Fastest way to scan all hosts that are online

I am looking to find all the hosts that are online in a set of networks.

I would like to find all hosts that are online in the entire network of 170.10.*.* (there are ~64K possible hosts). The network I am trying to scan is an internal local network.

I used the nmap tool. But it takes about 50 mins, which is way too long. Out of the 64K hosts, there are probably only about 20-40 hosts online. But the problem is they may be in any one (or more) of the 256 possible networks.

I am looking for a way to figure this out quickly. I don't think using the ping command will help either, as pinging 64K hosts is not going to be any faster.

I am looking for any alternate solution, perhaps broadcasting ICMP packets directly to all 256 networks or something similar.

Any ideas/suggestions? Thanks.


Solution 1:

Short answer: nmap -sn -T5 --min-parallelism 100 subnet/mask -oG output.file.txt; grep -v Down output.file.txt

Explanation: nmap alone should be able to scan much faster. We'll start by limiting nmap to ping scans with -sP (newer versions replaced -sP with -sn).

From man nmap:

TIMING AND PERFORMANCE:
     Options which take <time> are in seconds, or append 'ms' (milliseconds),
     's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
     -T<0-5>: Set timing template (higher is faster)
     --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
     --min-parallelism/max-parallelism <numprobes>: Probe parallelization
     --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
         probe round trip time.
     --max-retries <tries>: Caps number of port scan probe retransmissions.
     --host-timeout <time>: Give up on target after this long
     --scan-delay/--max-scan-delay <time>: Adjust delay between probes
     --min-rate <number>: Send packets no slower than <number> per second
     --max-rate <number>: Send packets no faster than <number> per second

Time for a little experiment: run more ping scans in parallel with --max-parallelism, and throw caution about being detected to the wind with -T5:

nmap without any options:

% time nmap -sP 192.168.1.0/24 
[...]
nmap -sP 192.168.1.0/24  0.04s user 0.02s system 2% cpu 2.917 total
% time nmap -sP 192.168.1.0/23
[...]
nmap -sP 192.168.1.0/23  0.08s user 0.04s system 0% cpu 37.469 total

nmap with timing options:

% time nmap -T5 --max-parallelism=100 -sP 192.168.1.0/24
[...]
nmap -T5 --max-parallelism=100 -sP 192.168.1.0/24  0.03s user 0.03s system 3% cpu 2.016 total
% time nmap -T5 --max-parallelism=100 -sP 192.168.1.0/23
[...]
nmap -T5 --max-parallelism=100 -sP 192.168.1.0/23  0.11s user 0.02s system 2% cpu 4.869 total

Quite the improvement.

For a /16 subnet scan, as OP asked:

Nmap done: 65536 IP addresses (30 hosts up) scanned in 169.43 seconds
nmap -sP -T5 --min-parallelism 100 --max-parallelism 256 192.168.0.0/16  44.67s user 8.45s system 31% cpu 2:49.44 total

To throw @Dan's suggestion in the mix too, I got bored after hitting 5 minutes with fping still running :-)
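As an added example (not code from the original answer or from the nmap project), here is the "grep -v Down" step of the short answer written as a small POSIX sh parser for the -oG file. Grepable output also contains "# Nmap ..." comment lines, so matching on the Host/Status fields keeps only the addresses nmap actually reported as Up and gives a count to compare against nmap's own "(N hosts up)" summary. The sweep function, the sample file contents and the hostnames in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original answer or the nmap project.
# Parses nmap grepable (-oG) output and prints only hosts reported as Up.
# Assumes POSIX sh and awk; nmap itself is only needed by sweep().

# hosts_up [FILE]: print the address of every host the -oG file (or stdin)
# reports as Up. Each host record is one line of the form:
#   Host: <ip> (<hostname>)<TAB>Status: Up
# Comment lines start with "#", so "grep -v Down" alone would keep them.
hosts_up() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }' "${1:--}"
}

# count_up [FILE]: number of hosts reported Up, for comparing against the
# "(N hosts up)" figure nmap prints in its trailing comment line.
count_up() {
    hosts_up "$1" | wc -l | tr -d ' '
}

# sweep NET: the answer's ping sweep with grepable output sent to stdout
# ("-oG -"), filtered down to the hosts that answered. Assumed wrapper; it is
# not invoked below because it needs nmap and a real network.
sweep() {
    nmap -sn -T5 --min-parallelism 100 -oG - "$1" | hosts_up
}

# Constructed sample in the shape nmap -sn -oG produces; the addresses,
# hostnames and timings are made up, not a real scan result.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Nmap 7.80 scan initiated ... as: nmap -sn -T5 --min-parallelism 100 -oG out.txt 192.168.0.0/16
Host: 192.168.0.1 (gw.lan)	Status: Up
Host: 192.168.0.2 ()	Status: Down
Host: 192.168.3.17 ()	Status: Up
Host: 192.168.200.9 (printer.lan)	Status: Up
# Nmap done at ... -- 65536 IP addresses (3 hosts up) scanned in 169.43 seconds
EOF

echo "hosts up: $(count_up "$SAMPLE")"
hosts_up "$SAMPLE"
```

Run it as "sh hosts_up.sh"; on a real sweep, replace the sample with "sweep 192.168.0.0/16" (or pass your own -oG file to hosts_up). If count_up disagrees with the "(N hosts up)" summary nmap wrote, the file was truncated or mixed with output from another run.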