Who's up with nmap, revisited
August 19, 2010 at 11:30 PM by Dr. Drang
I am, sad to say, the de facto network administrator for my small company. Today, one of my partners was having a connectivity problem, and while I was solving that problem (some cabling got disconnected), I learned that my little network probing script, whosup, needed to be updated.
Originally, whosup was a one-line shell script that ran nmap with certain parameters,

nmap -sP 192.168.1.*

which told nmap to do a “ping scan” of my local network and report the hosts that respond. The reason I made a script out of such a simple command is that I didn’t use nmap very often and couldn’t remember the options from one use to the next.
Two things have changed since the last time I used whosup:

- We now have a few Vista machines at work, and they don’t respond to the ping scan unless I run it as the superuser.
- Nmap has been upgraded, and the current version is more verbose in its output and is in the process of changing its ping scan option.
To account for these changes and to do a little future-proofing, I changed whosup
from a shell script to Perl:
1: #!/usr/bin/perl
2:
3: @nmap = `sudo nmap -sn 192.168.1.0/24 2>&1`;
4: for (@nmap) {
5: print "$1\n" if /^Nmap scan.+?(\d+\.\d+\.\d+\.\d+).*/;
6: }
Line 3 runs nmap as the superuser (prompting me for my administrative password) and puts the output lines into the @nmap list.

- The -sn option is the “no port scan” option used for host discovery. The older -sP option, which -sn replaces, still works in Version 5.21 but is being phased out.
- The 192.168.1.0/24 tells nmap to look at all the IPs whose first three bytes are 192, 168, and 1. Three bytes is 24 bits, which is where the /24 comes from.
- Finally, the 2>&1 is the standard bash redirection operator which merges standard error into standard output. I did this because nmap often writes messages to standard error, and I wanted the rest of the program to filter them out.
Lines 4-6 then filter the nmap output lines. The nmap output from Line 3 looks something like this,
Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-19 22:16 CDT
Nmap scan report for 192.168.1.1
Host is up (0.0053s latency).
MAC Address: 00:11:22:33:44:55 (Cisco-Linksys)
Nmap scan report for 192.168.1.10
Host is up (0.0038s latency).
MAC Address: 00:11:22:33:44:55 (Brother Industries)
Nmap scan report for 192.168.1.100
Host is up (0.034s latency).
MAC Address: 00:11:22:33:44:55 (Apple Computer)
Nmap scan report for 192.168.1.101
Host is up (0.035s latency).
MAC Address: 00:11:22:33:44:55 (Billionton Systems)
Nmap scan report for 192.168.1.103
Host is up (0.27s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for 192.168.1.107
Host is up (0.27s latency).
MAC Address: 00:11:22:33:44:55 (Apple)
Nmap scan report for 192.168.1.109
Host is up.
Nmap scan report for 192.168.1.110
Host is up (0.16s latency).
MAC Address: 00:11:22:33:44:55 (Sony Computer Entertainment)
Nmap done: 256 IP addresses (8 hosts up) scanned in 10.23 seconds
which has way too much information.[1] I just want the IP numbers of the hosts that respond. Line 5 plucks out the IP numbers and prints them, one per line. The final whosup output looks like this:
192.168.1.1
192.168.1.10
192.168.1.100
192.168.1.101
192.168.1.105
192.168.1.109
192.168.1.110
A simple list of the hosts connected to the network. When I ran it at work today, I found a host I didn’t know about. Turns out one of my other partners has an old router in his office acting as a hub.
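The script above throws away everything but the IP, which is exactly what whosup is for. When the point is to notice a device you didn’t expect (like that stray router), it helps to keep the MAC and vendor lines too and compare the result against a list of hosts you already know about. The following is an added example, not Dr. Drang’s script: it parses the same nmap -sn output format into one record per host and flags anything not in a hypothetical %known inventory. The sample scan text is constructed for the example (placeholder MACs) so it runs without root or a network; the %known table is an assumption you would fill in yourself.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of `nmap -sn` output for this example (not a real scan;
# MAC addresses are placeholders). In real use, replace this with
#   my $sample = join '', `sudo nmap -sn 192.168.1.0/24 2>&1`;
my $sample = <<'END';
Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-19 22:16 CDT
Nmap scan report for 192.168.1.1
Host is up (0.0053s latency).
MAC Address: 00:11:22:33:44:55 (Cisco-Linksys)
Nmap scan report for 192.168.1.109
Host is up.
Nmap scan report for printer.local (192.168.1.10)
Host is up (0.0038s latency).
MAC Address: 00:11:22:33:44:55 (Brother Industries)
Nmap scan report for 192.168.1.42
Host is up (0.27s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap done: 256 IP addresses (4 hosts up) scanned in 10.23 seconds
END

# Parse nmap -sn text output into a list of hashrefs, one per host.
# Handles both "report for 1.2.3.4" and "report for name (1.2.3.4)" lines,
# and the "Host is up." line with no latency, which nmap prints for the
# scanning machine itself (it also gets no MAC line, since there is no
# ARP reply from yourself).
sub parse_scan {
    my @lines = @_;
    my (@hosts, $cur);
    for (@lines) {
        if (/^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?/) {
            $cur = { ip => $1, up => 0, latency => undef,
                     mac => undef, vendor => undef };
            push @hosts, $cur;
        }
        elsif ($cur && /^Host is up(?: \(([\d.]+)s latency\))?/) {
            $cur->{up}      = 1;
            $cur->{latency} = $1 if defined $1;
        }
        elsif ($cur && /^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)/) {
            $cur->{mac}    = $1;
            $cur->{vendor} = $2;
        }
    }
    return @hosts;
}

# Hypothetical inventory of hosts that are supposed to be on the network:
# IP => a label for the report. Anything that answers and is not here
# gets flagged so it can be tracked down.
my %known = (
    '192.168.1.1'   => 'office router',
    '192.168.1.10'  => 'printer',
    '192.168.1.109' => 'this machine',
);

my @hosts = parse_scan(split /\n/, $sample);
for my $h (@hosts) {
    next unless $h->{up};
    my $tag = exists $known{ $h->{ip} } ? 'known  ' : 'UNKNOWN';
    printf "%s %-15s %-17s %s\n", $tag, $h->{ip},
        $h->{mac} // '(no MAC: local host)',
        exists $known{ $h->{ip} } ? $known{ $h->{ip} } : ($h->{vendor} // '');
}
```

Run as-is it prints the four hosts from the sample, with 192.168.1.42 marked UNKNOWN and its vendor string shown so you have something to go on. The vendor field comes from nmap’s OUI lookup and is only a hint (“Unknown” above is literally what nmap prints when the prefix isn’t in its table), so the MAC itself is the thing worth recording in the inventory once you have identified the device.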
[1] The MAC addresses in the output above have been changed to protect the innocent (how many of you are old enough to get that reference?), but the rest of the output is real.