
I'm creating a python networking program and need to discover all the usable hosts on the network such as phones and desktops on Linux. What works better, NMAP, Arp-Scan, arp, or something else?

I've tried this to discover hosts with NMAP:

nmap -n -sn 192.168.1.0/24 | awk '/is up/ {print up}; {gsub (/\(|\)/,""); up = $NF}'

This for Arp-Scan:

sudo arp-scan -I wlp1s0 -l

And this for ARP:

arp -a

Running each of these commands, one after another, I get these results:

seth@pixel:~$ sudo arp-scan -I wlp1s0 -l
Interface: wlp1s0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1 20:e5:2a:04:85:d2   NETGEAR INC.,
192.168.1.3 bc:c8:10:28:6e:38   Cisco SPVTG
192.168.1.4 e4:e0:a6:3f:45:88   (Unknown)
192.168.1.9 d4:f4:6f:25:0f:c3   (Unknown)
192.168.1.16    c0:ee:fb:ef:a0:90   (Unknown)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.271 seconds (112.73 hosts/sec). 5 responded
seth@pixel:~$ nmap -n -sn 192.168.1.0/24 | awk '/is up/ {print up}; {gsub (/\(|\)/,""); up = $NF}'
192.168.1.1
192.168.1.3
192.168.1.13
192.168.1.16
seth@pixel:~$ arp -a
? (192.168.1.73) at <incomplete> on wlp1s0
? (192.168.1.14) at <incomplete> on wlp1s0
? (192.168.1.207) at <incomplete> on wlp1s0
? (192.168.1.140) at <incomplete> on wlp1s0
? (192.168.1.77) at <incomplete> on wlp1s0
? (192.168.1.18) at <incomplete> on wlp1s0
? (192.168.1.211) at <incomplete> on wlp1s0
? (192.168.1.144) at <incomplete> on wlp1s0
? (192.168.1.81) at <incomplete> on wlp1s0
? (192.168.1.22) at <incomplete> on wlp1s0
? (192.168.1.215) at <incomplete> on wlp1s0
? (192.168.1.148) at <incomplete> on wlp1s0
? (192.168.1.5) at e4:e0:a6:3e:af:ad [ether] on wlp1s0
? (192.168.1.9) at d4:f4:6f:25:0f:c3 [ether] on wlp1s0
? (192.168.1.4) at e4:e0:a6:3f:45:88 [ether] on wlp1s0
? (192.168.1.16) at c0:ee:fb:ef:a0:90 [ether] on wlp1s0
? (192.168.1.3) at bc:c8:10:28:6e:38 [ether] on wlp1s0
? (192.168.1.3) at bc:c8:10:28:6e:38 [ether] on wlp1s0

As you can see, arp -a returns the most hosts in the quickest time possible, but is it accurate and reliable? What should I use? Should I just write a simple script that pings all hosts in a given subnet?

Seth Painter
  • Since you've already mentioned NMAP, just use that. It has everything needed for network discovery at multiple layers using a variety of methods. – user2320464 Jan 26 '18 at 13:56

2 Answers


For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.

Nmap host discovery

Therefore, running nmap -sn as an unprivileged user may not return accurate results if hosts do not reply to these probes (e.g. strict firewalls and/or no ICMP response). Running the same scan as root will use ARP instead, producing a similar if not identical result to the arp-scan tool.

Note that arp -a does not scan or even necessarily display all of the hosts on the network. This command simply dumps your ARP table, which contains entries from hosts you've sent ARP requests for, or received gratuitous ARPs from.

Additionally, your idea to ping all hosts may not work if these hosts do not reply due to firewalls (firewalls are commonly set up to block ICMP, regardless of the merit in this practice).

That said, an ARP scan (with nmap, arp-scan, or your own script) is likely the most reliable way to determine the hosts on your local network, since this will not be blocked except in extreme cases.

multithr3at3d
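To make the point about arp -a concrete, here is an added example (not part of the answer above) that parses the three outputs pasted in the question and compares them. It separates the ARP cache into resolved entries and `<incomplete>` entries, which are addresses the kernel asked about and got no answer for, so they are not evidence of a live host. The sample input is copied from the question; nothing is scanned when this runs.

```python
import ipaddress
import re

# Sample input: the tool outputs pasted in the question, embedded here so the
# comparison runs offline. No packets are sent by this script.
ARP_CACHE = """\
? (192.168.1.73) at <incomplete> on wlp1s0
? (192.168.1.14) at <incomplete> on wlp1s0
? (192.168.1.207) at <incomplete> on wlp1s0
? (192.168.1.140) at <incomplete> on wlp1s0
? (192.168.1.77) at <incomplete> on wlp1s0
? (192.168.1.18) at <incomplete> on wlp1s0
? (192.168.1.211) at <incomplete> on wlp1s0
? (192.168.1.144) at <incomplete> on wlp1s0
? (192.168.1.81) at <incomplete> on wlp1s0
? (192.168.1.22) at <incomplete> on wlp1s0
? (192.168.1.215) at <incomplete> on wlp1s0
? (192.168.1.148) at <incomplete> on wlp1s0
? (192.168.1.5) at e4:e0:a6:3e:af:ad [ether] on wlp1s0
? (192.168.1.9) at d4:f4:6f:25:0f:c3 [ether] on wlp1s0
? (192.168.1.4) at e4:e0:a6:3f:45:88 [ether] on wlp1s0
? (192.168.1.16) at c0:ee:fb:ef:a0:90 [ether] on wlp1s0
? (192.168.1.3) at bc:c8:10:28:6e:38 [ether] on wlp1s0
? (192.168.1.3) at bc:c8:10:28:6e:38 [ether] on wlp1s0
"""
ARP_SCAN = """\
Interface: wlp1s0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1 20:e5:2a:04:85:d2   NETGEAR INC.,
192.168.1.3 bc:c8:10:28:6e:38   Cisco SPVTG
192.168.1.4 e4:e0:a6:3f:45:88   (Unknown)
192.168.1.9 d4:f4:6f:25:0f:c3   (Unknown)
192.168.1.16    c0:ee:fb:ef:a0:90   (Unknown)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.271 seconds (112.73 hosts/sec). 5 responded
"""
NMAP_UP = """\
192.168.1.1
192.168.1.3
192.168.1.13
192.168.1.16
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ARP_LINE = re.compile(r"\((" + IPV4 + r")\) at (\S+)")
ARP_SCAN_LINE = re.compile(r"^(" + IPV4 + r")\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I | re.M)
IPV4_LINE = re.compile(r"^" + IPV4 + r"$", re.M)


def parse_arp_cache(text):
    """Split `arp -a` output into resolved entries (ip -> mac) and unresolved ones."""
    resolved, unresolved = {}, set()
    for ip, mac in ARP_LINE.findall(text):
        if mac == "<incomplete>":
            unresolved.add(ip)      # asked, never answered: not a live host
        else:
            resolved[ip] = mac.lower()  # duplicates collapse in the dict
    return resolved, unresolved


def parse_arp_scan(text):
    """Hosts that actually answered an ARP request (ip -> mac)."""
    return {ip: mac.lower() for ip, mac in ARP_SCAN_LINE.findall(text)}


def parse_nmap_hosts(text):
    """Bare IPv4 lines as printed by the awk filter in the question."""
    return set(IPV4_LINE.findall(text))


def compare(cache_text, arp_scan_text, nmap_text):
    resolved, unresolved = parse_arp_cache(cache_text)
    scanned = parse_arp_scan(arp_scan_text)
    nmap_up = parse_nmap_hosts(nmap_text)
    return {
        "arp_cache_resolved": set(resolved),
        "arp_cache_unresolved": unresolved,
        "arp_scan": set(scanned),
        "nmap_unprivileged": nmap_up,
        "missed_by_nmap": set(scanned) - nmap_up,   # answered ARP, no TCP reply
        "only_in_cache": set(resolved) - set(scanned),
    }


if __name__ == "__main__":
    for name, hosts in compare(ARP_CACHE, ARP_SCAN, NMAP_UP).items():
        print(f"{name:22s} {len(hosts):2d}  {sorted(hosts, key=ipaddress.ip_address)}")
```

On the question's data the cache holds 18 lines but only 5 distinct resolved hosts; 12 entries are `<incomplete>`, and the unprivileged nmap run misses two hosts that answered ARP because they did not answer the TCP probes to ports 80 and 443.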

Build your own scanner with scapy? You could then target this scanner towards phones and Linux desktops by scanning for known banners & services of each. This would be a great option if you want to develop further network understanding.

https://scapy.readthedocs.io/en/latest/

dom
  • Are you affiliated with Scapy? – Tom K. Jan 26 '18 at 10:59
  • @TomK. "python" "networking", the right answer is scapy, in terms of implementation – schroeder Jan 26 '18 at 11:08
  • No I'm not, I just love scapy. ^^^^ scapy can do anything you can think of. If you were serious about targeting specific hosts while using python, then use scapy. – dom Jan 26 '18 at 11:21
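The first answer recommends an ARP scan, with "your own script" as one option, and the second answer suggests scapy. As an added example (not code from either answer or from the scapy project), here is a minimal Linux ARP scanner written with only the standard library: it builds the 42-byte Ethernet/ARP "who-has" frame by hand, sends one per address on a raw AF_PACKET socket, and parses the "is-at" replies. A short scapy variant of the same scan is included with a lazy import, so the file still runs where scapy is not installed. Assumptions: Linux (AF_PACKET and /sys/class/net), root, and the interface name and local IPv4 address passed on the command line; `wlp1s0` and `192.168.1.0/24` are taken from the question.

```python
import ipaddress
import socket
import struct
import time

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def local_mac(iface):
    """MAC of a local interface from sysfs (Linux only)."""
    with open(f"/sys/class/net/{iface}/address") as f:
        return f.read().strip()


def build_arp_request(src_mac, src_ip, dst_ip):
    """Ethernet header + ARP 'who-has' for one target, 14 + 28 = 42 bytes."""
    eth = struct.pack("!6s6sH", BROADCAST, mac_bytes(src_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, ARP_REQUEST,     # Ethernet, IPv4, lengths, opcode
                      mac_bytes(src_mac), socket.inet_aton(src_ip),   # sender
                      b"\x00" * 6, socket.inet_aton(dst_ip))          # target
    return eth + arp


def parse_arp_reply(frame):
    """(sender_ip, sender_mac) if the frame is an ARP reply, otherwise None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode, sha, spa = struct.unpack("!H6s4s", frame[20:32])
    if opcode != ARP_REPLY:
        return None
    return socket.inet_ntoa(spa), mac_str(sha)


def arp_scan(network, iface, src_mac, src_ip, timeout=2.0):
    """Ask every address in `network` once, then collect replies until `timeout`.

    Needs CAP_NET_RAW (run as root). Returns ip -> mac for hosts that answered.
    """
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    sock.settimeout(0.2)
    for host in ipaddress.ip_network(network).hosts():
        sock.send(build_arp_request(src_mac, src_ip, str(host)))
    found = {}
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            frame = sock.recv(65535)
        except socket.timeout:
            continue
        parsed = parse_arp_reply(frame)
        if parsed:
            found[parsed[0]] = parsed[1]
    sock.close()
    return found


def arp_scan_scapy(network, iface, timeout=2):
    """Same scan with scapy; imported lazily so the rest of the file has no dependency on it."""
    from scapy.all import ARP, Ether, srp
    answered, _ = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=network),
                      iface=iface, timeout=timeout, verbose=False)
    return {rcv[ARP].psrc: rcv[ARP].hwsrc for _, rcv in answered}


if __name__ == "__main__":
    import sys
    # usage: sudo python3 arpscan.py wlp1s0 192.168.1.0/24 <your-ipv4-on-wlp1s0>
    iface, network, src_ip = sys.argv[1:4]
    hosts = arp_scan(network, iface, local_mac(iface), src_ip)
    for ip in sorted(hosts, key=ipaddress.ip_address):
        print(ip, hosts[ip])
```

The output has the same shape as arp-scan's table in the question (address and MAC per responding host), and the frame layout shows why ARP discovery is hard to block: a host has to answer "who-has" for its own address to receive any IPv4 traffic on the segment, so a host firewall that drops ICMP and TCP probes still leaves it visible here. The scan only covers the local broadcast domain; for other subnets you are back to nmap's IP-level probes.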