CLI: Pinging/scanning a range of IPs

📄 Wiki page | 🕑 Last updated: Apr 1, 2023

You can use nmap to quickly ping/scan a whole range of IPs.

If you don't have nmap installed already, you can install it with your distribution's package manager (run as root or with sudo):

# deb-based (Debian, Ubuntu, Mint, Raspbian, Kali, etc.)
apt install nmap

# rpm-based (Fedora, CentOS, etc.)
dnf install nmap

# Arch
pacman -S nmap

# Alpine
apk add nmap

Scanning IPs

This command will scan all addresses in the range from 127.0.0.1 to 127.0.0.5.

nmap -sn 127.0.0.1-5

Example result:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-01 13:25 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Nmap scan report for 127.0.0.2
Host is up (0.00030s latency).
Nmap scan report for 127.0.0.3
Host is up (0.00022s latency).
Nmap scan report for 127.0.0.4
Host is up (0.00019s latency).
Nmap scan report for 127.0.0.5
Host is up (0.00016s latency).
Nmap done: 5 IP addresses (5 hosts up) scanned in 0.00 seconds

To scan a whole subnet, you can also use CIDR notation:

nmap -sn 127.0.0.0/24

Explanation

The -sn option tells nmap to do only the host discovery part and skip the port scan.

Relevant part of the man page:

       -sn (No port scan)
           This option tells Nmap not to do a port scan after host discovery,
           and only print out the available hosts that responded to the host
           discovery probes. This is often known as a “ping scan”, but you can
           also request that traceroute and NSE host scripts be run. This is
           by default one step more intrusive than the list scan, and can
           often be used for the same purposes. It allows light reconnaissance
           of a target network without attracting much attention. Knowing how
           many hosts are up is more valuable to attackers than the list
           provided by list scan of every single IP and host name.

           Systems administrators often find this option valuable as well. It
           can easily be used to count available machines on a network or
           monitor server availability. This is often called a ping sweep, and
           is more reliable than pinging the broadcast address because many
           hosts do not reply to broadcast queries.

           The default host discovery done with -sn consists of an ICMP echo
           request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP
           timestamp request by default. When executed by an unprivileged
           user, only SYN packets are sent (using a connect call) to ports 80
           and 443 on the target. When a privileged user tries to scan targets
           on a local ethernet network, ARP requests are used unless --send-ip
           was specified. The -sn option can be combined with any of the
           discovery probe types (the -P* options, excluding -Pn) for greater
           flexibility. If any of those probe type and port number options are
           used, the default probes are overridden. When strict firewalls are
           in place between the source host running Nmap and the target
           network, using those advanced techniques is recommended. Otherwise
           hosts could be missed when the firewall drops probes or their
           responses.

           In previous releases of Nmap, -sn was known as -sP.

Note: although this exact use of nmap is relatively harmless, always be careful when you're using nmap (and similar tools) on public IP addresses.
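
The man page excerpt above mentions counting available machines and monitoring server availability. As an added example (not part of the original page; the function names and the embedded sample output are constructed for illustration), this script extracts the live IPs from nmap -sn output and compares them with the hosts you expect to be up:

```shell
#!/bin/sh
# Added example: turn `nmap -sn` output into a list of live IPs and
# compare it with an expected inventory. Function names are hypothetical.

# Constructed sample in the format of the example result above, plus one
# "[host down]" line as printed when -v is added.
sample_scan() {
    cat <<'EOF'
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-01 13:25 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Nmap scan report for 127.0.0.2
Host is up (0.00030s latency).
Nmap scan report for 127.0.0.3 [host down]
Nmap scan report for 127.0.0.9
Host is up (0.00016s latency).
Nmap done: 4 IP addresses (3 hosts up) scanned in 0.00 seconds
EOF
}

# Read nmap normal output on stdin, print one IP per host reported up.
up_hosts() {
    awk '
        /^Nmap scan report for / {
            ip = ""
            if ($0 !~ /\[host down\]$/) {
                ip = $NF            # "127.0.0.2" or "(127.0.0.1)"
                gsub(/[()]/, "", ip)
            }
            next
        }
        /^Host is up/ && ip != "" { print ip; ip = "" }
    '
}

# Read live IPs on stdin; arguments are the IPs expected to be up.
compare_inventory() {
    awk -v expected_list="$*" '
        BEGIN { n = split(expected_list, a, " ")
                for (i = 1; i <= n; i++) expected[a[i]] = 1 }
        NF    { seen[$1] = 1
                if (!($1 in expected)) print "UNKNOWN " $1 }
        END   { for (ip in expected) if (!(ip in seen)) print "MISSING " ip }
    ' | sort
}

sample_scan | up_hosts | compare_inventory 127.0.0.1 127.0.0.2 127.0.0.3
```

For a real check, replace sample_scan with the actual command, e.g. nmap -sn 127.0.0.1-5. As the man page text above says, an unprivileged run only sends connect probes to ports 80 and 443, so a host that filters both can be listed as MISSING even though it is online.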

