Finding All Hosts On the LAN From Linux / Windows Workstation

Last updated March 5, 2008

Q. How do I find out if all host computers on the LAN are alive or dead from a Linux or Windows XP computer? My network subnet range is 192.168.1.0/24 and I’m using dual boot Debian Linux / XP SP2 computer.

A. You can use the normal ping command inside a shell loop to print a list of the LAN computers that are up from a shell prompt.

Linux / UNIX one liner to ping all hosts on the LAN

Type the following command and press Enter:
$ for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip>/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
Output:

192.168.1.1 UP
192.168.1.1 UP
192.168.1.2 UP
192.168.1.5 UP
......
...
..
192.168.1.254 UP

See previous article: Simple Linux and UNIX system monitoring with ping command and scripts.

A Note About Windows Workstation

If you are using Windows 2000 / XP / Vista, try the following at the DOS / NT command prompt (Start > Run > CMD > Enter key):
C:\> for /L %I in (1,1,254) DO ping -w 30 -n 1 192.168.1.%I | find "Reply"
Read the cmd.exe help page and batch scripting documentation for more information.
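
The Linux ping loop above only reports hosts that answer ICMP echo. As an added example (not part of the original article), the script below cross-checks a sweep against the kernel neighbour (ARP) table to separate on-link hosts that drop ping from replies that were routed in from another segment. The function names, the use of `ip -4 neigh`, and the sample addresses and MACs are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# sweep PREFIX: addresses in PREFIX.1-254 that answer one ICMP echo (1 s timeout).
sweep() {
    for i in $(seq 1 254); do
        ( ping -c 1 -W 1 "$1.$i" >/dev/null 2>&1 && echo "$1.$i" ) &
    done
    wait
}

# classify PREFIX PING_FILE NEIGH_FILE
#   PING_FILE = sweep output, NEIGH_FILE = saved output of `ip -4 neigh`
#   icmp+arp  on-link host that answers ping
#   arp-only  on-link host that resolved via ARP but dropped the echo
#   icmp-only reply with no neighbour entry: routed from elsewhere, or this host
classify() {
    awk -v p="$1." '
        FILENAME == ARGV[1] { icmp[$1] = 1; next }
        index($1, p) == 1 {            # neighbour line inside the prefix
            for (i = 2; i < NF; i++) if ($i == "lladdr") arp[$1] = $(i + 1)
        }
        END {
            for (h in icmp) print h, ((h in arp) ? "icmp+arp " arp[h] : "icmp-only")
            for (h in arp) if (!(h in icmp)) print h, "arp-only " arp[h]
        }' "$2" "$3" | sort -t. -k4,4n
}

# demo: classify constructed sample data (addresses and MACs are made up).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 192.168.1.1 192.168.1.2 192.168.1.226 >"$d/ping"
    cat >"$d/neigh" <<'EOF'
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.2 dev eth0 lladdr 02:00:00:00:00:02 STALE
192.168.1.5 dev eth0 lladdr 02:00:00:00:00:05 REACHABLE
192.168.1.7 dev eth0 FAILED
192.168.10.9 dev eth1 lladdr 02:00:00:00:00:09 REACHABLE
EOF
    classify 192.168.1 "$d/ping" "$d/neigh"
    rm -rf "$d"
}

# Live use: pass the /24 prefix, e.g. 192.168.1; with no argument, run the offline demo.
if [ "$#" -gt 0 ]; then
    t=$(mktemp -d) && sweep "$1" >"$t/ping" && ip -4 neigh >"$t/neigh" &&
        classify "$1" "$t/ping" "$t/neigh"
    rm -rf "$t"
else
    demo
fi
```

STALE neighbour entries can predate the sweep, so confirm an arp-only result (for example with arping) before recording the host as present.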

43 comments

  1. You would probably use
    "for ip in $(perl -e '$,="\n"; print 0 .. 8;') ; do ping -c 1 192.168.1.$ip>/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done"
    on non GNU/Linux system, as seq does not exist on Solaris and OSX.

  2. Ups, this is nicer, and faster.
    for ip in $(perl -e '$,="\n"; print 1 .. 254;') ; do ping -t 1 -c 1 192.168.1.$ip>/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

    I’ve added a 1 sec. timeout on ping.

  3. I generally just use "ping -b 192.168.1.255", which broadcasts a ping to the whole network at once.

  4. What about Windows machines with the MS firewall, which by default forbids ICMP reply?
    Maybe one must use the ARP cache after ping.

  5. If a host on your local network won’t answer on a ping request you could try arping, which does an arp request.
    arping 192.168.1.1
    ARPING 192.168.1.1 from 192.168.1.226 eth0
    Unicast reply from 192.168.1.1 [00:01:02:xx:xx:xx] 0.668ms

    Another method is simply using nmap:
    nmap -sP 192.168.1.0/24

  6. Something wrong with prev. comment… (< and > char)

    for (( ip=1 ; ip<=254 ; ip++ )); do ping -c 1 -t 1 192.168.1.$ip>/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

  7. Won't this command do?

    nbtscan 10.0.0.1-125

    This checks all the computers whose IP addresses are in the range 10.0.0.1 to 10.0.0.125 and displays only those which are ON and connected to the network!

  8. Even faster (produces a little bit of confusing output in the beginning but it does the job fast):

    for ip in $(perl -e '$,="\n"; print 1 .. 254;') ; do ping -t 1 -c 1 192.168.146.$ip > /dev/null && echo "192.168.146.$ip UP" >> hosts.log || : & sleep 0.02; done; sleep 1;cat hosts.log;rm hosts.log

  9. smbtree -SN |grep \\\\ |cut -f2 |cut -d"\\" -f3

    will give a list of netbios host responding on broadcast address
    (smbtree is part of the samba suite)

  10. Here’s a batch file I made that pings any range of addresses:

    @echo off & For /L %%i in (%4,1,255) do @ping -n 1 %1.%2.%3.%%i | find "Received = 0" >nul & if errorlevel 1 @echo %1.%2.%3.%%i

    most of the code is to tidy the output up. Save as PINGER.bat

    Type:
    PINGER 192 168 0 0
    **without** the dots to find the range 192.168.0.0 to 192.168.0.255
    or any other address PINGER 145 233 2 0 etc
    cheers

  11. Thanks for ‘nast -m’ tip (3 years later ;) ) – liked it best.

    @ lina – check out casper’s comment regarding non-Linux systems

  12. Using cygwin on Windows, this did not work as expected.
    It produced
    192.168.1.1 UP

    192.168.1.100 UP

    for every IP address.

    Problem is, this network is 192.168.2.1, not 192.168.1.1

    Further investigation:
    ping 192.168.2.1 produced a response from an IP from the ISP.

    Know and Test what you are doing!

  13. Hi, I can't find all hosts with nmap -sP 10.6.0.0/24
    I know that the Mikrotik router has the IP address 10.6.0.1; how can I find ALL hosts on the subnet with nmap? Which mode of nmap do I have to use for this?
    Could you help me, please? Thanks a lot.

    Lukas

  14. Hi all,

    I tested four proposed solutions on the same lan within the same hour :

    1- for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip>/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
    *** 26 hosts ***

    2- nmap -sP 192.168.1.0/24
    *** 18 hosts ***

    3- nast -m -i eth0
    *** 32 hosts (31 if I exclude the broadcast address) ***

    4- arp-scan -l -I eth0
    *** 35 hosts (32 if I exclude the lan address, the broadcast address and a duplicate host address of a vmware VM which is not discovered by the other tools) ***

    My preferred tool is arp-scan, for several reasons:

    1- It finds the max of hosts,
    2- It is the fastest (flash speed),
    3- It provides additional information about the NIC when possible.

    Thanks for this very interesting topic and the comments.

  15. Hi,

    Could anybody please give me some clue how to identify what is on the following IP addresses, obtained with the sudo arp -a command:
    ? (192.168.1.207) at on eth1
    ? (192.168.1.1) at 00:22:3f:ad:c4:be [ether] on eth1
    ? (192.168.1.51) at on eth1
    ? (192.168.1.204) at on eth1
    ? (192.168.1.254) at on eth1
    ? (192.168.1.151) at on eth1
    ? (192.168.1.48) at on eth1
    ? (192.168.1.98) at on eth1
    ? (192.168.1.251) at on eth1
    ? (192.168.1.45) at on eth1
    ? (192.168.1.198) at on eth1
    ? (192.168.1.95) at on eth1
    ? (192.168.1.145) at on eth1
    ? (192.168.1.86) at on eth1
    ? (192.168.1.33) at on eth1
    ? (192.168.1.186) at on eth1
    ? (192.168.1.83) at on eth1
    ? (192.168.1.236) at on eth1
    ? (192.168.1.133) at on eth1
    ? (192.168.1.30) at on eth1
    ? (192.168.1.183) at on eth1
    ? (192.168.1.130) at on eth1
    ? (192.168.1.77) at on eth1
    ? (192.168.1.127) at on eth1
    ? (192.168.1.74) at on eth1
    ? (192.168.1.227) at on eth1
    ? (192.168.1.238) at on eth1
    ? (192.168.1.135) at on eth1
    ? (192.168.1.29) at on eth1
    ? (192.168.1.26) at on eth1
    ? (192.168.1.179) at on eth1
    ? (192.168.1.229) at on eth1
    ? (192.168.1.126) at on eth1
    ? (192.168.1.23) at on eth1
    ? (192.168.1.176) at on eth1
    ? (192.168.1.20) at on eth1
    ? (192.168.1.173) at on eth1
    ? (192.168.1.220) at on eth1
    ? (192.168.1.167) at on eth1

    Thanks in advance,
    M.

  16. @masuch: looks like you have a netgear router attached at 192.168.1.1 (based on the mac address). and no other machines attached.

  17. One second

    #!/bin/bash
    for ip in 192.168.0.{1..254}; do
    ping -c 1 -W 1 $ip | grep "64 bytes" &
    done

    1. 0,5 second with the first post ;)

      #!/bin/bash
      
      for ip in $(seq 1 254)
              do ping -c 1 "192.168.0.$ip">/dev/null
                 # report the same address that was pinged
                 [ $? -eq 0 ] && echo "192.168.0.$ip UP" || echo "192.168.0.$ip DOWN..."
              done
      
  18. nmap -sn ip/subnet
    like if subnet mask is 255.255.254.0, and your ip is 192.168.1.3
    then: nmap -sn 192.168.1.0/23

    Research subnets.

  19. I think the first example should be updated to make use of Bash’s brace expansion, for which this is a textbook use case… Following is an outline of various network browsing/scanning utilities and their associated time.

    # manual ping scan
    # real	1m48.064s
    netscan(){
        for ip in 192.168.1.{1..254}; do
            if ping -c1 -W1 "$ip" &>/dev/null; then
                echo "$ip"
            fi
        done
    }
     
    # manual ping scan
    # real	0m1.077s
    echo 192.168.1.{1..254} | xargs -n1 -P0 ping -c1 -W1 | grep -oP '(?/dev/null | sort -V
     
    # scan network for NetBIOS name information
    # real	0m4.015s
    nbtscan -q 192.168.1.0/24
    sudo nbtscan -qr 192.168.1.0/24  # use local port 137
     
    # show tree of samba servers in the network
    smbtree -NS 2>/dev/null
     
    # display network mDNS/DNS-SD services
    # (remove -l to include local services)
    avahi-browse -alt
    avahi-browse -alrt  # resolve services
     
    # dump ARP cache
    arp
    arp -a  # no fixed columns
     
    # show ARP and NDISC cache
    ip neigh
  20. One of the examples was cut off… should have been

    # manual ping scan
    # real	0m1.077s
    echo 192.168.1.{1..254} | \
    xargs -n1 -P0 ping -c1 -W1 | \
    grep -oP '(?<=bytes from ).*(?=:)' | \
    sort -V
    
