The most surprising thing about Nmap’s ping sweep is that it is not really about "pinging" in the traditional ICMP Echo Request/Reply sense. It is a multi-protocol probe that determines host liveness: whether anything at an address answers at all.

Let’s see it in action. Imagine you’ve got a network segment, say 192.168.1.0/24, and you want to know which IPs are active. You’d run:

nmap -sn 192.168.1.0/24

Nmap starts by sending out a variety of probes. By default, for a privileged user (root/administrator), it’ll try:

  1. ICMP Echo Request: The classic ping. If the target responds with an ICMP Echo Reply, it’s alive.
  2. TCP SYN to port 443: If it receives a TCP SYN/ACK, the port is open and the host is listening. This is a "stealthy" way to check, as it never completes the handshake.
  3. TCP ACK to port 443: If it receives a TCP RST, it indicates the port is closed, but more importantly, the host responded. This is another way to confirm liveness.
  4. UDP to port 31338: If it receives an ICMP Port Unreachable message, the host is alive but the port is closed. If it receives any UDP response at all (even junk), it’s alive. If it gets no response, the result is inconclusive: the host might still be alive, with the probe or its reply dropped on the way.

Nmap combines the results of these probes. If any of these probes elicit a response, Nmap marks the host as "up." This multi-protocol approach is key because firewalls often block ICMP but allow TCP or UDP traffic.

The -sn flag (formerly -sP) tells Nmap to perform a "ping scan" and skip port scanning. It’s purely for host discovery.

The Problem It Solves: Network administrators and security professionals need to know which IP addresses are currently in use on a network. This is fundamental for inventory, vulnerability assessment, and incident response. Manually checking each IP is impractical.

How It Works Internally: Nmap constructs these probes based on the target IP and the chosen scan type. It then sends them out, typically in parallel to speed things up. It maintains a list of targets and a timer for each. When a response is received, the target is marked as "up" and removed from the list of targets needing further probing. If a target doesn’t respond after a certain timeout (which Nmap dynamically adjusts), it’s marked as "down."
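To make the "any response marks the host up" rule and the retry loop concrete, here is a small model of that decision logic. It is an added example written for this article, not code from Nmap; the probe names (`icmp-echo`, `tcp-syn:443`, ...), the reply names, the `discover` function and the `simulated_network` responder are all assumptions of the example, and no packets are sent. The point it shows is which probe ends up revealing each host when a firewall drops some protocols but not others, including the case where a RST to a closed port is what gives a host away.

```python
from typing import Callable, Dict, Iterable, Optional, Tuple

# The four default probes the text lists for a privileged user. Probe names are
# an assumption of this example ("kind:port"), not Nmap's own identifiers.
DEFAULT_PROBES: Tuple[str, ...] = ("icmp-echo", "tcp-syn:443", "tcp-ack:443", "udp:31338")

# Which replies count as proof of life for each probe kind. A RST to a SYN or
# ACK, and an ICMP port-unreachable to a UDP datagram, both mean
# "port closed, but the host is there".
SIGNS_OF_LIFE: Dict[str, set] = {
    "icmp-echo": {"icmp-echo-reply"},
    "tcp-syn": {"tcp-syn-ack", "tcp-rst"},
    "tcp-ack": {"tcp-rst"},
    "udp": {"udp-data", "icmp-port-unreachable"},
}

Responder = Callable[[str, str], Optional[str]]


def is_sign_of_life(probe: str, response: Optional[str]) -> bool:
    """True when `response` to `probe` proves the target host is reachable."""
    kind = probe.split(":", 1)[0]
    return response is not None and response in SIGNS_OF_LIFE[kind]


def discover(targets: Iterable[str], send: Responder,
             probes: Tuple[str, ...] = DEFAULT_PROBES,
             max_retries: int = 3) -> Dict[str, Tuple[str, Optional[str]]]:
    """Model of the scheduler described above: the whole probe set is sent, the
    first reply that is a sign of life marks the host "up" and stops further
    probing of it, and a host that stays silent through the initial round plus
    `max_retries` retransmissions is marked "down". Returns host -> (verdict,
    probe that revealed it). Nmap works in parallel; this loops per host."""
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    for host in targets:
        verdict: Tuple[str, Optional[str]] = ("down", None)
        for _attempt in range(1 + max_retries):
            hit = next((p for p in probes if is_sign_of_life(p, send(host, p))), None)
            if hit is not None:
                verdict = ("up", hit)
                break
        results[host] = verdict
    return results


def simulated_network(host: str, probe: str) -> Optional[str]:
    """Constructed stand-in for the wire (nothing is transmitted). Each host
    models a filtering policy a defender might find on a real segment."""
    kind = probe.split(":", 1)[0]
    if host == "192.168.1.1":      # unfiltered host: answers every probe
        return {"icmp-echo": "icmp-echo-reply", "tcp-syn": "tcp-syn-ack",
                "tcp-ack": "tcp-rst", "udp": "icmp-port-unreachable"}[kind]
    if host == "192.168.1.20":     # firewall drops ICMP and UDP; TCP stack still answers with RST
        return {"tcp-syn": "tcp-rst", "tcp-ack": "tcp-rst"}.get(kind)
    if host == "192.168.1.40":     # only the ICMP port-unreachable for UDP escapes the filter
        return "icmp-port-unreachable" if kind == "udp" else None
    return None                    # 192.168.1.30 and everything else: drops all probes


if __name__ == "__main__":
    segment = ["192.168.1.1", "192.168.1.20", "192.168.1.30", "192.168.1.40"]
    for ip, (state, via) in discover(segment, simulated_network).items():
        print(f"{ip:15} {state:4} {'revealed by ' + via if via else 'no reply after retries'}")
```

Run it and the output line for 192.168.1.20 is the one worth noticing: blocking ICMP at the firewall did nothing to hide the host, because its TCP stack still answered the SYN with a RST. Only 192.168.1.30, which drops every probe, ends up "down".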

Levers You Control:

  • --max-retries: How many times Nmap will retransmit a probe if no response is received. Default is 3.
  • --host-timeout: Maximum time Nmap will spend on a single host. If it doesn’t get a response by then, it gives up on that host. Default is 10 minutes.
  • -T<0-5> (Timing Template): Controls the speed and aggressiveness. -T0 (paranoid) is very slow and stealthy, sending one packet at a time and waiting for replies. -T4 (aggressive) is common for fast scans on reliable networks. -T5 (insane) is even faster but can overwhelm networks or miss hosts.
  • -PS<portlist>: Explicitly probe with TCP SYN packets to the listed ports. There is no space between -PS and the list. Example: -PS80,443.
  • -PA<portlist>: Explicitly probe with TCP ACK packets. Example: -PA22,80.
  • -PU<portlist>: Explicitly probe with UDP packets. Example: -PU53,161.
  • -PE: Explicitly use ICMP Echo Request (the default for privileged users).
  • -PP: Explicitly use ICMP Timestamp Request.
  • -PM: Explicitly use ICMP Netmask Request.
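These levers are usually combined on one command line and the result fed into an inventory. The following is an added example, not code from the article or from the Nmap project: it assembles the argument vector from the options above (so the no-space -PS/-PA/-PU syntax is never typed wrong), parses Nmap’s grepable output (-oG, whose per-host lines look like `Host: 192.168.1.1 (gateway.lan)<TAB>Status: Up`), and compares the live hosts against a known-asset list. The sample output and the `KNOWN_ASSETS` inventory are constructed for the example; the function names are the example’s own.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Sequence, Set

# Matches the per-host line of Nmap's grepable (-oG) output for a -sn scan,
# e.g. "Host: 192.168.1.1 (gateway.lan)<TAB>Status: Up".
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def build_discovery_argv(target: str,
                         syn_ports: Sequence[int] = (),
                         ack_ports: Sequence[int] = (),
                         udp_ports: Sequence[int] = (),
                         icmp_echo: bool = False,
                         timing: Optional[int] = None,
                         max_retries: Optional[int] = None,
                         host_timeout: Optional[str] = None) -> List[str]:
    """Assemble an 'nmap -sn' argument vector from the levers described above.
    Port lists are joined directly onto -PS/-PA/-PU: Nmap takes no space there."""
    argv = ["nmap", "-sn", "-oG", "-"]          # "-oG -": grepable output on stdout
    if icmp_echo:
        argv.append("-PE")
    if syn_ports:
        argv.append("-PS" + ",".join(str(p) for p in syn_ports))
    if ack_ports:
        argv.append("-PA" + ",".join(str(p) for p in ack_ports))
    if udp_ports:
        argv.append("-PU" + ",".join(str(p) for p in udp_ports))
    if timing is not None:
        argv.append(f"-T{timing}")
    if max_retries is not None:
        argv += ["--max-retries", str(max_retries)]
    if host_timeout is not None:
        argv += ["--host-timeout", host_timeout]
    argv.append(target)
    return argv


def parse_grepable(lines: Iterable[str]) -> Dict[str, dict]:
    """Collect hosts from -oG lines; '#' comment lines and other lines are skipped."""
    hosts: Dict[str, dict] = {}
    for line in lines:
        m = HOST_LINE.match(line)
        if m:
            ip, name, status = m.groups()
            hosts[ip] = {"hostname": name or None, "up": status == "Up"}
    return hosts


def live_hosts(hosts: Dict[str, dict]) -> List[str]:
    """Addresses marked Up, in numeric address order (string order would put .10 before .2)."""
    return sorted((ip for ip, h in hosts.items() if h["up"]), key=ipaddress.ip_address)


def unexpected_hosts(hosts: Dict[str, dict], inventory: Set[str]) -> List[str]:
    """Live addresses absent from the known-asset inventory: the list an
    incident responder or asset owner wants to look at first."""
    return [ip for ip in live_hosts(hosts) if ip not in inventory]


# Constructed sample of -oG output for this example; not captured from a real scan.
SAMPLE_GREPABLE = """\
# Nmap <version> scan initiated as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.2 ()\tStatus: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 2.90 seconds
"""

KNOWN_ASSETS = {"192.168.1.1", "192.168.1.10"}   # constructed inventory for the example

if __name__ == "__main__":
    print(" ".join(build_discovery_argv("192.168.1.0/24", syn_ports=(22, 80, 443),
                                        ack_ports=(80,), udp_ports=(53, 161),
                                        icmp_echo=True, timing=4, max_retries=2)))
    found = parse_grepable(SAMPLE_GREPABLE.splitlines())
    print("live:", live_hosts(found))
    print("not in inventory:", unexpected_hosts(found, KNOWN_ASSETS))
```

In practice the argument vector goes to `subprocess.run(argv, capture_output=True, text=True)` on a host where you are authorised to scan, and `stdout.splitlines()` goes straight into `parse_grepable`. Keeping the inventory diff as its own function is deliberate: the interesting output of a ping sweep for a defender is rarely "what is up" but "what is up that should not be".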

When Nmap doesn’t have root privileges, it can’t craft raw packets for the SYN/ACK/UDP probes. In this case it falls back to connect() system calls. This is less stealthy, as it completes the TCP handshake if a port is open, and firewalls are more likely to detect or block it. The command looks the same, but the underlying mechanism changes:

nmap -sn 192.168.1.0/24

If run as a non-privileged user, Nmap will try:

  1. TCP SYN to port 443: If it receives a SYN/ACK, it sends a RST to tear the connection down; the host is up.
  2. TCP ACK to port 443: If it receives a RST, the host is up.
  3. UDP to port 31338: If it receives an ICMP Port Unreachable, the host is up.

The most subtle aspect of Nmap’s host discovery is how it handles responses that don’t explicitly confirm liveness but do confirm the host is not down. For instance, a TCP RST in response to a SYN probe (-PS) to a closed port is a positive indication that the host is up and reachable, even though the port itself is closed. Nmap interprets that RST as a sign of life.

The next thing you’ll likely encounter is needing to understand what ports are open on those discovered hosts.
