How to troubleshoot your network with Nmap
Learn how to use Nmap scans to check if systems are online and find problems in your network.
Expert troubleshooting skills are a must for sysadmins. Understanding how to identify and resolve problems that you come across is crucial to creating the best resolutions. Tools help you be successful in the quest for answers. Nmap is a helpful tool for security and IT professionals.
Without knowing which network ports are open, you cannot assess a system's security. System administrators use Nmap to check whether systems are online and to find problems in their network. It can also fingerprint operating systems and service versions, confirm whether a service is actually listening, exercise embedded network stacks, and reveal hosts that are generating unexpected traffic.
Install Nmap
There are a few ways to install Nmap on Linux. With recent distributions, it is pretty simple to install. For example, on Red Hat Enterprise Linux, Fedora, and similar distributions, type:
$ sudo dnf install nmap
The most recent releases and the source code are always available from the Nmap project's site, Insecure.org, but most distributions already package it, so the distribution's package is usually the simplest route.
Next, I'll review some common ways system administrators use Nmap.
Run a default scan
Once you have Nmap installed and you've chosen your target, it's pretty straightforward from there. Here is a default scan:
$ nmap scanme.nmap.org
In the output, the leftmost column shows the port number and protocol (22/tcp, 80/tcp, and so on), followed by the port state and a service name. Be aware that on a default scan the SERVICE column is a lookup of the port number in Nmap's nmap-services table, not the result of talking to the service: port 80 is labelled http even if something else is listening there. To learn what is actually running and which version it reports, you must run a service version scan.
Do a service version scan
Add the -sV flag to run a service version scan. Nmap then sends application-layer probes to each open port and reports the product and version string the service announces (for example, the OpenSSH or Apache httpd release). This is far more useful for a security assessment than the port-number lookup alone, because vulnerabilities are tied to specific software versions. Two caveats: version probes generate noticeably more traffic than a plain port scan, and the banner is supplied by the remote host, so treat it as a claim to confirm rather than proof of the exact patch level. Many distributions backport security fixes without changing the advertised version, and a banner can be edited to say anything.
Note that Nmap does not probe every port. By default it scans the 1,000 TCP ports that are most commonly open, ranked by frequency in Nmap's nmap-services data, so the set is not simply ports 1-1000. Ports in the most common state (usually closed or filtered) are collapsed into a single "Not shown: ..." line to keep the output readable. To cover more of the port space, use --top-ports <n> for the n most common ports or -p- for all 65,535, which is what you want when looking for a service parked on an unusual high port.
Log scans
Viewing scan output on the terminal is fine for a quick check, but longer-term assessments and very long scans call for logging.
Nmap supports three logging formats: normal (.nmap, the same text you see on screen), XML (.xml, for parsers and tools that import Nmap results), and grepable (.gnmap, one line per host, designed for grep and awk). Each has its own flag (-oN, -oX, -oG), but the -oA flag writes all three at once using the basename you give it, so the following produces logbase.nmap, logbase.xml, and logbase.gnmap:
$ nmap scanme.nmap.org -oA logbase
$ grep open logbase.nmap
Specify scan ranges
Many sysadmins run services on high ports so that a casual scan misses them. Security through obscurity is weak protection, though, and a full port scan finds such services anyway. To check particular ports, specify them with the -p flag.
For example, if you only want to scan port 80 on scanme.nmap.org, you can enter:
$ nmap -p 80 scanme.nmap.org
The flag accepts ranges and comma-separated lists as well. For example, to scan ports 1-1024, which covers the privileged ports, use:
$ nmap -p 1-1024 scanme.nmap.org
Another option to consider is the --reason flag, which reports why Nmap classified each port as it did. For example, it may show that a port was marked open because the target answered Nmap's SYN probe with a SYN-ACK: the host is completing a three-way handshake, which verifies that something is listening. A RST reply means the port is closed, and no reply at all (or an ICMP unreachable message) means a firewall is filtering it.
Now that I've covered how to run Nmap on multiple ports, I'll discuss how to detect the host target using various methods, scan devices attempting to hide, and more.
Detect host targets
Because so many people attempt to hide their hosts from the internet, it's important to identify if hosts are online or offline. Nmap has several ways to determine this.
The easiest way is a ping sweep. You could run the ping command host by host, but Nmap sweeps a whole network range far more efficiently. Use the -sn flag for host discovery only. It sends Nmap's host-discovery probes (as root, an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request; as an unprivileged user, TCP connects to ports 80 and 443) without a port scan, and reports which hosts answered.
Sometimes you need to take the scan further. As mentioned previously, some system administrators hide their systems from the internet by dropping ping requests at the firewall. Fortunately, Nmap can skip host discovery entirely, which the next section covers.
Run a ping agnostic scan
A normal Nmap scan performs host discovery first and then port-scans only the hosts that responded, on the ports you specified. A host that silently drops the discovery probes is reported as down and is never port-scanned, even though it is online. The -Pn flag skips host discovery and scans every target as if it were up. This takes longer, especially on ranges with many unused addresses, because each one is scanned in full, but it catches the hosts the sweep missed. Adding -n disables reverse-DNS lookups, which saves time and avoids sending DNS queries about the target. Run it with:
$ nmap -Pn -n scanme.nmap.org
The -sL flag is also handy: it performs a list scan, which only expands the target specification and does a reverse-DNS lookup for each address, without sending a single packet to the targets. It does not tell you which hosts are up, but it is a quick way to check which addresses a range or CIDR block expands to, and what names they resolve to, before committing to a real scan:
$ nmap 1.1.1.1 -sL
Another useful feature is the TCP SYN ping. Instead of ICMP, -PS<portlist> treats a host as online if it answers a SYN on the given port, with either a SYN-ACK or a RST (either reply proves a host is there). For example, when scanning an IP block that normally runs web servers, -PS80 marks hosts as up as long as port 80 answers. The port list is attached to the flag with no space; written as -PS 80, Nmap would read 80 as a separate target.
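The grepable log from the logging section above and the discovery workflow just described fit together: sweep a range with -sn, pull the live hosts out of the .gnmap output, then rescan only those with -Pn and -sV. The script below is an added example written for this article, not code from the original page or from the Nmap project. It parses the grepable format with awk. So that it runs offline, it embeds a constructed .gnmap sample: the 192.0.2.0/29 hosts (a documentation address range), the version strings and the timings are made up, but each line follows Nmap's real grepable layout. The function names gnmap_up_hosts and gnmap_open_ports are mine.

```shell
#!/bin/sh
# Added example for this article (not from the original page or the Nmap project):
# parse Nmap's grepable output (-oG, or the .gnmap file written by -oA) with awk.
# The sample below is constructed: the 192.0.2.0/29 hosts, versions and timings
# are made up, but each line follows Nmap's real grepable layout, which is
#   Host: <ip> (<name>)<TAB>Status: Up
#   Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...<TAB>Ignored State: closed (N)
# printf %b turns the \t escapes into the real tab characters Nmap emits.
SAMPLE_GNMAP=$(printf '%b\n' \
  '# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oA logbase scanme.nmap.org 192.0.2.0/29' \
  'Host: 45.33.32.156 (scanme.nmap.org)\tStatus: Up' \
  'Host: 45.33.32.156 (scanme.nmap.org)\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.7 ((Ubuntu))/, 9929/open/tcp//nping-echo//Nping echo/, 31337/open/tcp//tcpwrapped///\tIgnored State: closed (996)' \
  'Host: 192.0.2.1 ()\tStatus: Up' \
  'Host: 192.0.2.1 ()\tPorts: 443/open/tcp//https//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (998)' \
  '# Nmap done at Mon Jan  1 00:00:05 2024 -- 9 IP addresses (2 hosts up) scanned in 5.00 seconds')

# Print the address of every host that answered host discovery, one per line.
# Reads grepable output on stdin. Only "Status: Up" lines are kept, so the
# port-scan line for the same host is not counted a second time.
gnmap_up_hosts() {
  awk -F'\t' '$1 ~ /^Host: / && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# Print one line per open port as "<ip> <port>/<proto> <service> <version>".
# Ports Nmap reported as closed or filtered are dropped. This is the per-port
# equivalent of the "grep open" on the .nmap file shown earlier in the article.
gnmap_open_ports() {
  awk -F'\t' '
    $1 ~ /^Host: / && $2 ~ /^Ports: / {
      split($1, h, " "); ip = h[2]
      sub(/^Ports: /, "", $2)
      n = split($2, ports, ", ")
      for (i = 1; i <= n; i++) {
        # Field order inside each port entry is fixed by Nmap: port, state,
        # protocol, owner, service, rpc info, version. Nmap escapes any slash
        # inside the version string as "|" in grepable output, so splitting
        # on "/" is safe.
        split(ports[i], f, "/")
        if (f[2] != "open") continue
        line = ip " " f[1] "/" f[3] " " f[5]
        if (f[7] != "") line = line " " f[7]
        print line
      }
    }'
}

# Demo on the constructed sample.
echo "Hosts up:"
printf '%s\n' "$SAMPLE_GNMAP" | gnmap_up_hosts
echo "Open ports:"
printf '%s\n' "$SAMPLE_GNMAP" | gnmap_open_ports

# Real-world use (not run here, needs nmap and a network): sweep the range,
# keep only hosts that answered, then version-scan those with discovery skipped.
#   nmap -sn -n -oG - 192.0.2.0/24 | gnmap_up_hosts > up.txt
#   nmap -Pn -n -sV -iL up.txt -oA full
```

The -oG - form writes grepable output to stdout so it can be piped straight into the parser, and -iL reads the target list from a file (or from stdin with -iL -). Hosts that never answered discovery will still not be in up.txt, so for the targets you care most about, run the -Pn scan against the whole range rather than the filtered list and accept the extra time.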
Wrap up
Nmap is a powerful tool for most system administrators. Various ways to utilize the tool allow admins to work more quickly and efficiently. The better use you make of your troubleshooting skills, the quicker you will resolve issues effectively.
Topics:
Linux administration
Troubleshooting
Gabrielle Stenzel
I currently work as a Cloud Support Supervisor for Acronis. I have worked with Linux and open source tools for a decade, constantly wanting to make new resolutions for obstacles and always training others on improving systems as a systems administrator.