tinyapps.org / blog


nmap not displaying MAC addresses

This will be obvious to regular nmap users, but Google did not turn up a quick and ready answer for why MAC addresses were not appearing during a ping scan:

    $ nmap -sP 192.168.1.0/24

    Starting Nmap 4.68 ( http://nmap.org ) at 2009-04-03 07:05 HST
    Host 192.168.1.1 appears to be up.
    Host 192.168.1.3 appears to be up.
    Host 192.168.1.6 appears to be up.
    ...
    Nmap done: 256 IP addresses (10 hosts up) scanned in 1.373 seconds

I initially just added &&arp -a | grep -v 'incomplete' to get the MAC addresses, but that was rather inelegant (and slow). Finally I stumbled onto the answer in the nmap book:

The -sP option sends an ICMP echo request and a TCP ACK packet to port 80 by default. When executed by an unprivileged user, only a SYN packet is sent (using a connect call) to port 80 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless --send-ip was specified.

I felt the gentle scolding of Holmes ("One more coruscation, my dear Watson -- yet another brain-wave!") as I realized that most of the nmap examples were from a root prompt - ah!

    $ sudo nmap -sP 192.168.1.0/24
    Password:

    Starting Nmap 4.68 ( http://nmap.org ) at 2009-04-03 07:12 HST
    Host 192.168.1.1 appears to be up.
    MAC Address: 00:18:39:xx:xx:xx (Cisco-Linksys)
    Host 192.168.1.3 appears to be up.
    MAC Address: 00:0D:0B:xx:xx:xx (Buffalo)
    Host 192.168.1.6 appears to be up.
    MAC Address: 00:1F:F3:xx:xx:xx (Apple)
    ...
    Nmap done: 256 IP addresses (10 hosts up) scanned in 4.809 seconds
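
As an added example (not part of the original post), these shell functions turn ping-scan output in the Nmap 4.68 format shown above into an IP/MAC/vendor list and detect the case where no MAC addresses came back. The function names are made up for this example, the sample input is copied from the output above, and the parser assumes that exact line format.

```shell
# Added example; function names are hypothetical, input format is the
# Nmap 4.68 "-sP" output shown in the post.

# Print "IP<TAB>MAC<TAB>VENDOR" for each host; "-" where no MAC line follows.
parse_ping_scan() {
    awk '
        function emit() { if (ip != "") printf "%s\t%s\t%s\n", ip, mac, vendor }
        /^Host .* appears to be up\.$/ {
            emit(); ip = $2; mac = "-"; vendor = "-"; next
        }
        /^MAC Address: / && ip != "" {
            mac = $3
            if ($0 ~ /\(.*\)/) {
                vendor = $0
                sub(/^[^(]*\(/, "", vendor)   # drop everything up to "("
                sub(/\)[^)]*$/, "", vendor)   # drop the closing ")"
            }
            next
        }
        END { emit() }
    '
}

# Exit 0 when no host in the inventory (stdin) has a MAC address, which is
# what the scan run without root privileges produced.
macs_missing() {
    awk -F '\t' '$2 != "-" { found = 1 } END { exit found + 0 }'
}

# Sample input: the privileged scan from the post, truncated to three hosts.
sample_privileged() {
    cat <<'EOF'
Host 192.168.1.1 appears to be up.
MAC Address: 00:18:39:xx:xx:xx (Cisco-Linksys)
Host 192.168.1.3 appears to be up.
MAC Address: 00:0D:0B:xx:xx:xx (Buffalo)
Host 192.168.1.6 appears to be up.
MAC Address: 00:1F:F3:xx:xx:xx (Apple)
EOF
}
# The unprivileged scan is the same host list without the MAC lines.
sample_unprivileged() { sample_privileged | grep -v '^MAC Address:'; }

sample_privileged | parse_ping_scan
if sample_unprivileged | parse_ping_scan | macs_missing; then
    echo "no MAC addresses: rerun the scan as root" >&2
fi
```

With a live scan the input would come from `sudo nmap -sP 192.168.1.0/24 | parse_ping_scan`.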

/nix | Apr 03, 2009

