Nmap can do more than just find open ports; it can actually help you map out your network’s topology, showing you not just hosts, but the links between them.

Let’s say you’ve got a small subnet, 192.168.1.0/24, and you want to see how devices are connected.

sudo nmap -sn -PE -T4 192.168.1.0/24 -oA nmap_scan

This command initiates a ping scan (-sn) using ICMP echo requests (-PE) at a brisk pace (-T4) across your subnet, saving the results in all three output formats (nmap_scan.nmap, nmap_scan.gnmap and nmap_scan.xml). The grepable format is the most convenient for machine processing of host and port state, but MAC addresses, which Nmap learns from ARP when a target sits on the local segment, appear only in the normal and XML files, so that is where we read them from.

Now, let’s parse that output to reveal some basic topology. We’re looking for hosts that are up and their MAC addresses, which are often indicative of local network proximity.

awk '/^Nmap scan report for/ {ip = $NF; gsub(/[()]/, "", ip)} /^MAC Address:/ {print ip, $3}' nmap_scan.nmap

This awk one-liner remembers the address from each "Nmap scan report for" line (stripping the parentheses Nmap adds around the IP when it resolves a hostname) and prints it together with the address on the following "MAC Address:" line. Only hosts that are up get a report, and only hosts on your local segment get a MAC line. You'll see output like this:

192.168.1.1 00:1A:2B:3C:4D:5E
192.168.1.100 00:DE:AD:BE:EF:01
192.168.1.150 00:CA:FE:BA:BE:02

This gives us a list of devices and their MAC addresses. The first three octets (the OUI, e.g., 00:1A:2B) identify the hardware vendor, and the presence of a MAC address at all tells you the host answered ARP, so it shares a physical segment or switched network with the scanner. However, Nmap's topology mapping goes deeper.

To truly see links, we need to leverage Nmap’s traceroute capabilities. This probes routers hop-by-hop to determine the path packets take.

sudo nmap -sS -T4 --traceroute 192.168.1.0/24 -oA nmap_topo_scan

Here, -sS performs a SYN scan and --traceroute enables the hop-by-hop analysis. Nmap's traceroute runs after the port scan and reuses the probe type that reached the target, so it needs a raw-packet scan run as root; it does not work with connect scans (-sT) or idle scans (-sI). The hop list is written to the normal and XML output (nmap_topo_scan.nmap and nmap_topo_scan.xml), not to the grepable file.

Let’s process this to visualize the network path. We’ll look for entries that describe the traceroute hops and then try to infer connections.

awk '/^Nmap scan report for/ {host = $NF; gsub(/[()]/, "", host); in_tr = 0}
     /^TRACEROUTE/ {in_tr = 1; next}
     in_tr && $1 ~ /^[0-9]+$/ {addr = $NF; gsub(/[()]/, "", addr); print host, "hop", $1, addr}' nmap_topo_scan.nmap

This awk script is a bit more involved. It remembers the target address from each "Nmap scan report for" line, switches into traceroute mode when it sees the TRACEROUTE header, and then prints the target, the hop number and the hop's address for every numbered row (a row whose address is "..." is a hop that did not answer). Hop 1 is the gateway router for that host. This isn't a perfect topology builder, since Nmap prints hops it already listed for an earlier target as a single "Hops 1-3 are the same as for ..." line rather than repeating them, but it shows you the gateway router for each host.

For a more explicit link visualization, we can analyze the traceroute output directly. Nmap's traceroute output lists the routers along the path and the round-trip time to each.

Consider this snippet from a traceroute scan:

Nmap scan report for 192.168.1.100
Host is up.

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   1.234 ms  192.168.1.1
2   5.678 ms  10.0.0.1
3   10.111 ms 192.168.50.1
4   15.222 ms 172.16.10.5

Here, 192.168.1.1 is likely your local router. The subsequent IPs (10.0.0.1, 192.168.50.1, 172.16.10.5) represent routers further upstream. By running this scan against multiple hosts, you can start to see which routers are shared paths. If 192.168.1.101 also shows 10.0.0.1 as its second hop, you’ve identified a common upstream router.

The most surprising thing about Nmap’s topology mapping is that its traceroute feature doesn’t just show you the path to a single destination; it reveals the intermediary routers that all hosts on the scan target share. This means you can infer the structure of the network beyond your immediate subnet by looking at which upstream routers are common across multiple hosts.
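To turn several per-host traces into a link list, here is an added example (not code from the original article) that parses Nmap's normal-output (-oN) traceroute section, including the "-   Hops 1-2 are the same as for ..." lines Nmap emits when it collapses hops already shown for an earlier target, and reports which routers lie on the path to more than one target. The input is a constructed two-host capture.

```python
import re
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
HOP_ROW = re.compile(r"^(\d+)\s+[\d.]+ ms\s+(.+)$")                  # "2   5.68 ms  10.0.0.1"
NO_REPLY = re.compile(r"^(\d+)\s+\.\.\.(?:\s+(\d+))?$")             # "2   ..." or "2   ... 4"
SAME_AS = re.compile(r"^-\s+Hops? (\d+)(?:-(\d+))? (?:is|are) the same as for (.+)$")
# Constructed sample (not real scan data): two targets whose paths converge at 10.0.0.1.
SAMPLE = """\
Nmap scan report for 192.168.1.100
TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   1.23 ms  192.168.1.1
2   5.68 ms  10.0.0.1
3   10.11 ms 192.168.50.1
Nmap scan report for 192.168.1.101
TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
-   Hops 1-2 are the same as for 192.168.1.100
3   9.80 ms  172.16.10.5
"""
def parse_traces(text):  # -> {target_ip: {hop_number: hop_ip or None}}
    traces, target, in_trace = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Nmap scan report for"):
            target, in_trace = IPV4.search(line).group(1), False
            traces[target] = {}
        elif line.startswith("TRACEROUTE"):
            in_trace = True
        elif not in_trace:
            continue
        elif m := SAME_AS.match(line):
            # Nmap prints shared hops once; copy them from the earlier target's trace.
            ref = IPV4.search(m.group(3)).group(1)
            for n in range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1):
                traces[target][n] = traces.get(ref, {}).get(n)
        elif m := NO_REPLY.match(line):
            for n in range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1):
                traces[target][n] = None                             # hop did not answer
        elif m := HOP_ROW.match(line):
            traces[target][int(m.group(1))] = IPV4.search(m.group(2)).group(1)
    return traces

def hop_links(traces):  # -> (hop->next-hop edges, routers seen on the path to 2+ targets)
    edges, seen_from = set(), {}
    for target, hops in traces.items():
        path = [hops.get(n) for n in range(1, max(hops, default=0) + 1)]
        for ip in filter(None, path):
            seen_from.setdefault(ip, set()).add(target)
        edges.update((a, b) for a, b in zip(path, path[1:]) if a and b)  # skip unknown hops
    return edges, {ip for ip, t in seen_from.items() if len(t) > 1}
```

Feed it the whole nmap_topo_scan.nmap file and the returned edge set is ready to draw as a graph; the shared set is the list of common upstream routers discussed above.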

This process builds a mental model where you first identify the devices on your local segment (using ARP/MAC addresses from ping scans), and then, by examining traceroute paths, you identify the gateway for each device and the subsequent routers that form the backbone or WAN links. The "levers" you control are the scan types (ping, traceroute), the speed (-T levels), and the output formats, which dictate how much detail you can extract about the network path.

The real power comes when you combine this with Nmap’s service version detection. By scanning for open ports (-sV) after you’ve mapped the topology, you can correlate specific services running on devices with their position in the network hierarchy. For instance, you might find that all devices using a specific upstream router are running the same firmware or pointing to a particular DNS server.

The next logical step after mapping device-to-router links is to understand the protocols and services that those routers themselves are speaking.
