CLI: Pinging∕scanning a range of IPs📄 OneThingWell.dev wiki page | 🕑 Last updated: Apr 1, 2023
You can use
nmap to quickly ping/scan a whole range of IPs.
If you don't have nmap already installed, you can install it with:
# deb-based (Debian, Ubuntu, Mint, Raspbian, Kali, etc.)
apt install nmap
# rpm-based (Fedora, CentOS, etc.)
dnf install nmap
pacman -S nmap
apk add nmap
This command will scan all addresses in the range from
nmap -sn 127.0.0.1-5
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-01 13:25 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Nmap scan report for 127.0.0.2
Host is up (0.00030s latency).
Nmap scan report for 127.0.0.3
Host is up (0.00022s latency).
Nmap scan report for 127.0.0.4
Host is up (0.00019s latency).
Nmap scan report for 127.0.0.5
Host is up (0.00016s latency).
Nmap done: 5 IP addresses (5 hosts up) scanned in 0.00 seconds
To scan the whole subnet, you can also use this notation:
nmap -sn 127.0.0.0/24
-sn option tells
nmap to do only the discovery part, skipping the port scanning.
Relevant part of the man page:
-sn (No port scan)
This option tells Nmap not to do a port scan after host discovery,
and only print out the available hosts that responded to the host
discovery probes. This is often known as a “ping scan”, but you can
also request that traceroute and NSE host scripts be run. This is
by default one step more intrusive than the list scan, and can
often be used for the same purposes. It allows light reconnaissance
of a target network without attracting much attention. Knowing how
many hosts are up is more valuable to attackers than the list
provided by list scan of every single IP and host name.
Systems administrators often find this option valuable as well. It
can easily be used to count available machines on a network or
monitor server availability. This is often called a ping sweep, and
is more reliable than pinging the broadcast address because many
hosts do not reply to broadcast queries.
The default host discovery done with -sn consists of an ICMP echo
request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP
timestamp request by default. When executed by an unprivileged
user, only SYN packets are sent (using a connect call) to ports 80
and 443 on the target. When a privileged user tries to scan targets
on a local ethernet network, ARP requests are used unless --send-ip
was specified. The -sn option can be combined with any of the
discovery probe types (the -P* options, excluding -Pn) for greater
flexibility. If any of those probe type and port number options are
used, the default probes are overridden. When strict firewalls are
in place between the source host running Nmap and the target
network, using those advanced techniques is recommended. Otherwise
hosts could be missed when the firewall drops probes or their
In previous releases of Nmap, -sn was known as -sP.
Note: although this exact use of nmap is relatively harmless, always be careful when you're using nmap (and similar tools) on public IP addresses.
Comments and suggestions
If you find this site useful in any way, please consider supporting it.