Active scanning for system inventory information and vulnerability data is a powerful tool that can return great benefits. It can also bring great headaches, however: it can have a high political cost and far-reaching effects on system uptime and reliability. If not done carefully, it can be an ineffective, inefficient way to gather information.
Passive scanning, by its nature, is politically less sensitive and technically a dramatically lighter touch on the network. It provides accurate, up-to-date information as soon as a system appears and starts "talking."
Just by watching a network's traffic flow, passive scanners can deduce a large amount of information about the communicating systems. You can determine the type of cheese by tasting it (an "active" scan), but you can also use passive techniques, such as reading the label or catching the aroma as it passes by.
Because passive scanners are limited to looking at existing traffic, they suffer in terms of overall completeness and accuracy. For example, a passive scanner can't detect an application that no one ever uses, and it can be fooled easily by a system intentionally spewing out misinformation and disinformation.
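The deduction and its limits, as an added example that is not part of the original article: a small passive inventory in Python built only from observed traffic records. The record layout, the addresses, the banners and the TTL-to-OS mapping are constructed assumptions for illustration.

```python
# Added example: passive inventory built only from observed traffic.
# All records below are constructed sample data, not a real capture.
from collections import defaultdict

# (src_ip, src_port, dst_ip, dst_port, tcp_flags, ttl, payload)
OBSERVED = [
    ("10.0.0.5", 51000, "10.0.0.20", 22, "S", 128, b""),
    ("10.0.0.20", 22, "10.0.0.5", 51000, "SA", 64, b""),
    ("10.0.0.20", 22, "10.0.0.5", 51000, "PA", 64, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.5", 51001, "10.0.0.30", 80, "S", 128, b""),
    ("10.0.0.30", 80, "10.0.0.5", 51001, "SA", 64, b""),
    ("10.0.0.30", 80, "10.0.0.5", 51001, "PA", 64,
     b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n\r\n"),
]

def guess_os(ttl):
    """Round the observed TTL up to a common initial TTL (heuristic only)."""
    for initial, family in ((64, "Unix-like"), (128, "Windows"), (255, "network device")):
        if ttl <= initial:
            return family
    return "unknown"

def build_inventory(records):
    hosts = defaultdict(lambda: {"os_guess": None, "services": {}})
    for src, sport, dst, dport, flags, ttl, payload in records:
        host = hosts[src]
        host["os_guess"] = guess_os(ttl)
        if flags == "SA":  # SYN-ACK: src accepts connections on sport
            host["services"].setdefault(sport, None)
        elif sport in host["services"] and payload:
            if payload.startswith(b"SSH-"):
                banner = payload.split(b"\r\n")[0]
            else:
                hdrs = [ln for ln in payload.split(b"\r\n") if ln.lower().startswith(b"server:")]
                banner = hdrs[0].split(b":", 1)[1].strip() if hdrs else None
            if banner:
                host["services"][sport] = banner.decode("ascii", "replace")
    return dict(hosts)

def conflicts(inventory):
    """Flag hosts whose self-reported banner disagrees with the TTL-based guess."""
    return [ip for ip, h in inventory.items()
            if h["os_guess"] == "Unix-like"
            and any(b and "Microsoft" in b for b in h["services"].values())]
```

A service that never shows up in the traffic (for instance a database listening on 10.0.0.20 that no one connects to) is absent from the result, and the banner/TTL disagreement on 10.0.0.30 is a cue to verify with another source, since banners are self-reported.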