
This is bugging me.

I consistently have a single device that fails to respond to an nmap scan when more than ~160 IP addresses are specified. I seem to get mixed results between 150-160 IP addresses, and with anything less it always responds.

The device is an HP Printer which should be no big deal.

The intent is a simple scan to just see what is alive on that segment. The script would be run on our various networks and from a server on that segment. We were using a combination of fping and arp and are now trying to replace that with nmap.

```
# ping -c1 10.10.0.155
PING 10.10.0.155 (10.10.0.155) 56(84) bytes of data.
64 bytes from 10.10.0.155: icmp_seq=1 ttl=60 time=6.75 ms

--- 10.10.0.155 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 6ms
rtt min/avg/max/mdev = 6.755/6.755/6.755/0.000 ms
```

Example of just scanning the device:

```
# nmap -R -sn -d 10.10.0.155

--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 1000
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating ARP Ping Scan at 15:35
Scanning 10.10.0.155 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x0050569A and arp[22:2] = 0x002B
Completed ARP Ping Scan at 15:35, 0.01s elapsed (1 total hosts)
Overall sending rates: 71.98 packets / s, 3023.32 bytes / s.
mass_rdns: Using DNS server 10.10.0.10
mass_rdns: Using DNS server 10.10.0.11
Initiating Parallel DNS resolution of 1 host. at 15:35
mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 15:35, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Nmap scan report for vd05.mydomain.com (10.10.0.155)
Host is up, received arp-response (0.0014s latency).
MAC Address: 00:10:83:56:E4:94 (Hewlett-packard Company)
Final times for host: srtt: 1391 rttvar: 5000  to: 100000
Read from /usr/share/nmap: nmap-mac-prefixes nmap-payloads.
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
```

Then running with a larger range I simply get a host down:

```
# nmap -R -sn -d 10.10.0.0/24
```

-or-

```
# nmap -R -sn -d 10.10.0.90-254

...
Nmap scan report for vd05.mydomain.com (10.10.0.155) [host down, received no-response]
...
```

Feel this might be more of a timeout issue but the nmap defaults look like they are more than adequate?

Any suggestions?

Scottz
  • Are you using a gigabit switch by any chance? ARP requests (like Nmap uses) are sent broadcast, and if the printer is only capable of 100Mbps, the switch could be dropping some traffic to that port. This is just a guess; does the problem go away if you add `--scan-delay 0.1s`? – bonsaiviking Apr 09 '15 at 21:44
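
An added example, not part of the original question or comment: a small parser for the `nmap -sn` report lines quoted above. It lists hosts that answered in one run but are down or absent in another, so a single-target scan can be compared with the range scan, or a range scan with and without `--scan-delay`. The function names and the sample output are constructed for illustration.

```python
import re

# Report line as printed in the question; the "[host down, ...]" suffix only
# appears when nmap runs with -v or -d.
REPORT = re.compile(
    r"^Nmap scan report for (?:\S+ \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))"
    r"(?P<down> \[host down(?:, received (?P<reason>[\w-]+))?\])?$"
)
UP = re.compile(r"^Host is up(?:, received (?P<reason>[\w-]+))?")

def parse_scan(text):
    """Return {ip: (state, reason)} from `nmap -sn` normal output."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT.match(line)
        if m:
            current = m.group("ip1") or m.group("ip2")
            if m.group("down"):
                hosts[current] = ("down", m.group("reason"))
                current = None
            continue
        m = UP.match(line)
        if m and current:
            hosts[current] = ("up", m.group("reason"))
            current = None
    return hosts

def lost_hosts(baseline, wide):
    """IPs that were up in `baseline` but are down or absent in `wide`."""
    return sorted(
        ip for ip, (state, _) in baseline.items()
        if state == "up" and wide.get(ip, ("absent", None))[0] != "up"
    )

# Constructed sample output, modelled on the lines quoted in the question.
SINGLE = """\
Nmap scan report for vd05.mydomain.com (10.10.0.155)
Host is up, received arp-response (0.0014s latency).
"""
RANGE = """\
Nmap scan report for 10.10.0.1
Host is up, received arp-response (0.0009s latency).
Nmap scan report for vd05.mydomain.com (10.10.0.155) [host down, received no-response]
"""

if __name__ == "__main__":
    print(lost_hosts(parse_scan(SINGLE), parse_scan(RANGE)))
```
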

0 Answers