Initial Disclosure
I am not a network engineer and my expertise in this area is low.
Background
While using nmap 7.70 with nmap -sL to look for the IP address of a known device on our local network [behind VPN and firewall], I noticed two entries that I didn't recognize.
My boss advised me to identify and report their MAC addresses so that he could monitor and ban them if deemed prudent.
I used option -sn [no port scan] to get more information, including MAC addresses. However, when I ran this scan, the two unrecognized hosts did not appear.
I looked at the arp cache, and also used arp-scan; both the unknown entries appeared, with MAC addresses shown as follows:
? (10.0.0.xxx) at <incomplete> on wlp0xxx
[...]
? (10.0.0.yyy) at <incomplete> on wlp0xxx
My understanding of the incomplete-MAC-address entry [based on reading a goodly number of similar-ish entries on this family of sites] is that it means the host in question did not respond to a transmitted arp packet. Also, I'm aware that arp pertains to cached information and does not necessarily reflect current network activity. [Also: I have read man nmap, but I'm pretty sure I'm failing to understand some key information about the options.]
That is clear enough to me; but what I am unclear on is whether I need to worry about these unrecognized, unresponsive hosts from a security standpoint.
Question [Parts]
So, my question has two main components:
1. Why do some hosts [in this case, unrecognized hosts with incomplete MAC addresses] show up with nmap -sL and not nmap -sn?
2. Do these hosts represent potential attacks or attackers, and if so, how can they be banned without knowledge of their MAC addresses?
The network in question is mainly wireless; all wired Ethernet-connected devices are accounted for.
Similar Questions
For reference: I've looked at the following entries plus more, but have not been able to discern a complete answer to my questions: