November 19

Linux: Ping scanning without nmap

  1. Usefull for when you don’t have nmap and need to find a missing host. Pings all addresses from 10.1.1.1 to 10.1.1.254, modify for your subnet. Timeout set to 1 sec for speed, if running over a slow connection you should raise that to avoid missing replies. This will clean up the junk, leaving just the IP address:

for i in {1..254}; do ping -c 1 -W 1 10.1.1.$i | grep ‘from’ | cut -d’ ‘ -f 4 | tr -d ‘:’; done Show Sample Output

  1. Waits for all pings to complete and returns ip with mac address

(prefix=”10.59.21″ && for i in seq 254; do (sleep 0.5 && ping -c1 -w1 $prefix.$i &> /dev/null && arp -n | awk ‘ /’$prefix’.’$i’ / { print $1 ” ” $3 } ‘) & done; wait)

  1. This version combines the best of the other suggestions and adds these features: 1. It scans a /16 subnet 2. It is very fast by running the ping commands in the background, running them in parallel. 3. Does not use the “-W” option as that’s not available in older ping versions (I needed this for OS X 10.5)

prefix=”169.254″ && for i in {0..254}; do echo $prefix.$i/8; for j in {1..254}; do sh -c “ping -m 1 -c 1 -t 1 $prefix.$i.$j | grep \”icmp\” &” ; done; done

  1. Not really an easier solution. But an example using && for (if last command returned 0). You can use || for (if last command returned other than 0).

prefix=”10.0.0″ && for i in seq 25; do ping -c 1 $prefix.$i &> /dev/null && echo “Answer from: $prefix.$i” ; done


Copyright 2021. All rights reserved.

Posted November 19, 2021 by Timothy Conrad in category "Linux

About the Author

If I were to describe myself with one word it would be, creative. I am interested in almost everything which keeps me rather busy. Here you will find some of my technical musings. PGP: 4CB8 91EB 0C0A A530 3BE9 6D76 B076 96F1 6135 0A1B