nmap output interpretation?

[blueaxis]

I scanned 5 hosts in my local network using basic nmap command.

#nmap ip-1, ip-2, ip-3, ip-4, ip-5

what I didn’t quite understand is at the end of the scan why did nmap reported it scanned 9 ip addresses.

Nmap done: 9 IP addresses (5 hosts up) scanned in 30.47 seconds

Any idea what’s going on here?

Appreciate your help.

[Dark_Knight]

Try using the -v option for more details…. You could also run a sniffer during the scan to exactly what is happening.

[hurtl0cker]

Use the Verbose output option using ‘-v’ command line flag or Increase the verbosity level using ‘-vv’

try using ‘–packet-trace’ command line flag, this option causes Nmap to print a summary of every packet it sends and receives. This can be extremely useful for debugging or understanding Nmap’s behavior.

[hayabusa]

Or to add to hurtl0cker’s packet trace thought, fire up Wireshark, and see what you’re actually sending / receiving from nmap, too.  It’s a good way to learn, by seeing what your selected options are actually doing, under the covers.

[blueaxis]

Thanks everyone for your advise. I did try the verbose option.

It appears nmap is scanning 192.168.xx.0 ip address multiple times. I didn’t ask nmap to scan that host by the way. Not sure if that is the default behavior.

[SephStorm]

Good learning experiment  😉

[hayabusa]

So, blueaxis…  Let me ask you this, as you think about your nmap question:

What IS that 192.168.xx.0 address?  (As if I don’t know  ;))  Might help you understand the behavior a bit, down the road…

[blueaxis]

It appears that “.0” address would be a broadcast address. Feel free to correct me if that isn’t the case.

[rattis]

.0 is more than likely the network address. network address is the first address in the block, the broadcast is the last.

[SephStorm]

Thats correct, .0 generally represents the default class C network address. Unless the network is subnetted the broadcast address would be .254, right?

[eth3real]

I believe the broadcast address would be 192.168.xx.255

If you wanted to scan your entire subnet (assuming the subnet mask is 255.255.255.0), you could do this:
# nmap 192.168.xx.0/24

happy hacking, nmap is a lot of fun and an amazing asset once you learn it. 🙂

[blueaxis]

Some more updates on this.

This time I made sure wireshark is enabled while performing the nmap scan, to my strangeness 192.168.xx.0 doesn’t show up in the capture. It’s however displayed in the nmap output.

I will try it couple more times today and see if I can spot anything.

[SephStorm]

IMO, Nmap is likely telling you something about the network itself. I havent tried it to see if this is normal, but in any case, you wont see any packets from .0, as it cant be assigned to network devices, nor can the broadcast address.

[idr0p]

My guess if you look at captures.

you are scanning

x.0, x.1,x.2,x.3,x.4

nmap scans
x.1 – gets response
x.2 – gets response
x.3 – gets response
x.4 – gets response
x.0 – (network scan) gets response from x.1,x.2,x.3,x.4
Nmap now goes.. oohh more things to play with so it scans all the ips that respond.
x.1 – gets response
x.2 – gets response
x.3 – gets response
x.4 – gets response

= 9 instances.

[Triban]

@eth3real wrote:

I believe the broadcast address would be 192.168.xx.255

If you wanted to scan your entire subnet (assuming the subnet mask is 255.255.255.0), you could do this:
# nmap 192.168.xx.0/24

unless you come across something like this: 192.168.0.0/27  >:(

Then your broadcast is 192.168.0.31 and network is 192.168.0.1 (I hate you CCNA book but some day I will finish you).

[mambru]

unless you come across something like this: 192.168.0.0/27  Angry

Then your broadcast is 192.168.0.31 and network is 192.168.0.1

This is usually true, there are some cases where the network address works as broadcast tough

http://www.whitehats.ca/main/members/Jeff/gcia_assign_2/gcia_assign_2.html

http://www.netbsd.org/docs/guide/en/chap-net-practice.html#chap-net-practice-kernel-options

[ev0wpnz]

Can you provided us with a screen shot of a copy and paste of the command ran and the output. I think this would be much more helpful in diagnosing this issue.

[Author]

Posts