This is the simplest way of performing host discovery with nmap.
nmap -sP 192.168.2.1/24
Why does it not work all the time ?
When this command runs nmap tries to ping the given IP address range to check if the hosts are alive. If ping fails it tries to send syn packets to port 80 (SYN scan). This is not hundred percent reliable because modern host based firewalls block ping and port 80. Windows firewall blocks ping by default. The hosts you have on the network are blocking ping and the port 80 is not accepting connections. Hence nmap assumes that the host is not up.
So is there a workaround to this problem?
Yes. One of the options that you have is using the -P0 flag which skips the host discovery process and tries to perform a port scan on all the IP addresses (In this case even vacant IP addresses will be scanned). Obviously this will take a large amount of time to complete the scan even if you are in a small (20-50 hosts) network. but it will give you the results.
The better option would be to specify custom ports for scanning. Nmap allows you to probe specific ports with SYN/UDP packets. It is generally recommended to probe commonly used ports e.g. TCP-22 (ssh) or TCP-3389 (windows remote desktop) or UDP-161 (SNMP).
sudo nmap -sP -PS22,3389 192.168.2.1/24 #custom TCP SYN scan sudo nmap -sP -PU161 192.168.2.1/24 #custom UDP scan
N.B. even after specifying custom ports for scanning you may not get an active host. A lot depends on how the host is configured and which services it is using. So you just have keep probing with different combinations.Remember, do not performs scans on a network without proper authorization.
update: When scanning a network you can never be sure that a particular command will give you all the desired results. The approach should be to start with basic ping sweep and if it doesn’t work try guessing the applications that may be running on the hosts and probe the corresponding ports. The idea of using Wireshark is also interesting. You may want to try sending ACK packets.
nmap -sP -PA21,22,25,3389 192.168.2.1/24 #21 is used by ftp
update two: The flags -sP and -P0 are now known as -sn and -Pn respectively. However the older flags are still found to be working in the newer versions.
The easiest way to check this is to verify the ARP-tables after doing the ping sweep using nmap:
arp -a -n
This lists all hosts which responded to an ARP query, even the ones which filter ICMP.
Wireshark is cool too.
You might want to check out Wireshark. It logs all of the traffic on the local network. It will tell you which nodes are broadcasting. You can also see what is being transmitted. It’s available in the Ubuntu Software Center.
Additionally here’s a link about installing Wireshark on Ubuntu via command line.
In regard to the traffic that shows in your DHCP routing tables remember that a lot of Virtual Machines will show up as separate machines in the list. Anything that’s connected to your network usually within the default 24 hour lease time (for most WiFi Routers) will still show in the list. You might want to check for the duration of the leases in the router. It might tell you if someone’s on your network overnight. On some devices that have dual NICs or a NIC and a Wireless Card they’ll show up twice if both interfaces are enabled.
Other things that a lot of people forget about being on the network:
- Managed Switches
- Some printers
- Server remote management cards
- Cell Phones
- Tivo and other DVRs
- Apple TVs
- Some Televisions
- DVD players
- Network A/V Receivers
- Playstations, XBox, Etc.
- Portable Gaming devices
- Ipads and other tablets
- Ipods and music players
- IP Phones like Magic Jack Plus
About 6 years ago at the office I was working in our little 3mb connection was down to 128k because of all of the excess traffic. The owners wanted to know if it was possible to see what was going on. The old part time IT guy shrugged his shoulders because not all of the traffic was going through their Windows 2000 server. He checked the routing tables and traffic logs in the server and saw nothing. They weren’t using a router strangely enough, so anything on the network could get an address from the modem. The routing tables he looked at in the server were only for static mappings that existed a couple of years prior. I noticed they weren’t on the same subnet. Then I showed them DHCP wasn’t on in the server.
I found all of the traffic coming in after hours on an overnight sweep with Wireshark. One of my coworkers was unknowingly hosting a Japanese sex site on his machine. The attackers had rooted his machine after he installed a backdoor which came along with a cracked version of a high-end video editing software. We also found out they were running
bitTorrent on various machines in different departments at different times. Wireshark found everything. Next day internet was up to full speed… we also installed a router.
If you’re not up for Wireshark you might also want to try