Display list of computers on a LAN in Linux

65

22

I'm a web dev who is trying to get a better handle on security. I'm trying to figure out a way (on Linux/Debian based distros) to list all computers on the same LAN my netbook is on. I tried "arp -n" but I don't feel it's a complete list, as my iPhone is on the same wi-fi router as my netbook, and that didn't come up. Is there some better way to get a full list of machines that are all sharing the same gateway?

CaptSaltyJack

Posted 2011-07-15T17:51:44.963

Reputation: 1 515

2

possible duplicate of "How can I list all IPs in the connected network, through Terminal preferably?"

– Ciro Santilli 新疆改造中心法轮功六四事件 – 2015-09-10T08:29:40.923

Answers

61

Get nmap. It's the program Trinity used in The Matrix and you can do a scan to find all of the devices that are connected to the LAN you're on and more.

Here's the reference guide.

Tyler Faile

Posted 2011-07-15T17:51:44.963

Reputation: 2 706

I thought this is actually a serious website, lol +1 – user10089632 – 2018-02-13T18:29:49.933

you can install using sudo snap install nmap – danilo – 2020-01-26T23:28:42.320

OK. Looks like "sudo nmap -sL 123.123.123.*" is what I'm looking for, or maybe -sP instead of -sL. Thanks! – CaptSaltyJack – 2011-07-15T18:22:06.220

install nmap with sudo apt-get install nmap – saintali – 2013-01-20T18:40:05.900

41

This is what I use: nmap, with the network you want to scan given in CIDR block notation. First you need to install nmap, as it may not come pre-installed with your distro. On Ubuntu:

sudo apt-get install nmap

Next figure out your network address by using ifconfig:

ifconfig

ifconfig output for the interface I want to scan:

wlan1     Link encap:Ethernet  HWaddr 00:1f:3b:03:d2:bf  
          inet addr:192.168.1.104  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21f:3bff:fe03:d2bf/64 Scope:Link
          ...

Use the inet addr and Mask to figure out the network address in CIDR notation, more on CIDR here. The address is:

192.168.1.0/24

Run nmap using -sP parameter, which will scan no further than checking if the host is online:

sudo nmap -sP 192.168.1.0/24

nmap output will look something like this:

Starting Nmap 5.21 ( http://nmap.org ) at 2014-12-09 10:52 EST
Nmap scan report for 192.168.1.1
Host is up (0.013s latency).
MAC Address: -MAC ADDRESS- (Cameo Communications)
...
Nmap done: 256 IP addresses (5 hosts up) scanned in 3.26 seconds

That's it. If you need more help with nmap, see the nmap official documentation, or run:

nmap --help 

radtek

Posted 2011-07-15T17:51:44.963

Reputation: 511

nmap -sA 192.168.1.0/24: the nmap option -sA shows similar descriptive results with better readability, which includes device name, IP, MAC, etc., as with option -sP. I personally prefer -sA over -sP for readability's sake. – Jayzcode – 2016-02-03T10:13:34.257

@Jayzcode On my machine -sA is never returning, while -sP took only 3.73 seconds (detected the router, my PC and another PC). Any idea why? – Rodrigo – 2019-10-15T13:00:43.407

@Rodrigo the -sA option also scans 1000 ports on the hosts, which may take time. It doubled the execution time for me. If you just want to know the list of connected devices, keep the -sP option. – AymDev – 2019-12-31T14:11:29.673

18

arp -n only shows you machines on your LAN that your machine has already talked to. You can get that list to populate better by pinging the broadcast and all-hosts multicast addresses:

The "all ones" (in binary) broadcast address. Note that most IP stacks will translate this to the subnet broadcast addresses for all subnets you're attached to:

ping 255.255.255.255

The subnet broadcast address for your current subnet. So assuming you're on 192.168.1.0/24:

ping 192.168.1.255

The "all hosts" multicast address. I like this one a lot because it's more likely to find hosts configured for other IP subnets, that happen to be attached to the same Ethernet LAN as you:

ping 224.0.0.1

Note that this method, and the other methods I've seen mentioned in other Answers so far, only look for IP-reachable hosts on the current network. That's probably all you need to care about, but it's possible for an attacker to snoop on, or do bad things to, a network without being visible via IP.

Spiff

Posted 2011-07-15T17:51:44.963

Reputation: 84 656
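radtek's answer works out the network address by hand from the "inet addr" and "Mask" fields, and Spiff's answer pings the subnet broadcast address of that network. The script below is an added example, not code from either answer: it derives the network, its broadcast address and the number of addresses a ping sweep will cover, using only the standard-library ipaddress module. It reads both the legacy ifconfig format and the prefix-length format that `ip addr show` prints; the two sample outputs are constructed for this example, and the 172.18.72.53/22 case illustrates a practical point: an interface on a /22 belongs to 172.18.72.0/22, so sweeping only the /24 would cover a quarter of the subnet.

```python
#!/usr/bin/env python3
"""Derive the CIDR block to sweep from an interface's address and mask.

Added example: turns the "inet addr" / "Mask" fields of ifconfig (or the
addr/prefix form of `ip addr`) into the network, broadcast and address count.
"""
import ipaddress
import re

# Constructed sample of legacy ifconfig output (netmask form).
IFCONFIG_SAMPLE = """\
wlan1     Link encap:Ethernet  HWaddr 00:1f:3b:03:d2:bf
          inet addr:192.168.1.104  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21f:3bff:fe03:d2bf/64 Scope:Link
"""

# Constructed sample of `ip addr show` output (prefix-length form).
IP_ADDR_SAMPLE = """\
    inet 172.18.72.53/22 brd 172.18.75.255 scope global wlp3s0
"""


def network_from_addr_mask(addr, mask):
    """Return the IPv4Network containing addr with the given dotted mask.

    ip_interface accepts "host/netmask" as well as "host/prefix", so the
    same call handles 192.168.1.104/255.255.255.0 and 172.18.72.53/22.
    """
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def parse_ifconfig(text):
    """Extract (addr, mask) pairs from legacy ifconfig output."""
    pattern = re.compile(r"inet addr:(\S+).*?Mask:(\S+)")
    return [(m.group(1), m.group(2)) for m in pattern.finditer(text)]


def parse_ip_addr(text):
    """Extract addr/prefix strings from `ip addr` output (IPv4 only)."""
    return re.findall(r"\binet (\d+\.\d+\.\d+\.\d+/\d+)", text)


def scan_targets(text):
    """Return the CIDR blocks (as strings) found in either output format."""
    nets = []
    for addr, mask in parse_ifconfig(text):
        nets.append(str(network_from_addr_mask(addr, mask)))
    for cidr in parse_ip_addr(text):
        nets.append(str(ipaddress.ip_interface(cidr).network))
    return nets


def describe(cidr):
    """Network address, subnet broadcast address and address count."""
    net = ipaddress.ip_network(cidr)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),   # what `ping -b` should target
        "addresses": net.num_addresses,            # nmap's "256 IP addresses" figure
    }


if __name__ == "__main__":
    for target in scan_targets(IFCONFIG_SAMPLE + IP_ADDR_SAMPLE):
        print(target, describe(target))
```

Feed it the real output of `ip addr show <iface>` (or `ifconfig <iface>`) instead of the samples to get the block to pass to `nmap -sn` and the broadcast address to pass to `ping -b`.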

8

ip neigh and host. NO nmap required / NO sudo required.

Building on this, you can build a Python script:

#!/usr/bin/env python

"""List all hosts with their IP address of the current network."""

import os

# Each line of `ip neigh` starts with the neighbour's IP address.
out = os.popen('ip neigh').read().splitlines()
for i, line in enumerate(out, start=1):
    ip = line.split(' ')[0]
    # Reverse-resolve the address; the last word of `host` output is the
    # name (or an error token such as "3(NXDOMAIN)" when there is no PTR record).
    h = os.popen('host {}'.format(ip)).read()
    hostname = h.split(' ')[-1]
    print("{:>3}: {} ({})".format(i, hostname.strip(), ip))

Download via

wget https://gist.githubusercontent.com/MartinThoma/699ae445b8a08b5afd16f7d6f5e5d0f8/raw/577fc32b57a7f9e66fdc9be60e7e498bbec7951a/neighbors.py

(or simply arp ... I didn't see that before)

Martin Thoma

Posted 2011-07-15T17:51:44.963

Reputation: 2 705

or just ip neigh | awk '{ print $1 }' | xargs -n1 host – blockloop – 2017-09-19T02:10:40.593

ip n for short. Maybe better ip n | grep REACHABLE. – Pablo A – 2018-09-19T05:00:44.163
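The neighbour table lists every address the kernel has tried to resolve, including FAILED entries (as the comment on the shell-loop answer below observes), so a raw `ip neigh` listing over-reports. The following parser is an added example, not Martin Thoma's script: it splits each `ip neigh` line into its fields, keeps only entries whose state means the kernel has actually confirmed a link-layer address (REACHABLE, STALE, DELAY, PROBE, PERMANENT), and drops FAILED and INCOMPLETE rows, which is the general form of the `grep REACHABLE` suggestion above. The sample table is constructed for this example; `current_table()` runs the real command and needs no root.

```python
#!/usr/bin/env python3
"""Parse `ip neigh` output and keep only confirmed neighbours.

Added example: NUD (neighbour unreachability detection) states tell you
whether the kernel ever got a link-layer answer from an address.
"""
import subprocess

# Constructed sample of `ip neigh` output.
SAMPLE = """\
192.168.1.1 dev wlan0 lladdr c8:4c:75:76:bd:74 REACHABLE
192.168.1.37 dev wlan0 lladdr 24:de:c6:c6:b6:78 STALE
192.168.1.200 dev wlan0  FAILED
192.168.1.201 dev wlan0  INCOMPLETE
fe80::1 dev wlan0 lladdr c8:4c:75:76:bd:74 router STALE
"""

# States in which the kernel holds a link-layer address it has confirmed at
# some point (see ip-neighbour(8)); STALE just means it has not been re-verified.
CONFIRMED = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}
# States in which resolution never succeeded: no device answered ARP/NDP.
NO_ANSWER = {"FAILED", "INCOMPLETE"}


def parse_neigh(text):
    """Turn each `ip neigh` line into a dict of ip/dev/lladdr/state/router."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        entry = {
            "ip": fields[0],
            "dev": None,
            "lladdr": None,
            "state": fields[-1],          # the NUD state is always the last field
            "router": "router" in fields, # IPv6 flag: neighbour advertised itself as a router
        }
        for key in ("dev", "lladdr"):     # keyword/value pairs, position varies
            if key in fields:
                entry[key] = fields[fields.index(key) + 1]
        entries.append(entry)
    return entries


def live_neighbours(text, ipv4_only=True):
    """Neighbours with a confirmed link-layer address, optionally IPv4 only."""
    live = []
    for entry in parse_neigh(text):
        if entry["state"] not in CONFIRMED or entry["lladdr"] is None:
            continue
        if ipv4_only and ":" in entry["ip"]:
            continue
        live.append(entry)
    return live


def current_table():
    """Run `ip neigh` on this machine (no root needed) and filter it."""
    out = subprocess.run(["ip", "neigh"], capture_output=True, text=True,
                         check=True).stdout
    return live_neighbours(out)


if __name__ == "__main__":
    for entry in live_neighbours(SAMPLE):
        print(f"{entry['ip']:<16} {entry['lladdr']}  {entry['state']}")
```

Combine it with one of the ping-sweep commands on this page first: the sweep populates the table, and this filter reports only the addresses that actually answered.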

4

You could try pinging all of a given subnet with a small Linux shell script, for example:

$ for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip>/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

dmn8

Posted 2011-07-15T17:51:44.963

Reputation: 41

In my case said UP for all and then ip n say FAILED to all. – Pablo A – 2018-09-19T05:00:01.197

4

I didn't find the existing answers satisfying enough, so I thought I'd give it a try. After all, the FAQ suggests providing context for links.

nmap is great, if a little confusing to use. Here's something I run to discover local network devices that's mostly copy-paste-able. nmap -sP (or nmap -sn) scans by pinging. There are other options for 'host discovery', like with nmap -sL or nmap -Pn.

Way #1.

ehtesh@x200arch:~$ # my wireless interface is listed as wlp3s0. Yours could be wlan0 or eth1.
ehtesh@x200arch:~$ ip addr show wlp3s0 | grep "inet "
    inet 172.18.72.53/22 brd 172.18.75.255 scope global wlp3s0
ehtesh@x200arch:~$ arp -a
? (172.18.72.1) at c8:4c:75:76:bd:74 [ether] on wlp3s0
ehtesh@x200arch:~$ nmap -sP 172.18.72.0/24
Starting Nmap 6.41SVN ( http://nmap.org ) at 2013-12-17 20:08 EST
Nmap scan report for 172.18.72.2
Host is up (0.017s latency).
<... 15 IP addresses snipped ...>
Nmap scan report for 172.18.72.253
Host is up (0.13s latency).
Nmap done: 256 IP addresses (17 hosts up) scanned in 5.74 seconds
ehtesh@x200arch:~$ arp -a | sort -n -k 1,1                            
? (172.18.72.126) at ec:35:86:4a:37:d2 [ether] on wlp3s0
? (172.18.72.148) at 10:9a:dd:b8:79:71 [ether] on wlp3s0
? (172.18.72.178) at 9c:20:7b:7b:08:ba [ether] on wlp3s0
? (172.18.72.1) at c8:4c:75:76:bd:74 [ether] on wlp3s0
? (172.18.72.253) at b8:78:2e:19:05:0b [ether] on wlp3s0
? (172.18.72.2) at 00:14:1c:da:e1:c2 [ether] on wlp3s0
? (172.18.72.40) at d8:c7:c8:ca:f9:88 [ether] on wlp3s0
? (172.18.72.43) at d8:c7:c8:ce:0f:60 [ether] on wlp3s0
? (172.18.72.44) at d8:c7:c8:ce:0f:68 [ether] on wlp3s0
? (172.18.72.45) at 6c:f3:7f:c6:71:16 [ether] on wlp3s0
? (172.18.72.46) at 6c:f3:7f:c4:4c:b3 [ether] on wlp3s0
? (172.18.72.47) at d8:c7:c8:ca:f9:88 [ether] on wlp3s0
? (172.18.72.48) at 24:de:c6:c6:b6:78 [ether] on wlp3s0
? (172.18.72.49) at 24:de:c6:c6:b6:e6 [ether] on wlp3s0
? (172.18.72.51) at 00:9c:02:d0:4c:4e [ether] on wlp3s0
? (172.18.72.54) at 00:23:76:99:99:bf [ether] on wlp3s0
? (172.18.72.62) at 8c:70:5a:0d:06:18 [ether] on wlp3s0
? (172.18.72.63) at 7c:e9:d3:51:86:55 [ether] on wlp3s0
? (172.18.72.64) at a0:88:b4:47:eb:c8 [ether] on wlp3s0

Way #2. I know this works, but I can't say if this is the right way to go.

ehtesh@x200arch:~$ #ifconfig | grep broadcast
ehtesh@x200arch:~$ ip address show wlp3s0 | grep brd
    link/ether 00:1e:65:bf:1b:42 brd ff:ff:ff:ff:ff:ff
    inet 172.18.72.53/22 brd 172.18.75.255 scope global wlp3s0
ehtesh@x200arch:~$ ping -b -c 3 -i 20 172.18.75.255
<... similar output to above ...>

I'd be happy to know if there are more effective ways. Until then, I'm sticking to this.

Ehtesh Choudhury

Posted 2011-07-15T17:51:44.963

Reputation: 1 330

3

To scan the status of a range of IP addresses, this is nice and simple:

sudo nmap -sn 192.168.1.2-20

Where:

         -sn: Ping Scan - disable port scan

Note:

  • In previous releases of Nmap, -sn was known as -sP

I did this on Mac OS X (which is based on BSD). I am not sure if the Linux version has any differences.

Sridhar Sarnobat

Posted 2011-07-15T17:51:44.963

Reputation: 870

Brilliant, all I had to do was type: sudo nmap -sP 192.168.178.0-255. This did a scan in the subnet I am in. – Leo Gerber – 2017-10-27T20:07:35.580

3

1. Alternative solution if broadcasts and nmap are not available:

seq 254 | xargs -iIP -P255 ping -c1 192.168.2.IP |grep time=
arp -a

2a. or just ask your domain name server:

seq 254| awk '{print "192.168.2."$1}' |nslookup | grep name

2b. without awk

echo -e 192.168.2.{1..10}"\n" |nslookup |grep name

  1. pings all pingable network devices in the 192.168.2.0/24 subnet in parallel (to reduce run time). Afterwards arp should display every device that answered.

  2. doesn't check for active or current connections, but lists every address for which the local domain name service keeps an entry, even really old ones.

More detailed Explanation:

  • seq 254 to create all numbers from 1 to 254 (for all numbers from 100 to 150: seq 100 150)
  • xargs calls ping and replaces "IP" (-iIP) with the sequence number from stdin, so 192.168.2.IP changes to 192.168.2.1 for the first seq number; -P specifies the number of concurrent ping processes xargs should start, and I chose one more than the number of addresses (254) I'm interested in.
  • ping with the IP address modified by xargs (192.168.2.IP) and only ping once (-c1); you must use the same identifier as specified for xargs via the -i argument, in this case IP
  • grep time= to remove every line containing superfluous information; we are only interested in answers, which provide a round-trip time (= got a response)
  • arp -a to display valid name (IP) pairs

I call this my pingall command and made it available over an alias in ~/.bashrc:

alias pingall='seq 254 | xargs -iIP -P255 ping -c1 192.168.2.IP |grep time='

Don Question

Posted 2011-07-15T17:51:44.963

Reputation: 173

3

You could use fping (sudo apt-get install fping in Debian-like OSs).

fping is similar to ping, but much better performing when pinging multiple hosts. The -r 1 flag tells fping to perform only one round. The 2>1 part allows grep to filter the output.

$ fping -g -r 1 192.168.1.0/24 2>&1 | grep "alive"

Would display something like:

192.168.1.1 is alive
192.168.1.10 is alive
192.168.1.15 is alive
192.168.1.27 is alive

There is also an interesting flag for nmap that would let you see the MAC vendor - if known. Use with sudo in order to see the MAC addresses.

$ sudo nmap -sP 192.168.1.0/24

You would get for instance:

Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-23 18:49 CEST
Nmap scan report for 192.168.1.14
Host is up (-0.036s latency).
MAC Address: 20:F4:1B:E5:8F:7B (Shenzhen Bilian electronic)
Nmap scan report for 192.168.1.15
Host is up (-0.084s latency).
MAC Address: A4:31:35:E8:58:9E (Apple)
Nmap scan report for 192.168.1.27
Host is up (-0.15s latency).
MAC Address: 34:8A:7B:38:E3:14 (Samsung Electronics)
Nmap scan report for 192.168.1.29
Host is up (0.010s latency).
MAC Address: 80:2B:F9:75:F8:FF (Unknown)
Nmap scan report for 192.168.1.10
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 25.52 seconds

user9869932

Posted 2011-07-15T17:51:44.963

Reputation: 131
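The nmap report above is what most of the answers on this page end up with, and it is easier to act on as a structured inventory than as raw text. The parser below is an added example, not fping's or nmap's own code: it reads the `-sP`/`-sn` report into one record per host (IP, optional hostname, latency, MAC and vendor), handles the two shapes shown on this page, the plain "Host is up." line with no latency or MAC (the scanning machine itself, 192.168.1.10 above) and the "Nmap scan report for name (ip)" form that `-sL` prints, and then answers two questions a defender asks of a sweep: which hosts have an unrecognised MAC vendor, and which hosts are new compared with a baseline. The report text is constructed for this example from the output quoted above; the baseline MAC set is a hypothetical previous scan.

```python
#!/usr/bin/env python3
"""Parse an nmap ping-scan report into a host inventory.

Added example: turns `nmap -sn <cidr>` output into dicts, then flags hosts
with an unknown MAC vendor and hosts not seen in a baseline scan.
"""
import re

# Constructed sample, modelled on the `sudo nmap -sP 192.168.1.0/24` output above.
SAMPLE = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-23 18:49 CEST
Nmap scan report for 192.168.1.14
Host is up (-0.036s latency).
MAC Address: 20:F4:1B:E5:8F:7B (Shenzhen Bilian electronic)
Nmap scan report for 192.168.1.15
Host is up (-0.084s latency).
MAC Address: A4:31:35:E8:58:9E (Apple)
Nmap scan report for Dlink-Router.Dlink (192.168.1.1)
Host is up (0.010s latency).
MAC Address: 80:2B:F9:75:F8:FF (Unknown)
Nmap scan report for 192.168.1.10
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 25.52 seconds
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)"
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip1>[^)]+)\)|(?P<ip2>\S+))$")
# Latency is optional (the local host prints just "Host is up.") and nmap
# can report a small negative value when clocks drift, so allow a sign.
UP_RE = re.compile(r"^Host is up(?: \((?P<latency>-?[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17}) \((?P<vendor>.*)\)$")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP addresses \((\d+) hosts up\)")


def parse_ping_scan(text):
    """Return (hosts, (addresses_scanned, hosts_up)) from nmap -sn/-sP output."""
    hosts, current, summary = [], None, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = {"ip": m.group("ip1") or m.group("ip2"),
                       "hostname": m.group("name"), "latency_s": None,
                       "mac": None, "vendor": None}
            hosts.append(current)
            continue
        m = UP_RE.match(line)
        if m and current is not None:
            lat = m.group("latency")
            current["latency_s"] = float(lat) if lat is not None else None
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            current["mac"] = m.group("mac").upper()
            current["vendor"] = m.group("vendor")
            continue
        m = DONE_RE.match(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
    return hosts, summary


def unknown_vendor(hosts):
    """Hosts whose MAC vendor nmap could not identify (or that showed no MAC)."""
    return [h for h in hosts if h["vendor"] in (None, "Unknown")]


def new_hosts(hosts, baseline_macs):
    """Hosts with a MAC address not present in a previous scan's MAC set."""
    return [h for h in hosts if h["mac"] is not None and h["mac"] not in baseline_macs]


if __name__ == "__main__":
    found, (scanned, up) = parse_ping_scan(SAMPLE)
    print(f"{up} of {scanned} addresses answered; parsed {len(found)} reports")
    # Hypothetical baseline from an earlier sweep (constructed for the example).
    baseline = {"20:F4:1B:E5:8F:7B", "80:2B:F9:75:F8:FF"}
    for h in new_hosts(found, baseline):
        print("new device:", h["ip"], h["mac"], h["vendor"])
```

Run the real scan with `sudo nmap -sn <cidr> > scan.txt` and pass the file contents to `parse_ping_scan`; keeping yesterday's MAC set as the baseline turns a one-off sweep into a simple "what joined my LAN" check.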

3

Hunt is a command line tool that is capable of building a list of machines as they broadcast over the network for information. It uses TCP, UDP, ICMP and ARP data to build a list of active MAC addresses on a network. It is a passive tool that works by listening on the wire.

Sean C.

Posted 2011-07-15T17:51:44.963

Reputation: 554

I know that there are man pages, but it would be useful to see an example in the answer. – Ehtesh Choudhury – 2013-12-18T02:06:39.473

2

For a more compact list of connected devices:

nmap -sL 192.168.0.* | grep \(1

Explanation.

nmap -sL 192.168.0.* will list all IPs in the subnetwork and mark those that have a name:

Nmap scan report for 192.168.0.0
Nmap scan report for Dlink-Router.Dlink (192.168.0.1)
Nmap scan report for 192.168.0.2
...
Nmap scan report for android-473e80f183648322.Dlink (192.168.0.53)
...
Nmap scan report for 192.168.0.255

As all interesting records start with a parenthesis ( and the digit 1, we filter for that with | grep \(1 (the backslash is needed to escape the parenthesis).

Quirk: beware that if two devices have the same name, nmap will show only the one that was connected to the router last.

Alexander Malakhov

Posted 2011-07-15T17:51:44.963

Reputation: 131