I just want to find out the unused IP addresses on a network. I think it is possible with nmap. Can anyone tell me the way, please?

Note:

I just need the free IP list alone.

karthick87

6 Answers

A fast scanner is arp-scan which uses ARP to "see" other machines on a network. It also returns the MAC address and tries to determine the manufacturer of the network adapter.

Example usage (replace wlan0 with eth0 if needed):

$ sudo arp-scan -I wlan0 192.168.1.0/24
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.10    00:90:f5:33:e2:f2       CLEVO CO.
192.168.1.254   00:14:7f:72:cd:05       Thomson Telecom Belgium

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.406 seconds (182.08 hosts/sec).  2 responded

Note that this utility only reports machines which are powered on. ping can be blocked, but arp-scan cannot be blocked since it's necessary for a machine to interact with other machines on a network. To be sure that an IP is unused, you'd better look at your router (for static/dynamic addresses) and DHCP server (for dynamic addresses).

Lekensteyn
  • I wanted to like this but it missed a couple hosts when I tested it?!? :( – bumbling fool Oct 06 '11 at 19:50
  • @bumblingfool: are you sure that the other hosts are on the same subnet? E.g. 192.168.1.x and not 192.168.2.x? – Lekensteyn Oct 06 '11 at 19:52
  • Yes, all hosts are on the same subnet. I ran it a dozen more times and 2/3rds of the time all hosts showed up. Interestingly(?), it is always the same hosts that don't show up (if any)... This is on a wifi network but the signal is solid. Also, the above mentioned nmap method consistently doesn't miss any hosts. – bumbling fool Oct 07 '11 at 08:51
  • How many hosts are we talking about? Try increasing the delay between sending the packets using the `-i` parameter, e.g. `-i 5` for 5 ms. – Lekensteyn Oct 07 '11 at 09:36
  • 2/5. Increasing the delay did the trick. Thanks! – bumbling fool Oct 07 '11 at 11:04
sudo nmap -sP -PR 192.168.0.* (or whatever your network is) will do the trick.

To install it use sudo apt-get install nmap.

Source: serverfault.com.

Just tested this; it works like a charm, including obscured hosts. You need to add sudo to be able to use the -PR option.

Bruno Pereira
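The arp-scan and nmap answers above print the hosts that answered, but the question asks for the addresses that did not. The following is an added example, not code from either answer or from the arp-scan or nmap projects: it parses arp-scan's output (the format shown in the first answer) and nmap's grepable output (`nmap -sn -PR -oG - 192.168.1.0/24`; -sn is the current name of -sP), unions the two live-host sets and subtracts them from the usable addresses of the subnet. Both sample outputs are constructed for the demo. As the arp-scan answer notes, an address nobody answered for is only a candidate: a powered-off host keeps its DHCP lease, so the `reserved` parameter lets you exclude addresses the DHCP server or router says are taken.

```python
# Added example (not from the answers above): turn the host lists that arp-scan and
# `nmap -sn -PR -oG -` print into the *free* address list the question asks for.
# The two sample outputs are constructed for this demo.
import ipaddress
import re

ARP_SCAN_SAMPLE = """\
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.10\t00:90:f5:33:e2:f2\tCLEVO CO.
192.168.1.254\t00:14:7f:72:cd:05\tThomson Telecom Belgium

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.406 seconds (182.08 hosts/sec).  2 responded
"""

NMAP_GREPABLE_SAMPLE = """\
# Nmap 7.01 scan initiated (constructed sample) as: nmap -sn -PR -oG - 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.23 (printer.lan)\tStatus: Up
Host: 192.168.1.254 ()\tStatus: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# arp-scan host line: "<ip><tab><mac><tab><vendor>"; header/footer lines never start with an IP
ARP_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
# nmap grepable host line: "Host: <ip> (<name>)<tab>Status: Up"
NMAP_LINE = re.compile(r"^Host:\s+(\d{1,3}(?:\.\d{1,3}){3})\s.*Status:\s+Up")


def hosts_from_arp_scan(text):
    """Set of addresses that answered arp-scan (one 'ip  mac  vendor' line each)."""
    found = set()
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            found.add(ipaddress.ip_address(m.group(1)))
    return found


def hosts_from_nmap_grepable(text):
    """Set of addresses nmap -oG reported as 'Status: Up'."""
    found = set()
    for line in text.splitlines():
        m = NMAP_LINE.match(line)
        if m:
            found.add(ipaddress.ip_address(m.group(1)))
    return found


def free_addresses(network, live, reserved=()):
    """Usable host addresses of `network` that no scanner saw.

    Network and broadcast addresses are never offered.  `reserved` excludes
    addresses known to be taken even if nothing answered there (the gateway,
    a DHCP lease for a machine that is currently powered off, ...).
    """
    net = ipaddress.ip_network(network, strict=False)
    taken = set(live) | {ipaddress.ip_address(r) for r in reserved}
    return [ip for ip in net.hosts() if ip not in taken]


def free_list_from_scans(network, arp_text, nmap_text, reserved=()):
    """Combine both scanners: an address seen by either one counts as in use."""
    live = hosts_from_arp_scan(arp_text) | hosts_from_nmap_grepable(nmap_text)
    return [str(ip) for ip in free_addresses(network, live, reserved)]


if __name__ == "__main__":
    free = free_list_from_scans("192.168.1.0/24", ARP_SCAN_SAMPLE, NMAP_GREPABLE_SAMPLE)
    print("%d candidate free addresses; first few: %s" % (len(free), free[:5]))
```

In practice you would feed it the real outputs, e.g. `sudo arp-scan -I eth0 192.168.1.0/24` and `sudo nmap -sn -PR -oG - 192.168.1.0/24` captured to files, and pass the DHCP server's active leases as `reserved`.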
I find fping useful; among other things, it will ping a range of addresses and list which are 'alive' and which are 'unreachable'. fping is not installed by default.

sudo apt-get install fping

The simple approach is to just run it over a range of addresses:

fping -g 192.168.0.2 192.168.0.254 2>/dev/null

A bit more elaborately, to produce a list of unused IPs:

fping -g 192.168.0.2 192.168.0.254 2>/dev/null | grep 'is unreachable' | cut -d ' ' -f 1 | sort -t '.' -k 4 -n
bgvaughan
  • Don't forget that this assumes the hosts respond to an ICMP Echo request (a.k.a. pings). Not every host does that, especially some MS Windows machines don't. Also firewalls usually disable this, even though they are online and have a MAC address in your network. This is a fast solution, but shouldn't be relied on in every situation. – eaydin Jul 22 '17 at 09:08
  • You're right; a solution involving nmap, or some alternative to ping that can use protocols other than ICMP, would be more reliable. – bgvaughan Jul 24 '17 at 17:02
I believe it is not the best solution, but it does what you want. This script runs ping over the 192.168.0.0/24 network and returns a list of inactive IPs if they are not in the ARP cache.

Advantages over previous solutions:

  • uses both methods: ping and ARP check
  • no need to run as root user
  • runs about 1.5min on my Core i3-2100

To scan your network, run it with <first IP> <last IP> parameters.

#!/usr/bin/env python3
from threading import Thread
import subprocess
from queue import Queue

verbose = False

num_threads = 8
queue = Queue()
inactive_ips = [0 for i in range(256)]   # one slot per last octet (assumes a single /24)

# /proc/net/arp: keep only complete entries (flags 0x2), i.e. IPs that answered ARP
lines = open("/proc/net/arp", "r").readlines()
arp_cache = [l.split()[0] for l in lines[1:] if l.split()[2] == "0x2"]

def ip_str_to_int(ip):
    ip = ip.rstrip().split('.')
    ipn = 0
    while ip:
        ipn = (ipn << 8) + int(ip.pop(0))
    return ipn

def ip_int_to_str(ip):
    ips = ''
    for i in range(4):
        ip, n = divmod(ip, 256)
        ips = str(n) + '.' + ips
    return ips[:-1] ## take out extra point


# wraps the system ping command; IPs already in the ARP cache are in use and skipped
def pinger(i, q):
    while True:
        ip_num = q.get()
        ip = ip_int_to_str(ip_num)
        if ip not in arp_cache:
            ret = subprocess.call(["ping", "-c", "1", ip],
                                  stdout=subprocess.DEVNULL,
                                  stderr=subprocess.STDOUT)
            if ret != 0:
                inactive_ips[ip_num % 256] = ip
        q.task_done()


if __name__ == '__main__':
    from optparse import OptionParser
    usage = "usage: %prog [options] [first IP] [last IP]"
    parser = OptionParser(usage=usage)
    parser.add_option("-v", "--verbose", action="store_true", dest="verbose", help="make lots of noise")
    parser.add_option("-q", action="store_false", dest="verbose", help="print only IP addresses")
    (options, args) = parser.parse_args()
    verbose = options.verbose

    first = ip_str_to_int(args[0] if len(args) > 0 else "192.168.0.1")
    last = ip_str_to_int(args[1] if len(args) > 1 else "192.168.0.254")

    if verbose:
        print("Scanning inactive network addresses from %s to %s" % (
            ip_int_to_str(first),
            ip_int_to_str(last)))

    for i in range(num_threads):
        worker = Thread(target=pinger, args=(i, queue))
        worker.daemon = True
        worker.start()

    for ip in range(first, last + 1):
        queue.put(ip)

    queue.join()
    for ip in inactive_ips:
        if ip:
            print(ip)

Update after downvote

I wrote it because nmap -PR 192.168.0.* did not work for me:

Starting Nmap 5.21 ( http://nmap.org ) at 2011-10-06 15:34 EEST
Nmap done: 256 IP addresses (0 hosts up) scanned in 0.03 seconds

Update 2

Fixed all the issues with ARP-cache.

Sergey
    What if a machine doesn't respond to ping? Does it mean the IP is not in use? – Bruno Pereira Oct 06 '11 at 12:30
  • @brunopereira81 I don't know any way to distinguish free IP from powered off host. – Sergey Oct 06 '11 at 12:34
  • Not powered off, a computer's firewall can be configured to not respond to normal pings. That way you get no reply but that doesn't mean that the computer is off or that it doesn't have running services, it's just ignoring normal pings. (I do not know the scenario relative to the question but) Imagine he pings a firewall/gateway that ignores his ping because it's configured not to respond, he assumes that the IP is free so he uses it, behind that firewall/gateway can be X number of computers that just went down due to IP conflict! – Bruno Pereira Oct 06 '11 at 12:40
  • @brunopereira81 I know it is not ideal. That is why I call it "quick and dirty" :) – Sergey Oct 06 '11 at 12:45
  • Good answer, I don't understand how downvoting such answer helps. – nikhil Oct 06 '11 at 15:16
  • Did you do it using your network addresses? No host up? How can that be? Btw, I did not downvote any answers here, I still accept his even though it's not the safest thing in the world. – Bruno Pereira Oct 06 '11 at 15:52
  • @brunopereira81 Yes. I ran it in my computer as regular user. As Lekensteyn says I had to run it as root user. – Sergey Oct 06 '11 at 18:49
  • It's already fixed with the information he got and tested the solution, works fine ;) – Bruno Pereira Oct 06 '11 at 19:01
  • That's one big ass script! Good work. – Bruno Pereira Oct 06 '11 at 19:02
  • I have same issue with nmap. sudo nmap -sP -PR 10.120.8.* Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-08 14:50 EDT Nmap done: 256 IP addresses (0 hosts up) scanned in 0.01 seconds – chandank Aug 08 '16 at 18:52
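The script above keys its ARP check on the exact string "0x2", and the comment thread raises the point that a host can hold an address while dropping pings. The following is an added example, not the answer's script: it parses /proc/net/arp with the flag bitmask from <linux/if_arp.h> (ATF_COM, 0x2, set on complete entries, so static entries flagged 0x6 are caught too), and classifies each address by combining the ARP evidence with a ping result. An incomplete entry (flags 0x0) means the kernel sent an ARP request and nobody claimed the address, which is stronger evidence of a free address than a missing ping reply alone. The /proc/net/arp text is a constructed sample; `ping_results` stands in for whatever the caller learned from ping.

```python
# Added example (not the answer's script): classify addresses from /proc/net/arp
# flags plus a ping result.  The ARP table below is constructed for the demo.
import ipaddress

ATF_COM = 0x02    # entry complete: a MAC answered ARP for this IP (<linux/if_arp.h>)
ATF_PERM = 0x04   # static entry; such entries show flags 0x6, not 0x2

# Constructed sample of /proc/net/arp: IP, HW type, Flags, HW address, Mask, Device.
ARP_TABLE_SAMPLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:14:7f:72:cd:05     *        eth0
192.168.0.2      0x1         0x6         00:90:f5:33:e2:f2     *        eth0
192.168.0.77     0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def parse_proc_net_arp(text, device=None):
    """Return {IPv4Address: flags} for the ARP table, optionally for one interface."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, _mac, _mask, dev = fields[:6]
        if device is not None and dev != device:
            continue
        table[ipaddress.ip_address(ip)] = int(flags, 16)
    return table


def classify(ip, arp_table, ping_replied):
    """Combine ARP-table evidence with a ping result for one address."""
    ip = ipaddress.ip_address(ip)
    flags = arp_table.get(ip)
    if flags is not None and flags & ATF_COM:
        return "in use"           # a MAC answered ARP; ICMP may simply be filtered
    if ping_replied:
        return "in use"           # answered ICMP without a local ARP entry (e.g. routed)
    if flags is not None:
        return "probably free"    # ARP request was sent, nobody claimed the address
    return "unknown"              # never ARPed and no ICMP reply: off, filtered or free


def free_candidates(network, arp_table, ping_results):
    """Addresses of `network` for which the kernel asked via ARP and got no owner."""
    net = ipaddress.ip_network(network, strict=False)
    return [str(ip) for ip in net.hosts()
            if classify(ip, arp_table, ping_results.get(str(ip), False)) == "probably free"]


if __name__ == "__main__":
    table = parse_proc_net_arp(ARP_TABLE_SAMPLE, device="eth0")
    for ip in ("192.168.0.1", "192.168.0.2", "192.168.0.77", "192.168.0.200"):
        print(ip, classify(ip, table, ping_replied=False))
    print("candidates:", free_candidates("192.168.0.0/24", table, {}))
```

To use it for real, ping every address first (that populates the ARP table with complete or incomplete entries), then read `open("/proc/net/arp").read()` into `parse_proc_net_arp`; "unknown" addresses are the ones that still need a check against the DHCP server.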
This should do it right in bash:

#!/bin/bash

# export the locale so the ping child process prints the English message we grep for
# (a plain assignment would not reach ping)
export LC_ALL=C
export LANG=C

# retrieve network prefix from user input
read -p "Input your network (example: 192.168.0): " my_net

for i in $(seq 1 254);
do
  ip="$my_net.$i"
  # -W1: wait at most one second per address so a silent host does not stall the loop
  check="$(ping -c1 -W1 "$ip" 2>&1)"
  if [ "$(grep "Unreachable" <<<"$check")" != "" ]
  then
    echo "$ip is unreachable"
  fi
done
Videonauth
I think it is simpler

# my_net defines my Net_ID
export LC_ALL=C   # ping must print the English "Unreachable" we grep for
my_net=192.168.1.
for i in $(seq 1 254);
do
  ip="$my_net$i"
  # Linux ping prints "Destination Host Unreachable" (not fping's "is unreachable"),
  # and field 1 of that line is the word "From", so print the target address instead
  ping -c2 -W1 "$ip" | grep -q "Unreachable" && echo "$ip" &
done
wait   # let the 254 background pings finish before the prompt returns
  • You may want to have a look at your code. In my subnet it shows me all IPs even those which are taken. – Videonauth May 24 '16 at 12:40
  • No, I tested it and it works fine for me; in fact you can't see those IP addresses as alive because I added grep `"is unreachable"`, or if you like, change it to `grep -v time`; maybe that works fine for you. – user3607303 May 24 '16 at 13:49