Nmap Development mailing list archives

Network mapping via UDP to broadcast address


From: "Ronald F. Guilmette" <rfg () monkeys com>
Date: Mon, 25 Mar 2002 16:21:45 -0800



Please excuse me if my ignorance is showing, or if this is
a newbie FAQ, but I'd like to know if it's possible to obtain
a map of what's on a particular network by sending UDP packets
to broadcast addresses and then just waiting and seeing who/what
answers.

Is this feasible?  If so, how exactly would it be done?

What I mean to say is, what would you set the destination port
in the initial outgoing packet to?  Would 255.255.255.255 work,
or would that be likely to cause an imponderable deluge of
responses to come back?

Also, what sorts of services would be reasonable ones to expect
there to be UDP responders on, and what sorts of packets should
be sent, exactly, to get those to respond?

I gather that SNMP is a candidate, and maybe also NetBIOS.  Any
others?  What sorts of packets would one send in each of these
cases in order to get a maximal number of responses from active
machines on the target network?
