Finding IP addressed in a range

C

CefiroZ

Limp Gawd
Joined
Jan 17, 2004
Messages
218
I have a block of IP addresses that an internal network uses and I need to find which IPs are being used and which aren't. One problem I've thought of is that there are quite a few devices that are a printer, phone, or other device that may not respond to a ping command or something like that. Does anyone know of a simple way to find which IPs are being used and which aren't?
 
tcp devices should respond to a ping if they are following standard behavior ( unless they've been told to silently drop the packets, but you'd know if you had done that ).

nmap is a fun tool for finding devices on your network. Lacking that, I would look for tools that listened to ARP traffic, although this will require your devices all being on a hub.

Honestly though, I would expect your devices to respond to pings, so nmap should be all you need.
 
Check the router's arp table. If the devices have been talking on the network, the router in their subnet will have them listed in the arp table. A device which hasn't used the network in a while will have fallen out of that list, but its a start.

'show ip arp' on a Cisco router.
 
You would do better to do the "show ip arp" on the switches. You will only see information on ARP in the router if the devices have needed to communicate with other subnets. If the devices never send information out to other subnets then the router will not see them.
 
BollWeevil said:
Arping has worked for me in the past. A manufacturer can selectively choose whether or not a device responds to ICMP requests, but a device must respond to arp requests or else communication with it wouldn't be possible over TCP/IP.

http://www.netadmintools.com/html/arping.man.html
Click to expand...

Do you--or anyone else for that matter--know of a tool that can automate this over a range of IP addresses?

XOR: I tried nmap and it seems to be a useful tool, much like netcat, but the -sP scan always responded that an IP was up and running. I'm wondering if it wasn't going through the firewall properly (although they are internal IP's so it shouldn't be doing anything to those).

Thanks for all the reponses everyone!
 
Well, a quick way to do it is to wrap a perl script around arping.

Code: 
#!/usr/bin/perl

use strict;
use warnings;

# config
my $interface = "eth0";
my $subnet    = "192.168.1";
my $starthost = 1;
my $stophost  = 254;
my $arping    = "/sbin/arping";
# end config

my $cmd;
my $ipaddr;
my @response;
my $line;
my $found;

my %result;

my $host = $starthost;

while ( $host <= $stophost )
{
   $ipaddr = "$subnet\.$host";
   $cmd = "$arping -I $interface -c 1 $ipaddr";

   @response = `$cmd`;

   $found = 0;
   foreach $line ( @response )
   {
     # Unicast reply from 192.168.1.1 [00:E1:A7:66:41:EB]  4.530ms
     if ( $line =~ m/^Unicast reply from \d+\.\d+\.\d+\.\d+ \[([A-F0-9:]+)\]/ )
     {
       $result{$ipaddr} = $1;
       $found = 1;
     }
   }
   if ( $found != 1 )
   {
     $result{$ipaddr} = "none";
   }

   print "$ipaddr\t" . $result{$ipaddr} . "\n";
   $host++;
}
 
You must log in or register to reply here.
Back
Top