Home » How to find live hosts on my network?

How to find live hosts on my network?


This is the simplest way of performing host discovery with nmap.

nmap -sP

Why does it not work all the time ?

When this command runs nmap tries to ping the given IP address range to check if the hosts are alive. If ping fails it tries to send syn packets to port 80 (SYN scan). This is not hundred percent reliable because modern host based firewalls block ping and port 80. Windows firewall blocks ping by default. The hosts you have on the network are blocking ping and the port 80 is not accepting connections. Hence nmap assumes that the host is not up.

So is there a workaround to this problem?

Yes. One of the options that you have is using the -P0 flag which skips the host discovery process and tries to perform a port scan on all the IP addresses (In this case even vacant IP addresses will be scanned). Obviously this will take a large amount of time to complete the scan even if you are in a small (20-50 hosts) network. but it will give you the results.

The better option would be to specify custom ports for scanning. Nmap allows you to probe specific ports with SYN/UDP packets. It is generally recommended to probe commonly used ports e.g. TCP-22 (ssh) or TCP-3389 (windows remote desktop) or UDP-161 (SNMP).

sudo nmap -sP -PS22,3389 #custom TCP SYN scan
sudo nmap -sP -PU161 #custom UDP scan

N.B. even after specifying custom ports for scanning you may not get an active host. A lot depends on how the host is configured and which services it is using. So you just have keep probing with different combinations.Remember, do not performs scans on a network without proper authorization.

update: When scanning a network you can never be sure that a particular command will give you all the desired results. The approach should be to start with basic ping sweep and if it doesn’t work try guessing the applications that may be running on the hosts and probe the corresponding ports. The idea of using Wireshark is also interesting. You may want to try sending ACK packets.

nmap -sP -PA21,22,25,3389 #21 is used by ftp

update two: The flags -sP and -P0 are now known as -sn and -Pn respectively. However the older flags are still found to be working in the newer versions.

The easiest way to check this is to verify the ARP-tables after doing the ping sweep using nmap:

arp -a -n

This lists all hosts which responded to an ARP query, even the ones which filter ICMP.

Wireshark is cool too.

You might want to check out Wireshark. It logs all of the traffic on the local network. It will tell you which nodes are broadcasting. You can also see what is being transmitted. It’s available in the Ubuntu Software Center.

Additionally here’s a link about installing Wireshark on Ubuntu via command line.

In regard to the traffic that shows in your DHCP routing tables remember that a lot of Virtual Machines will show up as separate machines in the list. Anything that’s connected to your network usually within the default 24 hour lease time (for most WiFi Routers) will still show in the list. You might want to check for the duration of the leases in the router. It might tell you if someone’s on your network overnight. On some devices that have dual NICs or a NIC and a Wireless Card they’ll show up twice if both interfaces are enabled.

Other things that a lot of people forget about being on the network:

  • Managed Switches
  • Some printers
  • Server remote management cards
  • Cell Phones
  • Tivo and other DVRs
  • Apple TVs
  • Some Televisions
  • DVD players
  • Network A/V Receivers
  • Playstations, XBox, Etc.
  • Portable Gaming devices
  • Ipads and other tablets
  • Ipods and music players
  • PDAs
  • IP Phones like Magic Jack Plus

About 6 years ago at the office I was working in our little 3mb connection was down to 128k because of all of the excess traffic. The owners wanted to know if it was possible to see what was going on. The old part time IT guy shrugged his shoulders because not all of the traffic was going through their Windows 2000 server. He checked the routing tables and traffic logs in the server and saw nothing. They weren’t using a router strangely enough, so anything on the network could get an address from the modem. The routing tables he looked at in the server were only for static mappings that existed a couple of years prior. I noticed they weren’t on the same subnet. Then I showed them DHCP wasn’t on in the server.

I found all of the traffic coming in after hours on an overnight sweep with Wireshark. One of my coworkers was unknowingly hosting a Japanese sex site on his machine. The attackers had rooted his machine after he installed a backdoor which came along with a cracked version of a high-end video editing software. We also found out they were running Tor, demonoid, and bitTorrent on various machines in different departments at different times. Wireshark found everything. Next day internet was up to full speed… we also installed a router.

If you’re not up for Wireshark you might also want to try tcpdump.

Related Solutions

How to delete a non-empty directory in Terminal?

Use the below command : rm -rf lampp It deletes all files and folders contained in the lampp directory. In case user doesn't have the permission to delete the folder: Add sudo at the beginning of the command : sudo rm -rf folderName Otherwise, without sudo you...

mysql: Show GRANTs for all users

Nothing built-in. You have two options though: Use common_schema's sql_show_grants view. For example, you can query: SELECT sql_grants FROM common_schema.sql_show_grants; Or you can query for particular users, for example: SELECT sql_grants FROM...

Configurable values to MDB annotations

You can externalise the annotations into the ejb-jar.xml that you deploy in the META-INF of your jar file as follows: <?xml version="1.0" encoding="UTF-8"?> <ejb-jar version="3.0"> <enterprise-beans> <message-driven>...

How do I select which Apache MPM to use?

There are a number of MPM modules (Multi-Processing Modules), but by far the most widely used (at least on *nix platforms) are the three main ones: prefork, worker, and event. Essentially, they represent the evolution of the Apache web server, and the different...

Using var self = this or .bind(this)? [closed]

Things that would favor var self = this; bind isn't supported in IE8 and Safari5. If you aim to build a library or code that supports legacy browsers, then var self = this would be more cross-browser friendly. Sometimes, callbacks are bound to a certain context...

What is the difference between SSL vs SSH? Which is more secure?

SSL and SSH both provide the cryptographic elements to build a tunnel for confidential data transport with checked integrity. For that part, they use similar techniques, and may suffer from the same kind of attacks, so they should provide similar security (i.e....

How can I stop applications and services from running?

First Things First You may have some misconceptions about how Android works and what's really happening when a service is running or an app is in the background. See also: Do I really need to install a task manager? Most apps (e.g., ones you launch manually)...

How do I reset a lost administrative password?

By default the first user's account is an administrative account, so if the UI is prompting you for a password it's probably that person's user password. If the user doesn't remember their password you need to reset it. To do this you need to boot into recovery...

How can I use environment variables in Nginx.conf

From the official Nginx docker file: Using environment variables in nginx configuration: Out-of-the-box, Nginx doesn't support using environment variables inside most configuration blocks. But envsubst may be used as a workaround if you need to generate your...

Difference between .bashrc and .bash_profile

Traditionally, when you log into a Unix system, the system would start one program for you. That program is a shell, i.e., a program designed to start other programs. It's a command line shell: you start another program by typing its name. The default shell, a...

Custom query with Castle ActiveRecord

In this case what you want is HqlBasedQuery. Your query will be a projection, so what you'll get back will be an ArrayList of tuples containing the results (the content of each element of the ArrayList will depend on the query, but for more than one value will...

What is the “You have new mail” message in Linux/UNIX?

Where is this mail? It's likely to be in the spool file: /var/mail/$USER or /var/spool/mail/$USER are the most common locations on Linux and BSD. (Other locations are possible – check if $MAIL is set – but by default, the system only informs you about...

How can I find the implementations of Linux kernel system calls?

System calls aren't handled like regular function calls. It takes special code to make the transition from user space to kernel space, basically a bit of inline assembly code injected into your program at the call site. The kernel side code that "catches" the...

Is a composite index also good for queries on the first field?

It certainly is. We discussed that in great detail under this related question: Working of indexes in PostgreSQL Space is allocated in multiples of MAXALIGN, which is typically 8 bytes on a 64-bit OS or (much less common) 4 bytes on a 32-bit OS. If you are not...