How to Discover All Active Hostnames and IPs on Your LAN Using Nmap: A Comprehensive Guide for Network Administrators


Network scanning is fundamental for administrators to map their LAN environment. The standard tool for this task is nmap, which can identify active IP addresses and, where reverse DNS is set up, their hostnames.

For a quick scan that shows both IPs and hostnames:

nmap -sn 192.168.1.0/24

This performs a ping sweep (-sn) without port scanning. The output will display:

  • Active IP addresses
  • MAC addresses and vendor (only when run as root on the directly attached Ethernet segment, because Nmap then discovers hosts with ARP rather than ICMP)
  • Reverse DNS names, for hosts that responded and have a PTR record

Running as root, and pointing reverse lookups at the LAN's own DNS server (usually the router or DHCP server):

sudo nmap -sn --dns-servers 192.168.1.1 192.168.1.0/24

Parameters explanation:

  • -sn: Ping scan (you will also see the older spelling -sP, which Nmap still accepts as a deprecated alias)
  • --dns-servers: Forces use of the specified DNS server for reverse lookups. Do not point this at a public resolver such as 8.8.8.8: it has no PTR records for private 192.168.x.x addresses, so every hostname would come back empty. Only the internal server knows them.

While nmap is powerful, other options exist:

# Using arp-scan (install from your distro; needs root; works only on the directly attached
# segment, but ARP cannot be filtered by a host firewall, so it finds hosts that drop ping)
sudo arp-scan --localnet --interface=eth0   # use the interface name shown by: ip link

# Using fping for quick detection (-a prints only alive hosts, -g expands the CIDR range)
fping -a -g 192.168.1.0/24 2>/dev/null

Here's a complete workflow with nmap:

# First, identify your interface and subnet (the "inet" line gives the CIDR to scan)
ip addr show

# Then sweep that subnet; use the LAN's own DNS server for reverse lookups, since a public
# resolver has no PTR records for private addresses. As root on the local segment Nmap
# discovers hosts via ARP, so -PE only matters for subnets behind a router.
sudo nmap -sn -PE --dns-servers 192.168.1.1 192.168.1.0/24 -oN lan_scan.txt

# Filter output for just IPs and hostnames. Nmap prints either "Nmap scan report for name (ip)"
# or, with no PTR record, "Nmap scan report for ip", so the IP is always the last field.
awk '/^Nmap scan report for/ { ip=$NF; gsub(/[()]/, "", ip); host=($NF ~ /^\(/) ? $5 : "-"; print ip, host }' lan_scan.txt

For ongoing monitoring, create a bash script:

#!/bin/bash
# Daily sweep; run as root so the XML also carries MAC addresses (ARP discovery).
DATE=$(date +%Y-%m-%d)
nmap -sn 192.168.1.0/24 -oX "scan_$DATE.xml"
# xsltproc renders the XML with the nmap.xsl stylesheet referenced inside it; that file
# must exist on this host (or add --webxml to the nmap command to reference nmap.org's copy).
xsltproc "scan_$DATE.xml" -o "network_report_$DATE.html"
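The XML written by the monitoring script is the format to keep and post-process: Nmap's normal output is meant for humans and its layout is not guaranteed, whereas the XML is stable and is what the "filter output for just IPs and hostnames" step should really read. The script below is an added example, not code from the original page or from the Nmap project. It extracts one "ip mac hostname" line per host that was up, then diffs today's scan against a saved baseline and flags two things a LAN administrator cares about: an address that was never seen before, and a known address that now answers from a different MAC (DHCP churn is benign, a spoofed gateway is not). The two XML documents are constructed samples laid out the way Nmap writes its XML, not captured scans, and parse_nmap_xml, compare_scans and the file paths are names chosen here.

```shell
#!/bin/bash
# Added example, not from the original page: parse Nmap -oX output and
# diff it against a baseline. Sample XML below is constructed, not captured.
set -u

# Print "ip mac hostname" for every host Nmap reported as up.
# mac/hostname fall back to "-" when the scan ran unprivileged (no ARP,
# so no MAC) or no PTR record exists.
parse_nmap_xml() {
    awk '
    /<host[ >]/                 { inhost = 1; state = ""; ip = ""; mac = "-"; host = "-" }
    inhost && /<status /        { match($0, /state="[^"]*"/); state = substr($0, RSTART + 7, RLENGTH - 8) }
    inhost && /addrtype="ipv4"/ { match($0, /addr="[^"]*"/);  ip    = substr($0, RSTART + 6, RLENGTH - 7) }
    inhost && /addrtype="mac"/  { match($0, /addr="[^"]*"/);  mac   = substr($0, RSTART + 6, RLENGTH - 7) }
    inhost && /<hostname /      { match($0, /name="[^"]*"/);  host  = substr($0, RSTART + 6, RLENGTH - 7) }
    /<\/host>/                  { if (state == "up" && ip != "") print ip, mac, host; inhost = 0 }
    ' "$1"
}

# Compare two parsed listings (baseline first, current second).
# NEW         = IP absent from the baseline
# MAC-CHANGED = same IP now answering from a different MAC address
compare_scans() {
    awk '
    NR == FNR      { base[$1] = $2; next }
    !($1 in base)  { print "NEW", $1, $2, $3; next }
    base[$1] != $2 { print "MAC-CHANGED", $1, base[$1] "->" $2, $3 }
    ' "$1" "$2"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_BASELINE="$WORK/baseline.xml"
SAMPLE_CURRENT="$WORK/current.xml"

# Constructed sample: yesterday's scan, two hosts up (MAC addresses are invented).
cat > "$SAMPLE_BASELINE" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sn -oX baseline.xml 192.168.1.0/24" version="7.94">
<host starttime="1" endtime="2"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="AA:BB:CC:00:00:01" addrtype="mac" vendor="Example"/>
<hostnames>
<hostname name="gateway.lan" type="PTR"/>
</hostnames>
</host>
<host starttime="1" endtime="2"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.1.20" addrtype="ipv4"/>
<address addr="AA:BB:CC:00:00:20" addrtype="mac" vendor="Example"/>
<hostnames/>
</host>
</nmaprun>
EOF

# Constructed sample: today's scan. The gateway IP answers from a new MAC,
# an unknown host has appeared, and yesterday's .20 is down (as with -v).
cat > "$SAMPLE_CURRENT" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sn -v -oX current.xml 192.168.1.0/24" version="7.94">
<host starttime="3" endtime="4"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="DE:AD:BE:EF:00:01" addrtype="mac"/>
<hostnames>
<hostname name="gateway.lan" type="PTR"/>
</hostnames>
</host>
<host starttime="3" endtime="4"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.1.77" addrtype="ipv4"/>
<address addr="AA:BB:CC:00:00:77" addrtype="mac"/>
<hostnames/>
</host>
<host starttime="3" endtime="4"><status state="down" reason="no-response" reason_ttl="0"/>
<address addr="192.168.1.20" addrtype="ipv4"/>
</host>
</nmaprun>
EOF

parse_nmap_xml "$SAMPLE_BASELINE" > "$WORK/baseline.txt"
parse_nmap_xml "$SAMPLE_CURRENT"  > "$WORK/current.txt"
compare_scans "$WORK/baseline.txt" "$WORK/current.txt"
```

In daily use the baseline is simply the parsed listing from a scan you have reviewed by hand; store it next to the XML files and re-point it after every approved change. Because the parser keys on Nmap's element and attribute names rather than on line positions, it tolerates the extra elements (times, vendor, down hosts under -v) that appear in real output.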

In every command on this page, replace 192.168.1.0/24 with your actual network range (the "inet" line of ip addr show gives it in CIDR form).

To force hostname resolution for every address in the range:

nmap -sn -R 192.168.1.0/24

By default Nmap only does a reverse lookup for hosts that responded; -R makes it resolve every target, including ones that appear down. Note that --resolve-all is a different option: it applies to forward resolution and makes Nmap scan every IP address a target hostname resolves to, so it does nothing useful when the targets are already a CIDR range.

To see what DNS says about the range without sending a single probe to the hosts:

nmap -sL 192.168.1.0/24

This performs a "list scan": it enumerates every address in the range and prints its reverse DNS name, but does not probe anything, so it cannot tell you which hosts are up. It is useful for auditing PTR records, and for a first look at an unfamiliar range that touches only the DNS server.

When devices block ICMP (ping), use this more comprehensive approach:

sudo nmap -sn -PE -PS21,22,23,80,443,3389 -PU53,67 192.168.1.0/24

This combines multiple discovery techniques; a host counts as up if any one probe draws an answer:

  • -PE: ICMP echo request
  • -PS: TCP SYN ping on common ports (a SYN/ACK or a RST both prove the host is there)
  • -PU: UDP ping on DNS/DHCP ports (an ICMP port-unreachable reply also proves it)

Two caveats. Raw ICMP, SYN and UDP probes need root; run unprivileged, Nmap silently falls back to TCP connect() to ports 80 and 443. And on the directly attached Ethernet segment a privileged Nmap discovers hosts by ARP and ignores these options, which is fine, because a host firewall cannot block ARP; the probe mix above mainly matters for subnets reached through a router, or add --send-ip to force IP-level probes on the local segment.

To save the output for later analysis:

nmap -sn -R 192.168.1.0/24 -oN network_hosts.txt

The -oN option saves results in normal format; use -oX for XML, which is the format to pick when another tool or script will read the results, or -oA basename to write normal, XML and grepable output at once.

If you prefer GUI tools or other command-line alternatives:

  • Angry IP Scanner: Great graphical interface
  • arp-scan: Fast layer 2 discovery tool
  • fping: Rapid ping sweeping utility

For arp-scan example (raw ARP needs root):

sudo arp-scan --localnet

For networks with proper reverse DNS setup:

nmap -sn --dns-servers 192.168.1.1 -R 192.168.1.0/24

Nmap normally queries the servers from /etc/resolv.conf. Naming the LAN's own DNS server explicitly helps when the system resolver points elsewhere (a VPN or a public resolver), because only the internal server holds PTR records for private addresses.

While not strictly about host discovery, adding OS detection can help identify device types:

sudo nmap -O --osscan-limit 192.168.1.0/24

-O needs root (raw packets) and, unlike -sn, port-scans every host first, because the fingerprint is built from responses on open and closed ports. The --osscan-limit option skips hosts that do not have at least one open and one closed TCP port, where fingerprinting would be unreliable anyway, so the sweep finishes sooner and sends less traffic.

Create a bash script to format the output more cleanly (the IP is always the last field of the "Nmap scan report for" line, and the hostname is present only when Nmap printed "name (ip)"):

#!/bin/bash
# -R forces a reverse lookup of every address; run with sudo to also see MAC addresses.
nmap -sn -R 192.168.1.0/24 |
awk '/^Nmap scan report for/ {
    ip = $NF; gsub(/[()]/, "", ip)         # "(192.168.1.5)" -> "192.168.1.5"
    host = ($NF ~ /^\(/) ? $5 : "-"       # no parentheses means no PTR record
    print ip, host }'