Tuesday, May 20, 2008
9:37 AM

Ping or nmap to identify machines on the LAN

You can use ping or nmap to find out what machines are currently on the local network.

The first method involves pinging the LAN broadcast address.

To find out the broadcast address of the local network:
$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 01:1B:6B:D8:B1:26
inet addr:192.168.0.103 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20b:6aff:fed0:bb04/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:70324 errors:0 dropped:0 overruns:0 frame:0
TX packets:69429 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28758708 (27.4 MiB) TX bytes:9680092 (9.2 MiB)
Interrupt:177 Base address:0xdc00


From the ifconfig output, we determine that the broadcast address is 192.168.0.255. Now, we ping the broadcast address.

$ ping -b -c 3 -i 20 192.168.0.255
WARNING: pinging broadcast address
PING 192.168.0.255 (192.168.0.255) 56(84) bytes of data.
64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.208 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=150 time=0.625 ms (DUP!)
64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.218 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=150 time=0.646 ms (DUP!)
64 bytes from 192.168.0.100: icmp_seq=3 ttl=64 time=0.217 ms

--- 192.168.0.255 ping statistics ---
3 packets transmitted, 3 received, +2 duplicates, 0% packet loss, time 39998ms
rtt min/avg/max/mdev = 0.208/0.382/0.646/0.207 ms


Note that:
-b is required in order to ping a broadcast address.
-c is the count (3) of echo requests (pings) it will send.
-i specifies the interval in seconds between sending each packet. You need to specify an interval long enough to give all the hosts in your LAN enough time to respond.

The ping method does not guarantee that every system on the LAN will be found, because some hosts are configured not to reply to broadcast pings, or not to reply to ICMP echo requests at all.

The second method uses nmap. While nmap is better known for its port scanning capabilities, nmap is also very dependable for host discovery.

You can run nmap either as a non-root user or as root. For a non-root user, nmap reports only the IP address of each host it finds.
$ nmap -sP 192.168.0.1-254

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-19 17:02 PDT
Host 192.168.0.1 appears to be up.
Host 192.168.0.100 appears to be up.
Host 192.168.0.103 appears to be up.
Nmap finished: 254 IP addresses (3 hosts up) scanned in 2.507 seconds


If you run nmap as root, you will also get the MAC address:
$ nmap -sP 192.168.0.1-254

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-19 18:06 PDT
Host 192.168.0.1 appears to be up.
MAC Address: 03:05:6D:2D:87:B3 (The Linksys Group)
Host 192.168.0.100 appears to be up.
MAC Address: 00:07:95:A9:3A:77 (Elitegroup Computer System Co. (ECS))
Host 192.168.0.103 appears to be up.
Nmap finished: 254 IP addresses (3 hosts up) scanned in 5.900 seconds



-sP instructs nmap to only perform a ping scan to determine if the target host is up; no port scanning or operating system detection is performed.
By default, the -sP option causes nmap to send an ICMP echo request and a TCP packet to port 80.

Using either ping or nmap, you can find out what machines are connected to your LAN.
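A small helper script, added here and not part of the original post, that automates both steps above: it computes the broadcast address from the address/mask pair ifconfig prints, and parses the nmap -sP output format shown into "ip mac" lines that are checked against a known-host baseline so an unexpected device on the LAN stands out. The scan text is copied from the root run above plus one constructed host (192.168.0.150), and the KNOWN list is an assumed baseline.

```shell
# Added example, not from the original post: derive the broadcast address the
# ping method needs, then turn nmap -sP output into "ip mac" lines checked
# against a known-host list so an unexpected LAN device stands out.

# broadcast_addr ADDRESS NETMASK: per octet, address OR (NOT mask).
broadcast_addr() {
    oldifs=$IFS; IFS=.
    set -- $1 $2                   # $1-$4 address octets, $5-$8 mask octets
    IFS=$oldifs
    printf '%d.%d.%d.%d\n' $(( $1 | (255 - $5) )) $(( $2 | (255 - $6) )) \
                           $(( $3 | (255 - $7) )) $(( $4 | (255 - $8) ))
}

# parse_scan: nmap -sP output on stdin -> one "ip mac" line per host found;
# hosts listed without a MAC line (non-root runs, the scanner itself) get "-".
parse_scan() {
    awk '
        function flush() { if (ip != "") print ip, mac; ip = ""; mac = "-" }
        BEGIN                       { mac = "-" }
        /^Host .* appears to be up/ { flush(); ip = $2 }
        /^MAC Address:/             { mac = $3 }
        END                         { flush() }
    '
}

# unknown_hosts "KNOWN ...": keep scanned hosts whose MAC (or IP, when no MAC
# was reported) is absent from the space-separated known list.
unknown_hosts() {
    awk -v known="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        { key = ($2 == "-") ? $1 : $2 }
        !(key in seen) { print }
    '
}

# Scan text copied from the post's root run, plus one constructed host (.150).
SAMPLE_SCAN='Host 192.168.0.1 appears to be up.
MAC Address: 03:05:6D:2D:87:B3 (The Linksys Group)
Host 192.168.0.100 appears to be up.
MAC Address: 00:07:95:A9:3A:77 (Elitegroup Computer System Co. (ECS))
Host 192.168.0.103 appears to be up.
Host 192.168.0.150 appears to be up.
MAC Address: 00:11:22:33:44:55 (Constructed Example Vendor)
Nmap finished: 254 IP addresses (4 hosts up) scanned in 5.900 seconds'
# Assumed baseline: router and PC by MAC, the scanning box (.103, no MAC line) by IP.
KNOWN='03:05:6D:2D:87:B3 00:07:95:A9:3A:77 192.168.0.103'

# Live use: replace SAMPLE_SCAN with the output of "nmap -sP 192.168.0.1-254"
# run as root (newer nmap releases spell this scan type -sn).
report_unknown() { printf '%s\n' "$SAMPLE_SCAN" | parse_scan | unknown_hosts "$KNOWN"; }
```

Running report_unknown on the sample prints only the constructed 192.168.0.150 host, since its MAC is not in the baseline.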
