Script broadcast-listener

Script types: prerule
Categories: broadcast, safe

Script Summary

Sniffs the network for incoming broadcast communication and attempts to decode the received packets. It supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and a few more. See packetdecoders.lua for more information.

The script attempts to sniff all ethernet based interfaces with an IPv4 address unless a specific interface was given using the -e argument to Nmap.

Script Arguments


specifies the amount of seconds to sniff the network interface. (default 30s)

The script attempts to discover all available ipv4 network interfaces, unless the Nmap -e argument has been supplied, and then starts sniffing packets on all of the discovered interfaces. It sets a BPF filter to exclude all packets that have the interface address as source or destination in order to capture broadcast traffic.

Incoming packets can either be either layer 3 (usually UDP) or layer 2. Depending on the layer the packet is matched against a packet decoder loaded from the external nselib/data/packetdecoder.lua file. A more detailed description on how the decoders work can be found in that file. In short, there are two different types of decoders: udp and ether. The udp decoders get triggered by the destination port number, while the ether decoders are triggered by a pattern match. The port or pattern is used as an index in a table containing functions to process packets and fetch the decoded results.

Example Usage

nmap --script broadcast-listener
nmap --script broadcast-listener -e eth0

Script Output

| broadcast-listener:
|   udp
|       Netbios
|         ip           query
| \x01\x02__MSBROWSE__\x02\x01
|       DHCP
|         srv ip       cli ip       mask             gw           dns
|       DropBox
|         displayname  ip            port   version  host_int  namespaces
|         39000860 17500  1.8      39000860  28814673, 29981099
|       HSRP
|         ip             version  op     state   prio  group  secret  virtual ip
|  0        Hello  Active  110   1      cisco
|   ether
|       CDP
|         ip  id      platform       version
|         ?   Router  cisco 7206VXR  12.3(23)
|       ARP Request
|         sender ip     sender mac         target ip
| 00:04:30:26:DA:C8
|_   90:24:1D:C8:B9:AE



  • Patrik Karlsson

License: Same as Nmap--See