Who's up with nmap, revisited

I am, sad to say, the de facto network administrator for my small company. Today, one of my partners was having a connectivity problem, and while I was solving that problem (some cabling got disconnected), I learned that my little network probing script, whosup, needed to be updated.

Originally, whosup was a one-line shell script that ran nmap with certain parameters,

nmap -sP 192.168.1.*

which told nmap to do a “ping scan” of my local network and report the hosts that respond. The reason I made a script out of such a simple command is that I didn’t use nmap very often and couldn’t remember the options from one use to the next.

Two things have changed since the last time I used whosup:

1. We now have a few Vista machines at work, and they don’t respond to the ping scan unless I run it as the superuser.
2. Nmap has been upgraded, and the current version is more verbose in its output and is in the process of changing its ping scan option.

To account for these changes and to do a little future-proofing, I changed whosup from a shell script to Perl:

1:  #!/usr/bin/perl
2:
3:  @nmap = `sudo nmap -sn 192.168.1.0/24 2>&1`;
4:  for (@nmap) {
5:    print "$1\n" if /^Nmap scan.+?(\d+\.\d+\.\d+\.\d+).*/;
6:  }

Line 3 runs nmap as the superuser (prompting me for my administrative password) and puts the output lines into the @nmap list.

• The -sn option is the “no port scan” option used for host discovery. The older -sP option, which -sn replaces, still works in Version 5.21 but is being phased out.
• The 192.168.1.0/24 tells nmap to look at all the IPs whose first three bytes are 192, 168, and 1. Three bytes is 24 bits, which is where the /24 comes from.
• Finally, the 2>&1 is the standard bash redirection operator which merges standard error into standard output. I did this because nmap often writes messages to standard error, and I wanted the rest of the program to filter them out.

Lines 4-6 then filter the nmap output lines. The nmap output from Line 3 looks something like this,

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-19 22:16 CDT
Nmap scan report for 192.168.1.1
Host is up (0.0053s latency).
Nmap scan report for 192.168.1.10
Host is up (0.0038s latency).
Nmap scan report for 192.168.1.100
Host is up (0.034s latency).
Nmap scan report for 192.168.1.101
Host is up (0.035s latency).
Nmap scan report for 192.168.1.103
Host is up (0.27s latency).
Nmap scan report for 192.168.1.107
Host is up (0.27s latency).
Nmap scan report for 192.168.1.109
Host is up.
Nmap scan report for 192.168.1.110
Host is up (0.16s latency).
MAC Address: 00:11:22:33:44:55 (Sony Computer Entertainment)
Nmap done: 256 IP addresses (8 hosts up) scanned in 10.23 seconds

which has way too much information.[1] I just want the IP numbers of the hosts that respond. Line 5 plucks out the IP numbers and prints them, one per line. The final whosup output looks like this:

192.168.1.1
192.168.1.10
192.168.1.100
192.168.1.101
192.168.1.105
192.168.1.109
192.168.1.110

A simple list of the hosts connected to the network. When I ran it at work today, I found a host I didn’t know about. Turns out one of my other partners has an old router in his office acting as a hub.
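As an added example (not the author's script), here is the same filtering in Python, generalized beyond the six-line version: it handles the report-line forms nmap also produces (a reverse-DNS name with the IP in parentheses, and the "[host down]" lines printed for non-responders when nmap runs with -v), keeps the MAC/vendor line, and compares the responding hosts against a known-device list, which is the check that would have flagged the unknown router above. SAMPLE_OUTPUT is constructed for the example, not a capture from the author's network.

```python
import re

# Constructed sample of `nmap -sn` output (not a capture from the author's
# network). It mixes the three report forms the parser has to handle: a bare
# IP, a reverse-DNS name with the IP in parentheses, and the "[host down]"
# line nmap prints for non-responding hosts when run with -v.
SAMPLE_OUTPUT = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-19 22:16 CDT
Nmap scan report for 192.168.1.1
Host is up (0.0053s latency).
Nmap scan report for printer.lan (192.168.1.10)
Host is up (0.0038s latency).
MAC Address: 00:11:22:33:44:55 (Sony Computer Entertainment)
Nmap scan report for 192.168.1.42 [host down]
Nmap scan report for 192.168.1.109
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 10.23 seconds
"""

REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?"
    r"(?P<down> \[host down\])?$"
)
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2}) \((?P<vendor>.*)\)$")

def parse_nmap_sn(text):
    """One dict per 'Nmap scan report' block: ip, name, up, mac, vendor."""
    hosts = []
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:  # start of a new host block; "[host down]" means it never answered
            hosts.append({"ip": m["ip"], "name": m["name"], "up": m["down"] is None,
                          "mac": None, "vendor": None})
        elif hosts and line.startswith("Host is up"):
            hosts[-1]["up"] = True
        elif hosts and (m := MAC_RE.match(line)):  # only reported for same-segment hosts
            hosts[-1]["mac"], hosts[-1]["vendor"] = m["mac"], m["vendor"]
    return hosts

def whosup(text):
    """The original script's job: IPs of the hosts that responded."""
    return [h["ip"] for h in parse_nmap_sn(text) if h["up"]]

def unknown_hosts(text, inventory):
    """Responding hosts whose IP is not in the known-device inventory."""
    return [h for h in parse_nmap_sn(text) if h["up"] and h["ip"] not in inventory]

if __name__ == "__main__":
    print("\n".join(whosup(SAMPLE_OUTPUT)))
```

Feeding it real output means replacing SAMPLE_OUTPUT with the text captured from `sudo nmap -sn 192.168.1.0/24 2>&1`; unknown_hosts() with your own inventory set then lists any responder you did not expect, MAC and vendor included when nmap reported them.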

[1] The MAC addresses in the output above have been changed to protect the innocent (how many of you are old enough to get that reference?), but the rest of the output is real.