
How to troubleshoot your network with Nmap

Learn how to use Nmap scans to check if systems are online and find problems in your network.

Expert troubleshooting skills are a must for sysadmins. Understanding how to identify and resolve problems that you come across is crucial to creating the best resolutions. Tools help you be successful in the quest for answers. Nmap is a helpful tool for security and IT professionals.

Without understanding what network ports are open, it would be impossible to assess a system's security. System administrators use Nmap to check if systems are online and help discover any problems in their network. You can also detect operating system versions, determine whether services are online, test embedded network stacks, and even identify aggressive network traffic.


Install Nmap

There are a few ways to install Nmap on Linux. With recent distributions, it is pretty simple to install. For example, on Red Hat Enterprise Linux, Fedora, and similar distributions, type:

$ sudo dnf install nmap

The latest releases are always available as source from Insecure.org, but many distributions already ship Nmap installed and ready to use.

Next, I'll review some common ways system administrators use Nmap.

Run a default scan

Once you have Nmap installed and you've chosen your target, it's pretty straightforward from there. Here is a default scan:

$ nmap scanme.nmap.org

In the output you receive, the leftmost column displays the port number and protocol (for example, 22/tcp, 80/tcp, and so forth). This scan shows whether the port is open and what service is using it. Nmap can display more detailed information, such as the service version, but you must specify a service version scan to identify the actual service version.

Do a service version scan

Add the -sV flag to run a service version scan. The output will provide more details, like the patch versions of the services. This information is incredibly helpful for security assessments. Vulnerabilities are found in specific software versions, so having these granular details is beneficial from a defensive standpoint.

It's important to note that Nmap does not show all open and closed ports; by default, it scans only the top 1,000 ports because listing everything clutters the output. You can increase the verbosity of the scan to show these details. The top ports are not necessarily the first 1,000 port numbers but rather the ones most commonly found open.

Log scans

Viewing the scan output is helpful, but what about longer-term assessments? Or for crazy long scans? That's where logging comes in.

Nmap supports three different logging formats: .xml, .nmap, and .gnmap (grepable Nmap). Each format has its own output flag, but you can simply use the -oA flag to write all three at once. It saves all three files with the base name you give it:

$ nmap scanme.nmap.org -oA logbase

$ cat logbase.nmap | grep open
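As an added example, not part of the original article, here is a small POSIX shell script that parses the grepable logbase.gnmap file that -oA writes and lists only the open ports with their service and version, which is more precise than grepping the .nmap file. It embeds a constructed sample of grepable output (fake host 192.0.2.10) so it runs without nmap or network access.

```shell
#!/bin/sh
# Added example (not from the article): parse the grepable .gnmap file that
# `nmap -oA logbase` writes and list every port reported as open, with its
# service and version. The sample data is CONSTRUCTED to mimic grepable
# output, not a real capture, so this runs without nmap installed.

# write_sample_gnmap FILE: write a constructed one-host .gnmap file.
write_sample_gnmap() {
  t=$(printf '\t')   # .gnmap separates the Host/Ports/Ignored State fields with tabs
  ports='22/open/tcp//ssh//OpenSSH 6.6.1p1/, 80/open/tcp//http//Apache httpd 2.4.7/, 9929/open/tcp//nping-echo//Nping echo/, 31337/filtered/tcp//Elite///'
  {
    printf '# Nmap scan initiated (constructed sample) as: nmap -sV -oA logbase 192.0.2.10\n'
    printf 'Host: 192.0.2.10 (scanme.example)%sStatus: Up\n' "$t"
    printf 'Host: 192.0.2.10 (scanme.example)%sPorts: %s%sIgnored State: closed (996)\n' "$t" "$ports" "$t"
    printf '# Nmap done (constructed sample)\n'
  } > "$1"
}

# open_ports FILE: print "host port/proto service version" for each open port.
# Each Ports entry is port/state/proto/owner/service/rpcinfo/version/, so
# splitting on "/" gives the state in field 2 and the version in field 7.
open_ports() {
  awk -F'\t' '
    /^Host:/ && /Ports:/ {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) ports = substr($i, 8)
      n = split(ports, p, ", ")
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")
        if (f[2] == "open") print host, f[1] "/" f[3], f[5], f[7]
      }
    }' "$1"
}

# Run directly: build the constructed sample in a temp file and parse it.
sample=$(mktemp)
write_sample_gnmap "$sample"
open_ports "$sample"
rm -f "$sample"
```

Point open_ports at a real logbase.gnmap to get the same host/port/service/version listing for your own scans; filtered and closed ports are skipped.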

Specify scan ranges

Many sysadmins run services on high ports so that they are not detected through normal scans. But security through obscurity isn't the best way to go about it. To detect hosts on particular ports, specify a port with the -p flag.

For example, if you only want to scan port 80 on scanme.nmap.org, you can enter:

$ nmap -p 80 scanme.nmap.org

This flag works for port ranges as well. So, for example, if you want to scan all privileged ports (1-1024), you can use:

$ nmap -p 1-1024 scanme.nmap.org


Another choice to consider is the --reason flag. You can use this to see how Nmap reached its conclusions about each port. For example, it may show a SYN-ACK response to a SYN request: the service is completing the TCP three-way handshake, which confirms that something is listening on that port.

Now that I've covered how to run Nmap on multiple ports, I'll discuss how to detect the host target using various methods, scan devices attempting to hide, and more.

Detect host targets

Because so many people attempt to hide their hosts from the internet, it's important to identify if hosts are online or offline. Nmap has several ways to determine this.

The easiest way is to run a ping sweep. You can run the ping command; however, running a sweep with Nmap allows for greater efficiency by using a larger network scope. You can use the -sn flag to run a ping-only sweep. Since it only runs ping and not a full port scan, it will show which hosts are online or offline.

Sometimes you may need to take the scan a bit further. As mentioned previously, some system administrators hide their systems from the internet by ignoring ping requests. Fortunately, Nmap supports an agnostic option for scanning systems, which the next section covers.

Run a ping agnostic scan

Normal Nmap scans run a ping sweep first and then check the specified ports (based on the ranges provided). If hosts do not respond to a ping, those systems will not be fully scanned, even if they are online. You can skip the ping sweep with the -Pn flag to run a full scan. This scan generally takes longer to run, but in the end, it helps identify hosts that were missed originally. Run this scan with (the -n flag additionally skips DNS resolution):

$ nmap -Pn -n scanme.net

It's also useful to use the -sL flag, which runs a list scan of the target ranges. This is handy for reverse DNS lookups and to enumerate the hosts that fall within a specified range:

$ nmap 1.1.1.1 -sL

There is another useful feature of Nmap: a TCP SYN ping scan. In place of an ICMP ping, the TCP SYN ping treats the target host as online if it responds to a SYN request on a specific port. For example, when scanning an IP block that normally runs web servers, using -PS80 reports the hosts as online, so long as they respond on port 80.

Wrap up

Nmap is a powerful tool for most system administrators. Its many scan options let admins work more quickly and efficiently. The better you apply your troubleshooting skills, the quicker you will resolve issues effectively.


Gabrielle Stenzel

I currently work as a Cloud Support Supervisor for Acronis. I have worked with Linux and open source tools for a decade, constantly wanting to make new resolutions for obstacles and always training others on improving systems as a systems administrator.
