Monday, May 19, 2008

Ping or nmap to identify machines on the LAN

You can use ping or nmap to find out what machines are currently on the local network.

The first method involves pinging the LAN broadcast address.

To find out the broadcast address of the local network:
$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 01:1B:6B:D8:B1:26
inet addr:192.168.0.103 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20b:6aff:fed0:bb04/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:70324 errors:0 dropped:0 overruns:0 frame:0
TX packets:69429 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28758708 (27.4 MiB) TX bytes:9680092 (9.2 MiB)
Interrupt:177 Base address:0xdc00
From the ifconfig output, we determine that the broadcast address is 192.168.0.255. Now, we ping the broadcast address.

$ ping -b -c 3 -i 20 192.168.0.255
WARNING: pinging broadcast address
PING 192.168.0.255 (192.168.0.255) 56(84) bytes of data.
64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.208 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=150 time=0.625 ms (DUP!)
64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.218 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=150 time=0.646 ms (DUP!)
64 bytes from 192.168.0.100: icmp_seq=3 ttl=64 time=0.217 ms

--- 192.168.0.255 ping statistics ---
3 packets transmitted, 3 received, +2 duplicates, 0% packet loss, time 39998ms
rtt min/avg/max/mdev = 0.208/0.382/0.646/0.207 ms


Note that:
-b is required in order to ping a broadcast address.
-c is the count (3) of echo requests (pings) it will send.
-i specifies the interval in seconds between sending each packet. You need to specify an interval long enough to give all the hosts in your LAN enough time to respond.

The ping method does not guarantee that all systems connected to the LAN will be found. This is because some computers may be configured NOT to reply to broadcast queries, or to ping queries altogether.
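As an added example (not part of the original post), here is a small POSIX shell script that turns the output of a broadcast ping into a list of distinct responders. ping prints one "64 bytes from <ip>" line per reply and tags every reply after the first for a given icmp_seq with "(DUP!)", so counting lines overstates the number of hosts. The sample output below is constructed, modelled on the run above, and the function names ping_responders and ping_responder_count are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the replies to a
# broadcast ping as one line per host, "<ip> <number of replies>".

# Constructed sample, modelled on the post's "ping -b -c 3 -i 20" run.
SAMPLE_PING_OUTPUT='WARNING: pinging broadcast address
PING 192.168.0.255 (192.168.0.255) 56(84) bytes of data.
64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.208 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=150 time=0.625 ms (DUP!)
64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.218 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=150 time=0.646 ms (DUP!)
64 bytes from 192.168.0.100: icmp_seq=3 ttl=64 time=0.217 ms

--- 192.168.0.255 ping statistics ---
3 packets transmitted, 3 received, +2 duplicates, 0% packet loss, time 39998ms
rtt min/avg/max/mdev = 0.208/0.382/0.646/0.207 ms'

# Reads ping output on stdin. Every reply line has the form
# "64 bytes from <ip>: icmp_seq=N ...", so field 4 is the address with a
# trailing colon; the "(DUP!)" marker is irrelevant because we key on the
# address rather than on the sequence number. Output is sorted by address.
ping_responders() {
    awk '/bytes from/ {
            ip = $4; sub(/:$/, "", ip)
            count[ip]++
        }
        END { for (ip in count) print ip, count[ip] }' | sort
}

# Number of distinct hosts that answered; reads ping output on stdin.
ping_responder_count() {
    ping_responders | wc -l | tr -d ' '
}

# Live use would be:  ping -b -c 3 -i 20 192.168.0.255 | ping_responders
# Here the constructed sample is used so the script runs offline.
printf '%s\n' "$SAMPLE_PING_OUTPUT" | ping_responders
```

A host whose reply count is lower than the number of packets sent answered only some of the requests, which is worth a second look before trusting the list. Keep in mind that Linux ignores broadcast echo requests by default (the sysctl net.ipv4.icmp_echo_ignore_broadcasts is set to 1), and Windows hosts also do not answer them, so on a mixed LAN this list is a lower bound, as the post says.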

The second method uses nmap. While nmap is better known for its port scanning capabilities, nmap is also very dependable for host discovery.

You can run nmap either as a non-root user or as root. Run as a non-root user, nmap reports only the IP address of each host it finds.
$ nmap -sP 192.168.0.1-254

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-19 17:02 PDT
Host 192.168.0.1 appears to be up.
Host 192.168.0.100 appears to be up.
Host 192.168.0.103 appears to be up.
Nmap finished: 254 IP addresses (3 hosts up) scanned in 2.507 seconds
If you run nmap as root, you will also get the MAC address:
$ nmap -sP 192.168.0.1-254

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-19 18:06 PDT
Host 192.168.0.1 appears to be up.
MAC Address: 03:05:6D:2D:87:B3 (The Linksys Group)
Host 192.168.0.100 appears to be up.
MAC Address: 00:07:95:A9:3A:77 (Elitegroup Computer System Co. (ECS))
Host 192.168.0.103 appears to be up.
Nmap finished: 254 IP addresses (3 hosts up) scanned in 5.900 seconds
-sP instructs nmap to only perform a ping scan to determine if the target host is up; no port scanning or operating system detection is performed.
By default, the -sP option causes nmap to send an ICMP echo request and a TCP packet to port 80.
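As an added example (not part of the original post), here is a POSIX shell script that turns "nmap -sP" output into a simple inventory, one live host per line as "<ip> <mac-or-?>". It goes slightly beyond the post: it parses both the Nmap 4.x wording shown above ("Host X appears to be up." followed, in a root run, by a "MAC Address:" line) and the Nmap 5.x wording ("Nmap scan report for X" followed by "Host is up"), and it copes with a reverse-resolved name in the 5.x form ("Nmap scan report for name (ip)"). Both samples are constructed, modelled on the runs on this page, and the function names nmap_live_hosts and nmap_live_count are my own.

```shell
#!/bin/sh
# Added example, not from the original post: build a "<ip> <mac>" inventory
# from nmap ping-scan output. "?" means nmap printed no MAC for that host,
# which happens in non-root runs and for the scanning machine itself.

# Constructed sample in the Nmap 4.x wording (root run, MAC lines present).
SAMPLE_NMAP_4='Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-19 18:06 PDT
Host 192.168.0.1 appears to be up.
MAC Address: 03:05:6D:2D:87:B3 (The Linksys Group)
Host 192.168.0.100 appears to be up.
MAC Address: 00:07:95:A9:3A:77 (Elitegroup Computer System Co. (ECS))
Host 192.168.0.103 appears to be up.
Nmap finished: 254 IP addresses (3 hosts up) scanned in 5.900 seconds'

# Constructed sample in the Nmap 5.x wording (non-root run, no MAC lines).
SAMPLE_NMAP_5='Starting Nmap 5.21 ( http://nmap.org ) at 2011-11-26 15:20 CET
Nmap scan report for 192.168.0.1
Host is up (0.017s latency).
Nmap scan report for 192.168.0.2
Host is up (0.0037s latency).
Nmap done: 254 IP addresses (2 hosts up) scanned in 80.29 seconds'

# Reads nmap output on stdin and prints one "<ip> <mac>" line per live host.
# A host record is emitted when the next record starts or at end of input,
# because the MAC line (if any) follows the host line.
nmap_live_hosts() {
    awk '
        function flush() {
            if (up) print ip, (mac == "" ? "?" : mac)
            ip = ""; mac = ""; up = 0
        }
        # Nmap 4.x: the host line itself says the host is up.
        /^Host .* appears to be up/ { flush(); ip = $2; up = 1; next }
        # Nmap 5.x: the report line names the host; "Host is up" confirms it.
        # The last field is "ip" or "(ip)" when a name was resolved.
        /^Nmap scan report for /    { flush(); ip = $NF; gsub(/[()]/, "", ip); next }
        /^Host is up/               { up = 1; next }
        /^MAC Address: /            { mac = $3; next }
        END { flush() }'
}

# Number of live hosts; reads nmap output on stdin.
nmap_live_count() {
    nmap_live_hosts | wc -l | tr -d ' '
}

# Live use would be:  nmap -sP 192.168.0.1-254 | nmap_live_hosts
# Here the constructed samples are used so the script runs offline.
printf '%s\n' "$SAMPLE_NMAP_4" | nmap_live_hosts
printf '%s\n' "$SAMPLE_NMAP_5" | nmap_live_hosts
```

Saving the inventory from a known-good day and diffing it against a fresh run is a cheap way to notice a device that has joined the LAN since; a MAC that changes for the same address, or a new address with a vendor prefix you do not recognise, is the kind of line worth following up.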

Using either ping or nmap, you can find out what machines are connected to your LAN.

7 comments:

Unknown said...

This is an excellent tutorial of a very useful command for seeing what devices are on a network, just the task I was trying to do. It's well written and I like how you explained what the individual flags do. Thanks!

Anonymous said...

Thank you for this great explanation! nmap worked like a champ!

Anonymous said...

Very interesting. I had no idea about that use of nmap.

However, I tried both in my local network and nmap only located those machines with a web server (router, AP, server...) while pinging the broadcast got no results. It is annoying because the machines replied to normal ping, but not to broadcast.

So I finally made a script:

for i in $( seq 1 254 ); do ping -c 1 192.168.1.$i | grep "bytes from" ; done

Of course, replace the network address with yours.

Unknown said...

Great summary. Thank you.

MAT said...

I greatly appreciate your blog, it's very helpful! Nice and tidy examples and none of the I-am-so-smarty-pants-about-the-linux-command-line, which tells me that you actually are ;-). Thanks man.

Mish said...

Finally! I've been looking for someone to explain simply how to use nmap for this simple task. I've spent hours trying to decode the nmap man pages with no results. Thank you for this.

Anonymous said...

Nice post, but my output is different when I'm scanning my home network.
Ping returned:

WARNING: pinging broadcast address
PING 192.168.1.255 (192.168.1.255) 56(84) bytes of data.
--- 192.168.1.255 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 40008ms


Then nmap outputs as if all hosts are up:

Starting Nmap 5.21 ( http://nmap.org ) at 2011-11-26 15:20 CET
Nmap scan report for 192.168.0.1
Host is up (0.017s latency).
Nmap scan report for 192.168.0.2
Host is up (0.0037s latency).
... and so on...
Nmap done: 254 IP addresses (181 hosts up) scanned in 80.29 seconds


I hope there's not something wrong...