Finding live hosts with nmap

nmapping

I'm trying to find live hosts on the network with nmap:

   nmap -sP 192.168.3.0/24

 Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-10 10:28 EEST
 Nmap scan report for km-localhost (192.168.3.1)
 Host is up.
 Nmap scan report for km-localhost (192.168.3.6)
 Host is up (0.00067s latency).
 MAC Address: 00:26:18:B8:4E:B8 (Asustek Computer)
 Nmap scan report for 192.168.3.7
 Host is up (0.00016s latency).
 MAC Address: 00:0E:2E:2B:E7:BD (Edimax Technology Co.)
 Nmap scan report for km-localhost (192.168.3.11)
 Host is up (-0.10s latency).
 MAC Address: 6C:F0:49:74:3A:A2 (Giga-byte Technology Co.)
 Nmap scan report for 192.168.3.15
 Host is up (0.00057s latency).
 MAC Address: 00:1F:C6:CF:76:48 (Asustek Computer)
 Nmap scan report for km-localhost (192.168.3.22)
 Host is up (0.0030s latency).
 MAC Address: 00:12:17:6B:0C:DF (Cisco-Linksys)
 Nmap scan report for 192.168.3.24
 Host is up (-0.10s latency).
 MAC Address: 00:02:B3:65:2D:1B (Intel)
 Nmap scan report for km-localhost (192.168.3.25)
 Host is up (0.00014s latency).
 MAC Address: 00:C0:26:A7:6B:0F (Lans Technology CO.)
 Nmap done: 256 IP addresses (8 hosts up) scanned in 4.08 seconds

So nmap discovers 8 hosts.
Now the problem comes when I'm trying to use IP list instead of cidr.

 nmap -sP 192.168.3.1 192.168.3.6 192.168.3.7 192.168.3.11 192.168.3.15 192.168.3.22 192.168.3.24 192.168.3.25

 Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-10 10:33 EEST
 Nmap scan report for km-localhost (192.168.3.1)
 Host is up.
 Nmap scan report for km-localhost (192.168.3.15)
 Host is up (-0.10s latency).
 MAC Address: 00:1F:C6:CF:76:48 (Asustek Computer)
 Nmap done: 8 IP addresses (2 hosts up) scanned in 0.24 seconds

Here I supply the list of IP addresses that are all alive, as you can see in the previous command, but only 2 hosts out of 8 show up as alive.
Can anyone explain this behavior of nmap and maybe tell me the workaround?

I want to use nmap in a shell script to quickly determine alive hosts. Previously I used the 'fping -a' command, but nmap seems to be better at discovering hosts behind the firewall, so I would like to switch to it without modifying my script too much.
Any help will be appreciated.

Best Answer

You may be running into some sort of rate limit that is dropping probes. Based on the latencies, I'd almost guess you are scanning a virtual network, and I have had problems in the past with Oracle VirtualBox not being able to keep up with high packet rates. Try slowing your scan down with the -T2 argument. The other thing I'd suggest, if you're not already doing so, is to run your scan as root (assuming you are scanning from Linux). Many useful probes (ICMP ping, half-open SYN, and unsolicited ACK for host discovery) cannot be sent if you are not privileged.

As a postscript, I'll add that you should always use the latest version of Nmap whenever possible. Version 5.51 is the latest stable version, and can be downloaded here.
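The following is an added example, not code from the question, the answer, or the Nmap project: a small POSIX shell wrapper that does what the asker wanted, an `fping -a` style "print the live hosts" helper built on nmap's ping scan. It applies the answer's advice (slow the probe rate with -T2, run as root) and parses nmap's grepable output (-oG) rather than the human-readable report, so the script is not sensitive to hostname or MAC-address lines. Assumptions not in the original: nmap is on PATH and recent enough to accept `-sn` (the later name for the `-sP` ping scan; on the 5.21 build shown in the question, substitute `-sP`), and the caller is root so ARP/ICMP/SYN probes can be sent. The sample grepable output embedded below is constructed for the demo, not captured from a real scan.

```shell
#!/bin/sh
# Added example: fping -a style live-host listing on top of nmap.
# Not part of the original post. Assumes nmap on PATH (>= 5.30 for -sn;
# use -sP on older builds) and root privileges for raw-socket probes.

# Run a ping scan and emit grepable output on stdout.
#   -sn  host discovery only (no port scan)
#   -n   no reverse DNS, so hostnames never clutter the output
#   -T2  polite timing, per the answer's suggestion for rate-limited/virtual networks
#   -oG - grepable output to stdout, one "Host:" line per address
# "$@" may be CIDR ranges, individual IPs, or "-iL file" for a list file.
nmap_discover() {
    nmap -sn -n -T2 -oG - "$@"
}

# Read grepable output on stdin and print one IP per line for hosts nmap
# reported as Up. Comment lines start with '#' and are skipped because
# their first field is not "Host:".
live_hosts_from_grepable() {
    awk '$1 == "Host:" && $0 ~ /Status: Up/ { print $2 }'
}

# Drop-in replacement for "fping -a": print live hosts for the given targets.
alive() {
    nmap_discover "$@" | live_hosts_from_grepable
}

# Constructed sample of -oG output (not from a real scan), using addresses
# from the question plus one Down line so the filter is exercised.
SAMPLE_GREPABLE='# Nmap 5.51 scan initiated ... as: nmap -sn -n -T2 -oG - 192.168.3.0/24
Host: 192.168.3.1 ()	Status: Up
Host: 192.168.3.6 ()	Status: Up
Host: 192.168.3.7 ()	Status: Up
Host: 192.168.3.9 ()	Status: Down
Host: 192.168.3.15 ()	Status: Up
# Nmap done at ... -- 256 IP addresses (4 hosts up) scanned in 4.08 seconds'

# Offline demo of the parser:  ./alive.sh --demo
# Real use, as root:           ./alive.sh 192.168.3.0/24
#                              ./alive.sh 192.168.3.1 192.168.3.6 192.168.3.7
if [ "$1" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_GREPABLE" | live_hosts_from_grepable
elif [ $# -gt 0 ]; then
    alive "$@"
fi
```

Passing the same IP list the question used as positional arguments (or via `-iL`) works unchanged with this wrapper; if hosts still go missing when the list form is used, lower the rate further (`-T1`) or compare a run as root with a run as an unprivileged user, since the unprivileged fallback is a TCP connect to ports 80 and 443 rather than the ARP/ICMP/SYN probes the answer mentions.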