Unix: Why you should love nmap

Discovering hosts and services isn't just something that hackers do. A good sysadmin needs to work with an up-to-date view of the systems they manage or those they want to keep an eye on.


Generally, only a handful -- something between 4 and 20 -- are going to be in use, actually listening for network connections. Almost no one asks nmap to check all possible ports. That would be far too time consuming and too light on results.

I find nmap particularly helpful for building or verifying my system inventory. I generally scan by subnet. If I want to update my view of what systems are active on a particular subnet, I might run a quick scan just to tell me what systems are there. Here's a command that reports the systems active on the subnet.

$ nmap -sP

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2014-06-03 19:50 EDT
Host boson ( appears to be up.
Host fermion ( appears to be up.
Host appears to be up.
Host appears to be up.
Host appears to be up.
Host appears to be up.
Host appears to be up.
Nmap finished: 256 IP addresses (7 hosts up) scanned in 7.158 seconds

In this example using the -sn (ping) scan, nmap has found seven active systems on this particular subnet. The -sP option appears to be synonymous with -sn. Here's output from a different system:

# nmap -sn

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-04 13:13 EDT
Nmap scan report for
Host is up (0.00052s latency).
MAC Address: 00:00:0C:11:AD:04 (Cisco Systems)
Nmap scan report for loc11.particles.com (
Host is up (0.00034s latency).
MAC Address: 00:50:65:A2:4C:67 (VMware)
Nmap scan report for vm11.particles.com (
Host is up (0.00034s latency).

Note that you can give nmap a single system as an argument or a subnet address such as the 256-address network specifications (254 usable IPs) shown in the examples above.

Because I'm generally interested in single-line-per-system results, I often pass the output of nmap through a Perl script that turns multi-line output as show in that last example into something that better meets my needs. This just pulls the interesting data from the three-lines-per-system output shown. It reads its data from whatever file you provide as an argument.

#!/usr/bin/perl -w

open NMAP,"<$ARGV[0]";

while (  ) {
    next if /Starting/;
    if ( /^Nmap scan report/ ) {
        s/Nmap scan report for //;
close NMAP;

This cuts the output that I need to look at down to this:
loc11.particles.com (
vm11.particles.com (

Many of nmap's options, such as OS fingerprinting, require root privilege. Some do not. In OS fingerprinting, nmap tries to determine what operating system is running on each system.

Photo Credit: 
Join us:






Spotlight on ...
Online Training

    Upgrade your skills and earn higher pay

    Readers to share their best tips for maximizing training dollars and getting the most out self-directed learning. Here’s what they said.


    Learn more

Operating SystemsWhite Papers & Webcasts

See more White Papers | Webcasts

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question