NMAP Output

Posted on 2005-04-18
Last Modified: 2013-12-04

Hello. Can anyone explain what this means when running NMAP scan to an ip range?

Host seems to be a subnet broadcast address (returned 18 extra pings). Note -- the actual IP also responded.

I can grasp that etc is a device. But what is .0 and what is "return 18 extra pings"?

Thank you. cee
Question by:ceeweb
    LVL 51

    Assisted Solution

    by:ahoffmann is a network not host IP, is the forst host IP in that network

    > returned 18 extra pings
    nmap detected in that network at least 18 unique host IPs

    Author Comment


    Hello ahoffmann, I understand that .1 is a host. I'm curious at the output, it's not an important problem. Just trying to learn.

    The output was from 0-10, ie scanning 10 hosts and there's around 80 odd hosts on the netowrk. I'm still confused what 18 extra pings means?

    thank you. cee
    LVL 51

    Expert Comment

    I guess you used nmap's -sS or -sT option, then your network, in particular the routers, are configured to return "ICMP host unreachable"for unknown IPs. If you care about the "extra pings" then try with option -PI
    LVL 7

    Accepted Solution

    The first and last IP of a subnet are reserved.  The first IP is the network address and the last IP is the broadcast address.  On many networks, the network address will also act as a broadcast address.

    If you have a typical "class C", or /24, network (denoted by netmask then the first IP will be .0 (network address), first usable IP will be .1, and last IP will be .255 (broadcast address).

    When you send packets, e.g. pings, to a broadcast address, it will be received by all the hosts on the subnet, and they will all respond.

    nmap is reporting that when it sent the ping packet to .0, it received more than one reply... 18 more replies than it expected.  If it had only received one reply, even if it's from a different IP than it pinged, it would still be one request, one reply.  Since there's 18 extra replies, it's telling you that, and indicating that it may be a broadcast address.  At least one hosts did also respond to the IP of .0, hence the "Note -- the actual IP also responded."

    Individual systems may choose to ignore broadcast packets, and as such, pinging a broadcast address is not a reliable method of finding all systems... but it can be useful.

    Expert Comment

    It is worth noting that you'll only get this message if you are allowing nmap to ping servers to see if they are available before it runs the scan. You often find that machines do not have ping enabled, so you get better results if you use -P0 to disable the ping. This will have the side effect of stopping the message you refer to.

    LVL 7

    Expert Comment

    Disabling ping will also prevent O/S fingerprinting from work, and may result in waiting for results from a non-existant host.  Everything has a caveat. :)

    Featured Post

    Find Ransomware Secrets With All-Source Analysis

    Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

    Join & Write a Comment

    Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
    Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
    Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
    how to add IIS SMTP to handle application/Scanner relays into office 365.

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now