
I'm trying to find live hosts on the network with nmap:

   nmap -sP 192.168.3.0/24

 Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-10 10:28 EEST
 Nmap scan report for km-localhost (192.168.3.1)
 Host is up.
 Nmap scan report for km-localhost (192.168.3.6)
 Host is up (0.00067s latency).
 MAC Address: 00:26:18:B8:4E:B8 (Asustek Computer)
 Nmap scan report for 192.168.3.7
 Host is up (0.00016s latency).
 MAC Address: 00:0E:2E:2B:E7:BD (Edimax Technology Co.)
 Nmap scan report for km-localhost (192.168.3.11)
 Host is up (-0.10s latency).
 MAC Address: 6C:F0:49:74:3A:A2 (Giga-byte Technology Co.)
 Nmap scan report for 192.168.3.15
 Host is up (0.00057s latency).
 MAC Address: 00:1F:C6:CF:76:48 (Asustek Computer)
 Nmap scan report for km-localhost (192.168.3.22)
 Host is up (0.0030s latency).
 MAC Address: 00:12:17:6B:0C:DF (Cisco-Linksys)
 Nmap scan report for 192.168.3.24
 Host is up (-0.10s latency).
 MAC Address: 00:02:B3:65:2D:1B (Intel)
 Nmap scan report for km-localhost (192.168.3.25)
 Host is up (0.00014s latency).
 MAC Address: 00:C0:26:A7:6B:0F (Lans Technology CO.)
 Nmap done: 256 IP addresses (8 hosts up) scanned in 4.08 seconds

So nmap discovers 8 hosts. Now the problem comes when I try to use an IP list instead of CIDR.

   nmap -sP 192.168.3.1 192.168.3.6 192.168.3.7 192.168.3.11 192.168.3.15 192.168.3.22 192.168.3.24 192.168.3.25

 Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-10 10:33 EEST
 Nmap scan report for km-localhost (192.168.3.1)
 Host is up.
 Nmap scan report for km-localhost (192.168.3.15)
 Host is up (-0.10s latency).
 MAC Address: 00:1F:C6:CF:76:48 (Asustek Computer)
 Nmap done: 8 IP addresses (2 hosts up) scanned in 0.24 seconds

Here I supply the list of IP addresses that are all alive, as you can see in the previous command, but only 2 hosts out of 8 show up as alive. Can anyone explain this behavior of nmap and maybe tell me the workaround?

I want to use nmap in the shell script to quickly determine alive hosts. Previously I used 'fping -a' command, but nmap seems to be better at discovering hosts behind the firewall, so I would like to switch to it without modifying my script too much. Any help will be appreciated.

Alec T

1 Answer


You may be running into some sort of rate limit that is dropping probes. Based on the latencies, I'd almost guess you are scanning a virtual network, and I have had problems in the past with Oracle VirtualBox not being able to keep up with high packet rates. Try slowing your scan down with the -T2 argument. The other thing I'd suggest, if you're not already doing so, is to run your scan as root (assuming you are scanning from Linux). Many useful probes (ICMP ping, half-open SYN, and unsolicited ACK for host discovery) cannot be sent if you are not privileged.

As a postscript, I'll add that you should always use the latest version of Nmap whenever possible. Version 5.51 is the latest stable version, and can be downloaded here.

bonsaiviking
  • Though I've noticed that scan time has dramatically increased. After your explanation and reading the man page I understand why. Do you know if there is a workaround for that? (FYI I run nmap from a FreeBSD server as root) – Alec T Apr 10 '12 at 12:38
  • `-T2` covers a lot of settings. You could instead play with `--max-rate`, adjusting it until you get reliable results. Start at `--max-rate 2.5` (the setting for `-T2`) and increase it until you get the result you want. – bonsaiviking Apr 10 '12 at 14:26
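The asker wants an `fping -a` style list of live hosts from a script, and the answer's advice is to run as root and throttle the probe rate with `--max-rate` until the results stop fluctuating. The script below is an added example written for this page; it is not code from the question, the answer, or the Nmap project. It reads Nmap's grepable output (`-oG -`), which is far easier for a script to consume than the human-readable report shown above, and includes a helper that runs the same target list at several rates so the point where hosts stop going missing is visible. The function names, the `RATE` variable and the sample output are my own; the script assumes `nmap` is on `PATH` and, for the ARP and ICMP probes, that it runs as root.

```shell
#!/bin/sh
# Added example: a small "fping -a" replacement built on nmap host discovery.
# Not part of the original question or answer. Assumes nmap is installed and
# the script runs as root so ARP/ICMP probes are available.

# alive_from_grepable: read nmap -oG output on stdin and print one IP per
# line for every host nmap marks "Status: Up". Grepable lines look like
#   Host: 192.168.3.6 (km-localhost)   Status: Up
# so the IP is always the second whitespace-separated field.
alive_from_grepable() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# discover_hosts RATE TARGET...: host discovery only (-sP as in the question;
# newer Nmap releases call the same mode -sn) against the given targets,
# capped at RATE packets per second, printing alive IPs like "fping -a".
discover_hosts() {
    rate="$1"; shift
    nmap -sP --max-rate "$rate" -oG - "$@" | alive_from_grepable
}

# compare_rates "RATE1 RATE2 ..." TARGET...: the tuning loop from the comment
# above made concrete. Prints "<rate> <alive count>" per rate; once the count
# stops dropping as the rate rises, the lower rate is the one to keep.
compare_rates() {
    rates="$1"; shift
    for r in $rates; do
        n=$(discover_hosts "$r" "$@" | wc -l | tr -d ' ')
        printf '%s %s\n' "$r" "$n"
    done
}

# Constructed sample of grepable output (hypothetical, modelled on the subnet
# in the question) so the parser can be exercised without a live scan.
SAMPLE_GREPABLE='# Nmap 5.21 scan initiated as: nmap -sP -oG - 192.168.3.0/24
Host: 192.168.3.1 (km-localhost)	Status: Up
Host: 192.168.3.6 (km-localhost)	Status: Up
Host: 192.168.3.7 ()	Status: Up
Host: 192.168.3.9 ()	Status: Down
Host: 192.168.3.15 ()	Status: Up
# Nmap done -- 256 IP addresses (4 hosts up) scanned in 4.08 seconds'

# count_alive_sample: number of "Up" hosts the parser finds in the sample.
count_alive_sample() {
    printf '%s\n' "$SAMPLE_GREPABLE" | alive_from_grepable | wc -l | tr -d ' '
}

# first_alive_sample: first alive IP in the sample, in nmap's output order.
first_alive_sample() {
    printf '%s\n' "$SAMPLE_GREPABLE" | alive_from_grepable | head -n 1
}

# Usage:  RATE=2.5 ./alive.sh --run 192.168.3.1 192.168.3.6 ...
#         ./alive.sh --tune "2.5 5 10 20" 192.168.3.0/24
case "${1:-}" in
    --run)  shift; discover_hosts "${RATE:-2.5}" "$@" ;;
    --tune) shift; rates="$1"; shift; compare_rates "$rates" "$@" ;;
esac
```

`--max-rate` accepts fractional values, so `2.5` (the `-T2` figure quoted in the comment) is a valid starting point; `--tune` then shows at which rate the alive count for the same target list matches the CIDR sweep, which is the reliability check the comment describes.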