Help with "host discovery"

[jradxl]

I'd like to recreate the nmap command line of:
nmap -sn 10.0.0.0/8

The best I've come up with using naabu is:-

nmap -sL -n 10.0.0.0/24 | awk '/Nmap scan report/{print $NF}' > ./naabu.list 
naabu -sn -list ./naabu.list 2> /dev/null | sort -t . -n -k 4

Which gives the right answer for my Nebula Private VPN Network, of:-

10.0.0.2
10.0.0.4
10.0.0.9
10.0.0.13
10.0.0.14
10.0.0.15
10.0.0.16
10.0.0.17
10.0.0.18
10.0.0.19
10.0.0.20
10.0.0.21

Can someone post a more succinct command line

[jradxl]

I've improved my command line, for the small range of my Nebula network

sudo naabu -silent -sn -ping -host "10.0.0.0/24" | sort -t . -n -k 4

[bad-antics]

Your self-answer is already pretty good, but here's a cleaner approach and some additional context on naabu vs nmap for host discovery:

Most Concise Command

sudo naabu -host 10.0.0.0/24 -sn -ping -silent | sort -t . -n -k 4

This is essentially what you arrived at. For a /8 network (your original goal), naabu handles CIDR expansion natively so you don't need the nmap + awk pre-processing:

sudo naabu -host 10.0.0.0/8 -sn -ping -silent -rate 1000

Add -rate for large ranges to control scan speed and avoid overwhelming your Nebula mesh.

Why sudo Is Required

naabu uses raw sockets for ICMP probes (-ping/-pe), which require CAP_NET_RAW. Either run with sudo or set the capability:

sudo setcap cap_net_raw+ep $(which naabu)
# Then run without sudo:
naabu -host 10.0.0.0/24 -sn -ping -silent

Alternative: ARP Discovery (Faster for Local Subnets)

If you're on the same L2 segment:

sudo naabu -host 10.0.0.0/24 -sn -arp -silent

ARP discovery is faster and more reliable than ICMP on local networks since hosts can't block ARP responses.

For Your Nebula Network Specifically

Since Nebula is a mesh VPN using WireGuard-like tunneling, ICMP might get filtered depending on your Nebula firewall rules. If -ping misses hosts, try a TCP probe on a common port:

sudo naabu -host 10.0.0.0/24 -sn -ep 22,443 -silent

This sends TCP SYN probes to ports 22 and 443 for host discovery, which can punch through ICMP-filtered Nebula configs.

[bad-antics]

Your self-answer is already solid. Here are some refinements:

Most Concise Command

sudo naabu -host 10.0.0.0/24 -sn -ping -silent | sort -t . -n -k 4

For a /8 range, naabu handles CIDR expansion natively -- no need for the nmap + awk pre-processing:

sudo naabu -host 10.0.0.0/8 -sn -ping -silent -rate 1000

Add -rate for large ranges to control scan speed.

Why sudo Is Required

naabu uses raw sockets for ICMP probes, which require CAP_NET_RAW. You can avoid sudo by setting the capability:

sudo setcap cap_net_raw+ep $(which naabu)
naabu -host 10.0.0.0/24 -sn -ping -silent

ARP Discovery (Faster for Local Subnets)

sudo naabu -host 10.0.0.0/24 -sn -arp -silent

ARP is faster and more reliable on local networks since hosts cannot block ARP responses.

For Nebula VPN Specifically

Since Nebula uses tunneled WireGuard-like networking, ICMP may get filtered. Try TCP probes:

sudo naabu -host 10.0.0.0/24 -sn -ep 22,443 -silent

This sends SYN probes to common ports for discovery, which works through ICMP-filtered Nebula configs.