Provided by: irpas_0.10-6_amd64 bug


       ass - autonomous system scanner


       ass [-v[v[v]]]  -i <interface> [-p] [-c] [-A] [-M] [-P IER12] -a <autonomous system start>
       -b <autonomous system stop> [-S <spoofed source IP>] [-D <destination  ip>]  [-T  <packets
       per delay>]


       This  manual page documents briefly the ass command.  This manual page was written for the
       Debian distribution because the original program does not have a manual page.

       ASS, the autonomous system scanner, is designed to find the AS of the router.  It supports
       the following protocols: IRDP, IGRP, EIGRP, RIPv1, RIPv2, CDP, HSRP and OSPF.

       In  passive  mode  (./ass  -i  eth0),  it  just  listens to routing protocol packets (like
       broadcast and multicast hellos).

       In active mode (./ass -i eth0 -A), it tries to discover routers by asking for information.
       This  is  done to the appropriate address for each protocol (either broadcast or multicast
       addresses). If you specify a destination address, this will be used  but  may  be  not  as
       effective as the defaults.

       EIGRP scanning is done differently: While scanning, ASS listens for HELLO packets and then
       scans the AS directly on the router who advertised himself. You can force  EIGRP  scanning
       into  the  same  AS-Scan  behavior  as IGRP uses by giving a destination or into multicast
       scanning by the option -M.

       For Active mode, you can select the protocols you want to scan for. If  you  don't  select
       them,  all are scanned. You select protcols by giving the option -P and any combination of
       the following chars: IER12, where:

       I = IGRP

       E = EIGRP

       R = IRDP

       1 = RIPv1

       2 = RIPv2

       ASS output might look a little strange, but has it's meanings:

       Routers are identified by the sender's IP address of the packet. This may lead to  several
       routers  showing  up  as more then one since they used different sender interfaces. In the
       brackets, the protocols this router runs are shown.

       Routing protocols are shown as one or more indented lines. First,  there  is  the  routing
       protocol  name (like EIGRP), followed by the autonomous system number in brackets. Aligned
       to the right is the target network if applicable.

       IGRP routing info shows the target network and in brackets the  following  values:  Delay,
       Bandwidth, MTU, Reliability, Load and Hopcount.

       The IRDP info is limmited to the announced gateway (router) and it's preference

       RIPv1  info  just  gives  you  the  classified  target  network  (remember  RIPv1  network
       boundaries) and it's metric

       RIPv2 info contains after the target network  the  following  infos:  Netmask,  next  hop,
       arbitrary  tag,  and the metric. An additional line may appear on the routers section that
       gives you the authentication if enabled in the protocol. For text auth,  the  password  is

       The  basic EIGRP just gives you the autonomous system number, the IOS and EIGRP version as
       found in the HELLO packet

       The EIGRP routes section depends on the type of route. All  of  them  include  the  fields
       destination  network,  destination  mask and in the last line (in brackets) the values for
       Delay, Bandwidth, MTU, Reliability, Load and Hopcount. External routes  also  include  the
       originating  router, the originating autonomous system, the external metric and the source
       of this route.

       HSRP info is not routing, therefore the third field is  the  virtual  IP  address  of  the
       standby group, followed by the state, the auth string, Hello, Hold and priority values.

       OSPF  info  includes  the  destination  network  as  well  as  the  Area in IP format, the
       authentication used (and, if applicable the auth string), netmask, designated  and  backup
       router and the values for Dead, Priority and Hello.


       A summary of options is included below.

       -h     Show summary of options.

       -i <interface>

       -v     verbose mode

       -A     Active mode scanning

       -P <protocols>
              Select protocols to scan

       -M     EIGRP  systems are scanned using the multicast address and not by HELLO enumeration
              and direct query

       -a <autonomous system>
              autonomous system to start from

       -b <autonomous system>
              autonomous system to stop with

       -S <spoofed source IP>
              maybe you need this

       -D <destination IP>
              If you don't specify this, the appropriate address per protocol is used

       -p     don't run in promiscuous mode (bad idea)

       -c     terminate after scanning. This is not recommened since answers may arrive later and
              you could see some traffic that did not show up during your scans

       -T <packets per delay>
              how  many packets should we wait some milliseconds (-T 1 is the slowest scan -T 100
              begins to become unreliable)


       This manual page was written by Vince Mulhollon <>, for the Debian GNU/Linux
       system (but may be used by others).

                                        December 16, 2002                                  ASS(1)