To discover live hosts on your local network using Nmap, the most effective command is **`sudo nmap -sn <target_network>`**. The **-sn** flag (formerly -sP) disables port scanning and performs a host discovery ping sweep, which is faster and less intrusive than a full scan.
Here are the specific commands based on your network setup:
### 1. Standard Local Network Scan (Same Subnet)
If you are on the same subnet as the target devices, Nmap defaults to ARP discovery, which is highly reliable because ARP requests are rarely blocked by firewalls.
```bash
sudo nmap -sn 192.168.1.0/24
```
*Replace `192.168.1.0/24` with your specific subnet CIDR notation.*
### 2. Remote or Cross-Subnet Scan
If scanning a different subnet or remote network, ARP is not used. Nmap will attempt ICMP echo (ping), TCP SYN to port 443, and TCP ACK to port 80 by default.
```bash
sudo nmap -sn 10.0.0.0/24
```
### 3. Customizing Discovery Probes
If hosts are being missed (often due to firewalls blocking ICMP), you can specify alternative discovery methods:
* **ICMP Echo Only**: `sudo nmap -sn -PE <network>`
* **ICMP Timestamp Only**: `sudo nmap -sn -PP <network>`
* **ICMP Address Mask Only**: `sudo nmap -sn -PM <network>`
* **TCP SYN to Specific Port**: `sudo nmap -sn -PS80,443 <network>`
* **UDP Probe to a Specific Port** (for example SNMP on 161): `sudo nmap -sn -PU161 <network>`
### Key Options for Output Control
* **`-n`**: Disables reverse DNS resolution, making the scan significantly faster.
* **`-oA <filename>`**: Saves the output in all formats (XML, Nmap, Grepable) for later analysis.
* **`-v`**: Increases verbosity to show detailed progress.
**Example for a fast, clean output:**
```bash
sudo nmap -sn -n 192.168.1.0/24
```
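Once a sweep has been saved with `-oA`, the grepable `.gnmap` file is the easiest format to post-process. The following is an added example, not part of the original post: it parses the `Host: ... Status: Up` lines from a constructed sample of `nmap -sn -oA` output and compares the live hosts with an assumed asset inventory, so unexpected devices on the subnet stand out.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of a .gnmap file as written by `nmap -sn -oA lan ...`
# (not real scan output). Host lines have the form:
#   Host: <ip> (<reverse-dns name or empty>)<TAB>Status: Up
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sn -oA lan 192.168.1.0/24
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.42 (printer.lan)\tStatus: Up
Host: 192.168.1.77 ()\tStatus: Down
# Nmap done at Mon Jan  1 12:00:05 2024 -- 256 IP addresses (3 hosts up) scanned in 4.32 seconds
"""

# Matches the IP, the parenthesised hostname (may be empty, e.g. with -n) and the status.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_live_hosts(gnmap_text: str) -> Dict[str, str]:
    """Return {ip: hostname} for every host the sweep reported as Up.

    Comment lines (starting with '#') and any Down hosts are skipped.
    The hostname is '' when reverse DNS was disabled or returned nothing.
    """
    live: Dict[str, str] = {}
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            live[m.group(1)] = m.group(2)
    return live


def diff_against_inventory(live: Dict[str, str], inventory: Set[str]) -> Tuple[List[str], List[str]]:
    """Compare live hosts with a known-asset list (assumed, maintained elsewhere).

    Returns (unexpected, missing): IPs that answered but are not in the
    inventory, and inventory IPs that did not answer this sweep.
    """
    seen = set(live)
    return sorted(seen - inventory), sorted(inventory - seen)


if __name__ == "__main__":
    hosts = parse_live_hosts(SAMPLE_GNMAP)
    # Assumed inventory for the demo: the router, one workstation and a host that is offline.
    unexpected, missing = diff_against_inventory(hosts, {"192.168.1.1", "192.168.1.10", "192.168.1.99"})
    print("live:", hosts)
    print("unexpected:", unexpected, "missing:", missing)
```

Run it against the real file with `parse_live_hosts(open("lan.gnmap").read())` after a sweep saved with `-oA lan`.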