Discover hosts/services on a network and build an interactive HTML map — BloodHound-style, but for live network devices instead of AD attack paths.
⚠️ Run only on networks you own or are explicitly authorized to scan. Active scanning generates traffic that IDS/IPS flag and can be illegal against networks you don't control.
Everything is modeled as a graph: nodes = devices, edges = relationships (L2 neighbor, routed hop, same subnet). Independent collectors each observe the network one way and merge their findings into the shared graph:
| Collector | Gives you | Needs |
|---|---|---|
| pingsweep | Hosts + open common ports (fallback) | nothing (stdlib only, no root) |
| nmap | Hosts, ports, service/version, OS | nmap binary + python-nmap |
| arp | L2 hosts + MAC + vendor on local segment | scapy, root |
| snmp | True topology via LLDP neighbor tables | pysnmp, SNMP read access |
| traceroute | L3 routed hops between subnets | scapy, root |
If nmap isn't installed (or you pass --no-nmap), netmapper automatically
falls back to the pure-Python pingsweep collector, so it always produces a
useful host+service map with zero setup.
Works on any clean Linux (Debian/Ubuntu included). All you need present is:
- python3 (3.8+)
- ping and ip — from iputils-ping / iproute2, installed by default on virtually every Debian/Ubuntu system.
All Python packages are installed into a local ./.venv — nothing is
installed system-wide. (On a minimal Debian without python3-venv, setup.sh
bootstraps pip itself, so you still don't need to apt install anything.)
```bash
./netmapper.sh scan
```
With no --subnet, it auto-detects this host's real subnets and scans each
one — skipping loopback, link-local, and Docker/bridge/virtual interfaces
(docker0, br-*, veth*, virbr*, k8s CNIs). Pass --include-docker to
include them, or --subnet to target specific CIDRs.
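To preview which subnets an auto-detected scan would cover before sending any traffic, the filter described above can be sketched as follows. This is an added example, not netmapper's own code: the function name, the CNI interface patterns, the size guard, and the sample `ip -j -4 addr show` data are all assumptions.

```python
import fnmatch
import ipaddress
import json

# docker0, br-*, veth*, virbr* come from the README; the CNI patterns are
# assumptions, since the README only says "k8s CNIs".
VIRTUAL_IFACES = ["docker0", "br-*", "veth*", "virbr*", "cni*", "flannel*", "cali*"]

def _iface(name, local, prefixlen):
    return {"ifname": name,
            "addr_info": [{"family": "inet", "local": local, "prefixlen": prefixlen}]}

# Constructed sample, shaped like the output of `ip -j -4 addr show`.
SAMPLE_IP_JSON = json.dumps([
    _iface("lo", "127.0.0.1", 8),
    _iface("eth0", "192.168.1.57", 24),
    _iface("eth1", "169.254.10.2", 16),
    _iface("docker0", "172.17.0.1", 16),
    _iface("br-4c1d9e", "172.18.0.1", 16),
    _iface("tun0", "10.0.0.5", 8),
])

def scan_targets(ip_json, include_docker=False, max_addresses=65536):
    """Return (targets, skipped); skipped holds (ifname, cidr, reason) tuples."""
    targets, skipped = [], []
    for iface in json.loads(ip_json):
        name = iface["ifname"]
        virtual = any(fnmatch.fnmatch(name, pat) for pat in VIRTUAL_IFACES)
        for info in iface.get("addr_info", []):
            if info.get("family") != "inet":
                continue
            addr = ipaddress.ip_interface(f"{info['local']}/{info['prefixlen']}")
            cidr = str(addr.network)
            if addr.ip.is_loopback:
                reason = "loopback"
            elif addr.ip.is_link_local:
                reason = "link-local"
            elif virtual and not include_docker:
                reason = "virtual-interface"
            elif addr.network.num_addresses > max_addresses:
                # Size guard is an addition here, not README behaviour.
                reason = "too-large"
            else:
                reason = None
            if reason:
                skipped.append((name, cidr, reason))
            elif cidr not in targets:
                targets.append(cidr)
    return targets, skipped
```

Feeding it the real output of `ip -j -4 addr show` lists the CIDRs to confirm against your authorization scope, along with the reason each other interface was left out.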
On first run the launcher creates the isolated environment and installs the core
deps automatically, then scans. Output files are written to your current
directory with a SharpHound-style timestamp, e.g.
20260601_075803_netmapper.json and 20260601_075803_netmapper_map.html
(override with --json / --out). Each host is anchored within its own
subnet; if you scan multiple subnets, your machine's interfaces bridge them
(a same_host link).
To pre-install (optional), or to add the richer collectors:
```bash
./setup.sh          # core only (networkx, pyvis)
./setup.sh --full   # also python-nmap, scapy, mac-vendor-lookup, pysnmp
```
```bash
# Scan specific subnet(s) (comma-separated) instead of auto-detect
./netmapper.sh scan --subnet 192.168.1.0/24,10.0.0.0/24

# Force the no-root pure-Python sweep with a custom port list
./netmapper.sh scan --subnet 192.168.1.0/24 --no-nmap --ports 22,80,443,3389

# Full topology: nmap + SNMP/LLDP from switches + L3 paths to other VLANs
# (SNMP targets may be "ip" or "ip:port")
sudo ./netmapper.sh scan --subnet 192.168.1.0/24 \
  --snmp 192.168.1.1,192.168.1.2 --community public \
  --trace 192.168.2.10,192.168.3.10

# Re-render a saved graph without re-scanning (point --in at a saved JSON)
./netmapper.sh render --in 20260601_075803_netmapper.json
```
Open the resulting network_map.html in any browser. It's a single
self-contained file (the vis-network library is inlined, so it works offline —
nothing to carry alongside it). The viewer is a BloodHound-style explorer:
- Click a node to open a details panel with everything known about that host — IP, hostname, MAC + vendor, OS guess, round-trip latency, every open service (with grabbed banners), SNMP/extra attributes, and its links.
- Selecting a node highlights it and its neighbors and dims the rest; clicking a link in the panel jumps to that device.
- Search box (IP or hostname), Fit and Freeze (physics) controls, drag/zoom, and a legend.
- Node color/shape encodes device type (router/switch/scanner/host); edge style encodes link type (solid = L2 neighbor, dashed = routed hop, faint = same subnet).
The SNMP/LLDP collector is verified end-to-end against a simulated SNMP agent (no hardware needed):
```bash
.venv/bin/pip install snmpsim pysmi   # test-only deps
.venv/bin/python tests/test_snmp_lldp.py
```
It stands up a local snmpsim responder serving crafted LLDP-MIB data and
asserts the collector discovers the switch and both neighbors with L2 edges.
MIT © 2026 RedSide Security — contact: info@redsidesecurity.com
netmapper performs active network scanning. Run it only against networks you own or have explicit written authorization to assess. Unauthorized scanning may violate computer-misuse laws and your provider's terms. You are responsible for how you use this tool.
