Nmap Development mailing list archives

RE: ping scan not accurate?


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Sat, 3 Aug 2013 08:07:43 +0100

Hi Michael,

Nmap's "ping scan" usually sends a handful of different packets to detect
hosts. But if you're scanning a local subnet Nmap will usually only check
for ARP responses. I suspect you saw false positives as something responded
(possibly with the same MAC address each time?) for every IP.

http://nmap.org/book/man-host-discovery.html

A more accurate approach would need to be taken, such as the ICMP echo scan
you performed and/or port scans. You can use the flag --open so Nmap only
returns results for hosts that have open ports (useful if a firewall is
returning TCP resets for hosts that are really down) and the --reason flag
will tell you what response Nmap saw.

Rob

-----Original Message-----
From: dev [mailto:dev-bounces () nmap org] On Behalf Of Michael Nichols
Sent: 02 August 2013 23:12
To: dev () nmap org
Subject: ping scan not accurate?

I used nmap to troubleshoot an issue where in an office bldg. with a shared
internet subnet for tenants.
One of my clients was having ip conflicts on the WAN side of their firewall.

The subnet was 192.168.0.0/24

I used zenmap and ran a ping scan of 192.168.0.1-254. It came back saying all
254 hosts were up.

So I complained to the network administrator responsible for that subnet
that it appears they need to change the subnet to something that can
support more devices.
They came back saying that they did not believe that all the addresses were
in use and the utility being used may be producing inaccurate results.

I then did icmp pings using the traditional ping command to random IPs and
found that IPs that the nmap ping scan was reporting as alive were not
responding.
I did another scan at a command line: nmap -PE 192.168.0.1-254

Which returned back that 20 hosts were up.

I was mainly wondering why a ping scan (-sn) would be reporting a false
positive.


Thanks.





_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
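
An added example, not part of the original thread: one way to test the "same MAC address each time" suspicion from the reply is to group the hosts in Nmap's normal output of a local -sn scan by MAC address. The sample output is constructed, and the function names and the threshold are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -sn --reason` normal output (not from the thread).
SAMPLE = """\
Nmap scan report for 192.168.0.1
Host is up, received arp-response (0.0010s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for 192.168.0.7
Host is up, received arp-response (0.0012s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for 192.168.0.20
Host is up, received arp-response (0.0008s latency).
MAC Address: 66:77:88:99:AA:BB (Unknown)
Nmap scan report for 192.168.0.31
Host is up, received arp-response (0.0011s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
"""

# Matches both "for 192.168.0.1" and "for name (192.168.0.1)".
REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?([\d.]+)\)?$")
MAC = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")

def ips_by_mac(text):
    """Map each MAC address to the list of IPs reported up with it."""
    groups, current_ip = defaultdict(list), None
    for line in text.splitlines():
        m = REPORT.match(line.strip())
        if m:
            current_ip = m.group(1)
            continue
        m = MAC.match(line.strip())
        if m and current_ip:
            groups[m.group(1).upper()].append(current_ip)
            current_ip = None
    return dict(groups)

def shared_macs(text, threshold=2):
    """Return MACs that answered for at least `threshold` IPs (assumed cutoff)."""
    return {mac: ips for mac, ips in ips_by_mac(text).items() if len(ips) >= threshold}

if __name__ == "__main__":
    for mac, ips in shared_macs(SAMPLE).items():
        print(f"{mac} answered ARP for {len(ips)} addresses: {', '.join(ips)}")
```

A single MAC address listed against most of the subnet points to one device answering ARP for addresses it does not hold, which is the false-positive pattern the reply describes.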

