Linux – How to Find Unused IP Addresses on Your Network

Tags: ip, linux-networking, networking, rhel6

I've got access to two computers (A and B) on a network. Both have got a static IP address with a subnet mask of 255.255.255.128 (I checked that a DHCP server was not being used). I want to configure multiple IP addresses on the same machine and hence I want to know which IP addresses are already being used in the subnet.

From an earlier question, I tried the nmap -sP -PR 172.16.128.* command, but I'm skeptical about its result as the same command gives different results on my two computers (A and B). On A, the result shows a list of 8 IP addresses which are (supposedly) already being used, including those of A and B.

Nmap done: 256 IP addresses (8 hosts up) scanned in 1.23 seconds

But on B, the result is different, i.e.,

Nmap done: 256 IP addresses (0 hosts up) scanned in 0.00 seconds

The result on B is not even showing its own IP address as well as the IP address of A!

What exactly am I doing wrong here? Is there any foolproof way in Red Hat Linux (RHEL) of discovering all IP addresses being used in the subnet of which my computer is a part?

RHEL: 6.5
Nmap version: 5.51

Best Answer

Any well-behaved device on an Ethernet LAN is free to ignore nearly any traffic, so PINGs, port scans, and the like are all unreliable. Devices are not, however, free to ignore ARP requests, afaik. Given that you specify you're scanning a local network, I find the least-fragile method of doing what you want is to try to connect to a remote address, then look in my ARP cache.

Here's a simple, non-filtering device (i.e., one which isn't configured to ignore some classes of IP traffic):

[me@risby tmp]$ ping -c 1 -W 1 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
64 bytes from 192.168.3.1: icmp_seq=1 ttl=64 time=0.351 ms
[...]
[me@risby tmp]$ arp -a -n|grep -w 192.168.3.1
? (192.168.3.1) at b8:27:eb:05:f5:71 [ether] on p1p1

Here's a filtering device (one configured with a single line of iptables to ignore all traffic):

[me@risby tmp]$ ping -c 1 -W 1 192.168.3.31
[...]
1 packets transmitted, 0 received, 100% packet loss, time 0ms
[me@risby tmp]$ arp -a -n|grep -w 192.168.3.31
? (192.168.3.31) at b8:27:eb:02:e4:46 [ether] on p1p1

Here's a device that's just down; note the lack of a MAC address:

[me@risby tmp]$ ping -c 1 -W 1 192.168.3.241
[...]
1 packets transmitted, 0 received, 100% packet loss, time 0ms
[me@risby tmp]$ arp -a -n|grep -w 192.168.3.241
? (192.168.3.241) at <incomplete> on p1p1

This method's not infallible - it misses devices that are turned off, for one thing - but it's the least-dreadful method I've yet tried.

Edit: Eric Duminil, yes, it only works on a local network; see paragraph one.

Vishal, the methods are functionally identical. Note the text quoted in Leo's answer about nmap:

When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless --send-ip was specified.

His method involves less typing. Mine can be done without privilege, and may give you a better understanding of what's actually happening. But the same thing is done on the wire in both cases.
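The ping-then-ARP-cache check from the answer, turned into a sweep of the asker's subnet. This is an added example, not code from the answer; it assumes ping and arp are available on the scanning host, that the host is on the same LAN (ARP only works locally), and that the /25 in question covers hosts 172.16.128.1 to 172.16.128.126.

```shell
#!/bin/sh
# Added example: force an ARP exchange with every address in the subnet by
# pinging it, then read the kernel ARP cache. An entry with a MAC address
# means the address is in use (even if the host drops ICMP); "<incomplete>"
# means nobody answered the ARP request, so the address looks free.

# Classify one "arp -a -n" line, e.g.
#   ? (192.168.3.1) at b8:27:eb:05:f5:71 [ether] on p1p1
# Prints "used <ip> <mac>" or "free <ip>"; returns 1 if the line is not an ARP entry.
classify_arp_line() {
    ip=$(printf '%s\n' "$1" | sed -n 's/^? (\([0-9.]*\)) at .*/\1/p')
    mac=$(printf '%s\n' "$1" | sed -n 's/^? ([0-9.]*) at \([^ ]*\) .*/\1/p')
    [ -n "$ip" ] || return 1
    case "$mac" in
        '<incomplete>'|'') printf 'free %s\n' "$ip" ;;
        *)                 printf 'used %s %s\n' "$ip" "$mac" ;;
    esac
}

# Sweep hosts <first>..<last> of the /24-style prefix <prefix> (e.g. 172.16.128),
# then classify every cache entry for that prefix. Pings run in parallel
# since each only needs to trigger an ARP request, not succeed.
sweep_subnet() {
    prefix=$1; first=$2; last=$3
    i=$first
    while [ "$i" -le "$last" ]; do
        ping -c 1 -W 1 "$prefix.$i" >/dev/null 2>&1 &
        i=$((i + 1))
    done
    wait
    arp -a -n | grep -F "($prefix." | while IFS= read -r line; do
        classify_arp_line "$line"
    done
}

# Usage (assumed subnet from the question): sh thisscript.sh 172.16.128 1 126
if [ "$#" -ge 3 ]; then
    sweep_subnet "$1" "$2" "$3" | sort -t. -k4 -n
fi
```

Addresses that never appear in the output were not in the cache at all; rerun the sweep, or check them individually as in the answer, before treating them as free.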