runs are shown.

       Routing protocols are shown as one or more indented lines. First, there
       is  the  routing protocol name (like EIGRP), followed by the autonomous
       system number in brackets. Aligned to the right is the  target  network
       if applicable.

       IGRP  routing  info  shows  the  target  network  and  in  brackets the
       following  values:  Delay,  Bandwidth,  MTU,  Reliability,   Load   and

       The  IRDP  info  is limmited to the announced gateway (router) and it’s

       RIPv1 info just gives you the classified target network (remember RIPv1
       network boundaries) and it’s metric

       RIPv2  info  contains  after  the  target  network the following infos:
       Netmask, next hop, arbitary tag, and the metric. An additional line may
       appear  on  the  routers  section  that gives you the authentication if
       enabled in the protocol. For text auth, the password is there.

       The basic EIGRP just gives you the autonomous system  number,  the  IOS
       and EIGRP version as found in the HELLO packet

       The  EIGRP  routes  section  depends  on the type of route. All of them
       include the fields destination network, destination  mask  and  in  the
       last   line  (in  brackets)  the  values  for  Delay,  Bandwidth,  MTU,
       Reliability, Load  and  Hopcount.  External  routes  also  include  the
       originating  router,  the  originating  autonomous system, the external
       metric and the source of this route.

       HSRP info is not routing, therefore the third field is the  virtual  IP
       address  of  the standby group, followed by the state, the auth string,
       Hello, Hold and priority values.

       OSPF info includes the destination network as well as the  Area  in  IP
       format,  the  authentication used (and, if applicable the auth string),
       netmask, designated and backup router and the values for Dead, Priority
       and Hello.


       A summary of options is included below.

       -h     Show summary of options.

       -i <interface>

       -v     verbose mode

       -A     Active mode scanning

       -P <protocols>
              Select protocols to scan

       -M     EIGRP systems are scanned using the multicast address and not by
              HELLO enumeration and direct query

       -a <autonomous system>
              autonomous system to start from

       -b <autonomous system>
              autonomous system to stop with

       -S <spoofed source IP>
              maybe you need this

       -D <destination IP>
              If you don’t specify this, the appropriate address per  protocol
              is used

       -p     don’t run in promiscuous mode (bad idea)

       -c     terminate  after  scanning. This is not recommened since answers
              may arrive later and you could see some  traffic  that  did  not
              show up during your scans

       -T <packets per delay>
              how  many  packets  should we wait some miliseconds (-T 1 is the
              slowest scan -T 100 begins to become unreliable)


       This manual page was written by Vince Mulhollon  <>,  for
       the Debian GNU/Linux system (but may be used by others).

                               December 16, 2002