Host discovery is the step where Nmap checks which devices are alive on a network—without scanning ports. This helps map out the network and avoid wasting time scanning offline machines.
Basic Host Discovery
nmap -sn 192.168.1.0/24
This tells Nmap to skip port scans and only show which hosts are online in the entire subnet.
nmap -sn 192.168.1.15
The above example will scan a single IP address without scanning any ports on the target.
nmap 192.168.1.23-100
This example will scan targets where the host octet goes from 23 to 100. Because there is no -sn, Nmap also runs its default port scan against every host it finds alive, so this is a full scan rather than host discovery alone.
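As an added example that is not part of the original page, here is a small Python parser for the normal output of `nmap -sn` that turns the live-host list into an inventory check: any host that answered a discovery probe but is missing from a known-asset list is flagged for follow-up. The sample scan output and the asset list are constructed, and the parser assumes IPv4 targets.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `nmap -sn 192.168.1.0/24` normal output (not a real scan).
SAMPLE_OUTPUT = """\
Nmap scan report for router.lan (192.168.1.1)
Host is up (0.0012s latency).
MAC Address: AA:BB:CC:00:00:01 (Unknown)
Nmap scan report for 192.168.1.15
Host is up (0.0450s latency).
MAC Address: AA:BB:CC:00:00:02 (Unknown)
Nmap scan report for 192.168.1.77
Host is up (0.0031s latency).
MAC Address: AA:BB:CC:00:00:03 (Unknown)
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.31 seconds
"""
# Constructed asset inventory: the IPs a defender expects to see on this subnet.
KNOWN_ASSETS: Dict[str, str] = {"192.168.1.1": "router.lan", "192.168.1.15": "workstation-01"}
REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?$")
UP_RE = re.compile(r"^Host is up\b")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")
DONE_RE = re.compile(r"^Nmap done: \d+ IP address(?:es)? \((\d+) hosts? up\)")

@dataclass
class LiveHost:
    ip: str
    hostname: Optional[str] = None
    mac: Optional[str] = None  # present only for LAN targets (ARP-based discovery)

def parse_sn_output(text: str) -> List[LiveHost]:
    """Collect every host Nmap reported as up, with its hostname and MAC if shown."""
    hosts: List[LiveHost] = []
    current: Optional[LiveHost] = None
    for line in text.splitlines():
        if m := REPORT_RE.match(line):
            current = LiveHost(ip=m.group(2), hostname=m.group(1))
        elif current and UP_RE.match(line):
            hosts.append(current)  # only hosts that answered a probe get this line
        elif current and (m := MAC_RE.match(line)):
            current.mac = m.group(1).upper()
        elif m := DONE_RE.match(line):
            # The summary count must agree with what we parsed, else output was truncated.
            if int(m.group(1)) != len(hosts):
                raise ValueError("host count in summary does not match parsed hosts")
    return hosts

def unknown_hosts(hosts: List[LiveHost], inventory: Dict[str, str]) -> List[LiveHost]:
    """Live hosts missing from the inventory: candidates for a rogue-device alert."""
    return [h for h in hosts if h.ip not in inventory]
```

Feeding the real output of the `-sn` scan above into `parse_sn_output` and diffing against an up-to-date asset list is a cheap way to notice a device that appeared on the LAN without anyone registering it.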
Scan Methods & When to Use Them
Nmap uses different probes to detect live hosts. Each has strengths depending on the environment.
Method | Flag | How It Works | Best For |
---|---|---|---|
ICMP Echo | -PE | Sends ping (like ping command) | Open networks without ping restrictions |
ARP Scan | -PR | Sends ARP request to get MAC | Local LAN scans (very reliable) |
TCP SYN Ping | -PS | Sends TCP SYN to selected ports | Networks where ICMP is blocked |
TCP ACK Ping | -PA | Sends TCP ACK to selected ports | Firewall behavior testing |
UDP Ping | -PU | Sends empty UDP packet to a port | Less common, can bypass some firewalls |
Combined Probes | Multiple | Uses ICMP + TCP/UDP | Stealthier scans or complex environments |
Choosing the Right Method
Each network behaves differently, so here’s how to decide:
- LAN (home or office) → ARP scan (default for local scans)
- Cloud or external servers → ICMP or TCP SYN (-PE, -PS)
- ICMP blocked → Use -PS or -PA to send TCP-based probes
- Bypassing firewalls → Mix UDP and TCP (-PU, -PS)
- Stealthier scan → Avoid -PE, rely on -PS to common ports (like 80, 443)
Here’s How Each Works:
-PS (TCP SYN Ping)
Sends a TCP SYN packet to one or more specified ports. If the host responds with a SYN-ACK or RST, it’s considered up.
nmap -sn -PS22,80,443 192.168.1.0/24
Used when:
- ICMP is blocked
- You want to check common TCP ports (e.g., 80 for HTTP)
-PA (TCP ACK Ping)
Sends a TCP ACK packet instead of a SYN. An unfiltered host answers an unexpected ACK with a RST whether the port is open or closed, so a RST (or an ICMP error) is enough to mark the host as alive.
nmap -sn -PA80 192.168.1.0/24
Used for:
- Firewalls that don’t block ACKs
- Understanding firewall behavior
-PU (UDP Ping)
Sends a UDP packet to a given port. If the port is closed, the host usually responds with an ICMP “port unreachable” message, which confirms it’s online.
nmap -sn -PU53 192.168.1.0/24
Used when:
- You want to test UDP reachability
- The host might respond over a known open UDP port (like 53 for DNS)
Why -PE Doesn’t Need a Port
ICMP Echo (what -PE uses) is the same as what the standard ping command sends. It’s a layer 3 protocol and doesn’t use ports at all—it goes directly to the IP layer.
That means:
- There’s no concept of ports in ICMP Echo
- You’re simply checking if the host replies to a ping
So this command:
nmap -sn -PE 192.168.1.0/24
Tells Nmap:
- “Do a host discovery scan” (-sn)
- “Use ICMP Echo Request” (-PE)
- “Scan this subnet”
Nmap will send ICMP packets to each IP and look for ICMP Echo Replies to see which devices are online.