In Part 1 of this series, we introduced you to network scanners in general, and an excellent free one in particular, Nmap. You also learned how to obtain and install Nmap. Here in Part 2, you’ll use Nmap to find out how many devices are active on your network. In Part 3, tomorrow, you’ll try your first network scan, and we’ll explain how to interpret the results.
This series assumes you have mastered basic concepts of networking, but do not have a lot of experience managing network security. To understand what follows, you should have a working grasp of IP addresses, subnet masks, and slash notation.
Getting Oriented on Your Own Network
If you’re going to scan your whole network at once — and you are! — you need to know your network IP address, a single address that represents your entire network.
You can learn your network IP address easily using the command line. If you don’t have your DOS prompt open, access it now (and if you don’t know how to, refer to the last paragraphs of Part 1). At the blinking prompt, type ipconfig and press Enter. Your results will differ from ours in the details, but will look generally like this:
C:\Program Files\Nmap>ipconfig
Windows IP Configuration
Ethernet adapter Wireless Network Connection 3:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.111.34
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.39.14
C:\Program Files\Nmap>
If you or your predecessor originally designed your network using the most common subnet masks such as 255.255.255.0 (in slash notation, /24), 255.255.0.0 (/16), or 255.0.0.0 (/8), it’s easy to figure out your network’s IP address, since it will always end in zero. For instance, based on the sample IPCONFIG above, you know our test computer has a 192.168.111.34 address and a 255.255.255.0 or /24 subnet mask. That subnet mask indicates that the first three octets of an address designate the network. We also just mentioned that the most common subnets, such as /24, always end in a zero for the network address. So the network address of our sample computer is 192.168.111.0/24.
However, when you subdivide networks into smaller pieces using less common subnet masks, it’s more difficult to find your network address without knowing how subnet masking works on a binary level. The network address won’t always end in zero, so then you have to calculate it. Don’t worry, though; we have a trick that will tell you your network IP address without any calculation at all.
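For readers who do want to see the binary-level calculation the paragraph above refers to, here is an added example in Python (not code from the original article). The network address is the bitwise AND of the host address and the subnet mask, which is exactly why it only "ends in zero" for the common /8, /16 and /24 masks. The function names are our own, and the sample addresses other than the article's 192.168.111.34 with mask 255.255.255.0 are constructed for the example.

```python
import ipaddress

# Added example: derive the network address (in slash notation) from a host
# IP address and a dotted-decimal subnet mask, as shown by IPCONFIG.


def network_address_manual(ip: str, mask: str) -> str:
    """Network address via bitwise AND of each octet, plus the prefix length."""
    ip_octets = [int(o) for o in ip.split(".")]
    mask_octets = [int(o) for o in mask.split(".")]
    if len(ip_octets) != 4 or len(mask_octets) != 4:
        raise ValueError("expected dotted-decimal IPv4 address and mask")

    # A valid mask is a run of 1 bits followed by a run of 0 bits; reject
    # anything else (e.g. 255.255.0.255) before doing arithmetic with it.
    mask_int = int.from_bytes(bytes(mask_octets), "big")
    inverse = ~mask_int & 0xFFFFFFFF
    if inverse & (inverse + 1):
        raise ValueError(f"{mask} is not a contiguous subnet mask")

    # Host bits are cleared by the AND; for a /24 the last octet becomes 0,
    # for a /26 it becomes 0, 64, 128 or 192 depending on the host address.
    net_octets = [i & m for i, m in zip(ip_octets, mask_octets)]
    prefix = bin(mask_int).count("1")
    return ".".join(str(o) for o in net_octets) + f"/{prefix}"


def network_address(ip: str, mask: str) -> str:
    """Same result using the standard library; strict=False accepts a host IP."""
    return str(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False))


def addresses_to_scan(network: str) -> int:
    """How many IPs an 'nmap -sP <network>' will ping (256 for a /24)."""
    return ipaddress.IPv4Network(network).num_addresses


if __name__ == "__main__":
    # The article's own example: a /24 network, so the address ends in zero.
    print(network_address_manual("192.168.111.34", "255.255.255.0"))
    # Constructed example with a /26 mask: the network address ends in 64.
    print(network_address_manual("192.168.111.100", "255.255.255.192"))
    print(addresses_to_scan("192.168.111.0/24"))
```

The manual version and the `ipaddress` version always agree; the manual one is kept to make the octet-by-octet AND visible.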
Using the command prompt, the ROUTE command actually lists every network route on your computer. It’s intended to help you figure out how your computer reaches other networks, but that’s not how you’ll use it today. Besides having routes to other networks, your computer also has a route to your own local network. Your computer creates this route using your local network IP address. So, we’ll use the ROUTE command to display the routes to your local network, and in that way, see your network IP address.
In the command prompt, type:
route print 192*
If appropriate, replace the “192” with the first octet of your own computer’s IP address (which you learned from your IPCONFIG results). Then press Enter. Your results should resemble Figure 1 (showing your own IP addresses, of course):
Much of the ROUTE command’s output lists information about your network card that we don’t care about right now. In our sample output, we’ve displayed the line of interest in orange text. The first IP address in our output shows our network IP address: 192.168.111.0 with the subnet mask 255.255.255.0 (or 192.168.111.0/24). Similarly, your network IP address should be the first IP address you see in your output.
Presto! You now have the address you need in order to scan your entire network. So let’s get back to Nmap.
How Nmap Counts Your Networked Devices
We’re helping you get acquainted with Nmap, but you hardly need us if you’re willing to experiment a little and read a lot. To access Nmap’s help file, at the command prompt just type nmap and press Enter. That’s one convenient way to learn about Nmap’s options.
Though Nmap is a port scanner, you can use it to do many things. For starters, we’ll use Nmap’s ping scan (the -sP option) to automate the task of counting how many computers are currently active on your network. In the command prompt, type
nmap -sP 192.168.111.0/24
(Of course, replace our sample network’s IP address with your network IP address.) You should see a result similar to this:
C:\Program Files\Nmap>nmap -sP 192.168.111.0/24
Starting Nmap 4.20 ( http://www.insecure.org/nmap ) at 2007-05-08 12:18 Pacific Standard Time
Host 192.168.111.1 appears to be up.
MAC Address: 00:01:02:55:73:C3 (3com)
Host 192.168.111.3 appears to be up.
MAC Address: 00:10:5A:27:5C:44 (3com)
Host 192.168.111.254 appears to be up.
MAC Address: 00:90:7F:2E:1D:FB (WatchGuard Technologies)
Host frodolinux.hogwarts.lsstest.dyndns.org (192.168.111.16) appears to be up.
MAC Address: 00:04:76:22:C6:65 (3 Com)
Host 192.168.111.34 appears to be up.
Host 192.168.111.126 appears to be up.
MAC Address: 00:10:4B:0E:E6:E6 (3com)
Nmap finished: 256 IP addresses (6 hosts up) scanned in 5.797 seconds
When you ran that command, Nmap pinged every IP address in the range of the network IP address you supplied. Nmap lists information for the IPs that responded to this request. So the list of IP addresses in our sample result shows the networked devices that currently respond to ping requests. In this example, Nmap found the following six IPs active on our test network:
- 192.168.111.1
- 192.168.111.3
- 192.168.111.254
- 192.168.111.16
- 192.168.111.34
- 192.168.111.126
As you might guess, this is not the most accurate count possible. If you divide some segments of your network using an internal firewall, the firewall might hide any devices behind it. And devices on your network that are powered off when you scan won’t respond. But the results are still useful. Repeat the command over time to learn what “normal” is on your network. If a daily scan typically returns 18 to 22 authorized devices, and one day it finds 35, you know it’s time to investigate. (Maybe one of the engineers added a rogue wireless access point and now the neighboring businesses are piggybacking onto your WiFi Internet access.)
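The "learn what normal is" check described above is easy to automate once you save the scan output to a file. The following Python is an added example, not code from the article or from Nmap: it parses the Nmap 4.x ping-scan output shown earlier (embedded here as the sample, with the wrapped lines rejoined), cross-checks the parsed host list against Nmap's own "hosts up" summary, and compares the responding hosts with a baseline set from earlier scans. The baseline set, the "normal" count range and all function names are constructed for the example.

```python
import ipaddress
import re

# Added example: turn "nmap -sP" output into a host inventory and flag changes
# against a baseline. Sample output is the article's scan of 192.168.111.0/24.
SAMPLE_OUTPUT = """Starting Nmap 4.20 (http://www.insecure.org/nmap ) at 2007-05-08 12:18 Pacific Standard Time
Host 192.168.111.1 appears to be up.
MAC Address: 00:01:02:55:73:C3 (3com)
Host 192.168.111.3 appears to be up.
MAC Address: 00:10:5A:27:5C:44 (3com)
Host 192.168.111.254 appears to be up.
MAC Address: 00:90:7F:2E:1D:FB (WatchGuard Technologies)
Host frodolinux.hogwarts.lsstest.dyndns.org (192.168.111.16)appears to be up.
MAC Address: 00:04:76:22:C6:65 (3 Com)
Host 192.168.111.34 appears to be up.
Host 192.168.111.126 appears to be up.
MAC Address: 00:10:4B:0E:E6:E6 (3com)
Nmap finished: 256 IP addresses (6 hosts up) scanned in 5.797 seconds
"""

# Constructed baseline: the hosts that answered on "normal" days before this scan.
BASELINE_IPS = {"192.168.111.1", "192.168.111.3", "192.168.111.16",
                "192.168.111.34", "192.168.111.254"}

# "Host <ip> appears to be up." or "Host <name> (<ip>)appears to be up."
HOST_UP = re.compile(
    r"^Host (?:(?P<name>\S+) )?\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s*appears to be up\."
)
# MAC line follows the host it belongs to; absent for the scanning machine itself.
MAC_LINE = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17}) \((?P<vendor>[^)]*)\)")
SUMMARY = re.compile(r"^Nmap finished: (?P<scanned>\d+) IP addresses \((?P<up>\d+) hosts? up\)")


def parse_ping_scan(output: str) -> list:
    """Return one dict per responding host: ip, hostname, mac, vendor."""
    hosts = []
    for raw in output.splitlines():
        line = raw.strip()
        m = HOST_UP.match(line)
        if m:
            hosts.append({"ip": m["ip"], "hostname": m["name"], "mac": None, "vendor": None})
            continue
        m = MAC_LINE.match(line)
        if m and hosts:
            hosts[-1]["mac"] = m["mac"].upper()
            hosts[-1]["vendor"] = m["vendor"]
    return hosts


def summary_counts(output: str):
    """(addresses scanned, hosts up) from Nmap's closing line, or None."""
    for raw in output.splitlines():
        m = SUMMARY.match(raw.strip())
        if m:
            return int(m["scanned"]), int(m["up"])
    return None


def compare_with_baseline(current: set, baseline: set, normal_range: tuple) -> dict:
    """Report new and missing hosts and whether the count is outside 'normal'."""
    lo, hi = normal_range
    by_ip = ipaddress.IPv4Address  # sort numerically, not as strings
    return {
        "count": len(current),
        "new": sorted(current - baseline, key=by_ip),
        "missing": sorted(baseline - current, key=by_ip),
        "alert": not (lo <= len(current) <= hi),
    }


def scan_report(output: str, baseline: set, normal_range: tuple) -> dict:
    """Parse a scan, verify it against Nmap's own count, and diff the baseline."""
    hosts = parse_ping_scan(output)
    summary = summary_counts(output)
    report = compare_with_baseline({h["ip"] for h in hosts}, baseline, normal_range)
    # If the parser disagrees with Nmap's summary the output format has changed.
    report["parse_consistent"] = summary is not None and summary[1] == len(hosts)
    report["hosts"] = hosts
    return report


if __name__ == "__main__":
    result = scan_report(SAMPLE_OUTPUT, BASELINE_IPS, normal_range=(4, 6))
    for h in result["hosts"]:
        print(h["ip"], h["hostname"] or "-", h["mac"] or "-", h["vendor"] or "-")
    print("new:", result["new"], "missing:", result["missing"], "alert:", result["alert"])
```

Run the scan daily with the `> filename.txt` redirection shown below, feed the file to `scan_report`, and the `new` list gives you the addresses to look at first when the count jumps.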
If you have many active IPs on your network, your Nmap ping results quickly scroll off the command prompt window. Here are two methods to run the same command, managing the output in different ways. You can use these methods when running any command line application:
- To pause output before it scrolls off screen, add | more
Example: nmap -sP 192.168.111.0/24 | more
(Press your spacebar or the Enter key to continue output)
- To capture output to a text file, specify a file name
Example: nmap -sP 192.168.111.0/24 > filename.txt
(Change “filename” to any name you like)
Using Nmap to automate your pings, rather than manually pinging hundreds of addresses yourself, is cool. You now know how many devices respond on your network. But that’s not even Nmap’s primary purpose! You want to use it to port scan your network. So let’s do it — in Part 3, tomorrow.