$ nmap -sP 192.168.1.0/24 Starting Nmap 4.68 ( http://nmap.org ) at 2009-04-03 07:05 HST Host 192.168.1.1 appears to be up. Host 192.168.1.3 appears to be up. Host 192.168.1.6 appears to be up. ... Nmap done: 256 IP addresses (10 hosts up) scanned in 1.373 secondsI initially just added &&arp -a | grep -v 'incomplete' to get the MAC addresses, but that was rather inelegant (and slow). Finally I stumbled onto the answer in the nmap book:
The -sP option sends an ICMP echo request and a TCP ACK packet to port 80 by default. When executed by an unprivileged user, only a SYN packet is sent (using a connect call) to port 80 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless --send-ip was specified.I felt the gentle scolding of Holmes ("One more coruscation, my dear Watson ---- yet another brain-wave!") as I realized that most of the nmap examples were from a root prompt - ah!
$ sudo nmap -sP 192.168.1.0/24 Password: Starting Nmap 4.68 ( http://nmap.org ) at 2009-04-03 07:12 HST Host 192.168.1.1 appears to be up. MAC Address: 00:18:39:xx:xx:xx (Cisco-Linksys) Host 192.168.1.3 appears to be up. MAC Address: 00:0D:0B:xx:xx:xx (Buffalo) Host 192.168.1.6 appears to be up. MAC Address: 00:1F:F3:xx:xx:xx (Apple) ... Nmap done: 256 IP addresses (10 hosts up) scanned in 4.809 seconds
/nix | Apr 03, 2009