How to find ALL host within Network (LAN)

How to find ALL host within Network (LAN)


There are many different to find out the number of hosts (machine) within network specially LAN.

Method(1)– Simplest way to use ping command with -b option… and specify broadcast address. Use ifconfig command to find the broadcast address….

root@arunbagul:/home/arun# ping -b
WARNING: pinging broadcast address
64 bytes from icmp_seq=1 ttl=64 time=0.512 ms
64 bytes from icmp_seq=1 ttl=64 time=0.531 ms

64 bytes from icmp_seq=1 ttl=64 time=0.557 ms

** If the number of Host within network is less (class C network), then you can below script (ping command)…

root@arunbagul:~# cat

for ip in $(seq 1 254);
ping -c 1 192.168.0.${ip} >/dev/null
if [ $? -eq 0 ]; then
echo “192.168.0.$ip is UP”
echo “done”


root@arunbagul:~# sh is UP is UP is UP is UP is UP


Method(2) fping command

fping send ICMP ECHO_REQUEST packets to network host. fping uses the Internet Control Message Protocol (ICMP) echo request to determine if a target host is responding. fping differs from ping in that you can specify any number of targets on the command line, or specify a file containing the lists of targets to ping. Instead of sending to one target until it times out or replies, fping will send out a ping packet and move on to the next target in a round-robin fashion.

In the default mode, if a target replies, it is noted and removed from the list of targets to check; if a target does not respond within a certain
time limit and/or retry limit it is designated as unreachable. fping also supports sending a specified number of pings to a target, or looping indefinitely (as in ping ).


-a Show systems that are alive.

-A Display targets by address rather than DNS name.

-bn Number of bytes of ping data to send.

-c Number of request packets to send to each target.

-d Use DNS to lookup address of return ping packet. This allows you to give fping a list of IP addresses as input and print hostnames in the

-e Show elapsed (round-trip) time of packets.

-g Generate a target list from a supplied IP netmask, or a starting and ending IP

-l Loop sending packets to each target indefinitely.

root@arunbagul:~# fping -g

ICMP Host Unreachable from for ICMP Echo sent to
ICMP Host Unreachable from for ICMP Echo sent to
ICMP Host Unreachable from for ICMP Echo sent to
ICMP Host Unreachable from for ICMP Echo sent to
ICMP Host Unreachable from for ICMP Echo sent to



root@arunbagul:~# fping -g

ICMP Host Unreachable from for ICMP Echo sent to
ICMP Host Unreachable from for ICMP Echo sent to
ICMP Host Unreachable from for ICMP Echo sent to
ICMP Host Unreachable from for ICMP Echo sent to
ICMP Host Unreachable from for ICMP Echo sent to
ICMP Host Unreachable from for ICMP Echo sent to


Method(3) nmap command –

Nmap (“Network Mapper“) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what
services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network
administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Options –

-sL (List Scan)
The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets
to the target hosts. By default, Nmap still does reverse-DNS resolution on the hosts to learn their names.

-sP (Ping Scan)
This option tells Nmap to only perform a ping scan (host discovery), This is one step more intrusive than the list scan.

-P0 (No ping)
This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By
default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up.

-PS [portlist] (TCP SYN Ping)
This option sends an empty TCP packet with the SYN flag set. The default destination port is 80. A comma separated list of ports can even be
specified (e.g. -PS22,23,25,80,113,1050,35000), in which case probes will be attempted against each port in parallel.

-PU [portlist] (UDP Ping)
Another host discovery option is the UDP ping, which sends an empty (unless –data-length is specified) UDP packet to the given ports. The
portlist takes the same format as with the previously discussed -PS and -PA options

-n (No DNS resolution)
Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds

-R (DNS resolution for all targets)
Tells Nmap to always do reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts.

root@arunbagul:~# nmap -sP

Starting Nmap 4.20 ( ) at 2008-04-06 10:52 IST
Host arunbagul.laptop ( appears to be up.
Host ( appears to be up.
Host tsantosh.desktop ( appears to be up.


Nmap finished: 256 IP addresses (1 host up) scanned in 5.670 seconds

Method(4) NAST (Network Analyzer Sniffer Tool) –

Nast is a packet sniffer and a LAN analyzer based on Libnet and Libpcap. It can sniff in normal mode or in promiscuous mode. It dumps the headers of packets and the payload in ascii or ascii-hex format. You can apply a filter. The sniffed data can be saved in a separated file.


-i, –interface
Select the Interface, if not specified will be auto-detected.

-p, –promisc
Disable promiscuous mode on NIC.

-d, –ascii-data
Print data in ascii format.

-x, –ascii-hex-data
Print data in ascii-hex format.

-f, –filter <“filter”>
Apply <“filter”> to sniffer (see “FILTER SYNTAX” section below for syntax)

–ld <filename>
Log captured data to <filename> (only payload). Use -l to log all packet instead, useful with -B

-m, –host-list
Map the LAN by performing a series of ARP request to sequential subnet IP addresses.

-s, –tcp-stream
Follow a TCP/IP connection printing all data in payload. You must specify the IP addresses of the ends.

-g, –find-gateway
Try to find possible Internet-gateways.

-r, –reset-connection
Destroy an established connection. You must specify the IP addresses of the ends and at least one port.(?)

-S, –port-scanner
Performs a half-open port scanning on the selected host. It tries also to determine some firewall (just iptables) rules.

-M, –multi-port-scanner
Same as above (-S) but done on all hosts of the lan.

root@arunbagul:~# nast
Nast V. 0.2.0
Sniffing on:

– Device: eth0
– MAC address: XX:1X:3X:XX:0X:XX
– IP address: 192.168.XX.XX
– Netmask:
– Promisc mode: Set
– Filter: None
– Logging: None

—[ ARP ]———————————————————–
Type: ARP request: Who has 192.XX.XX.? Tell XX.XX.XX.XX
Hardware size: 6 – Protocol size: 4
Packet Number: 1

—[ UDP ]———————————————————–
192.168.X.X:1985(unknown) -> X.X.X.X:1985(unknown)
Version: 4 Total Lenght: 48 TTL: 1
Packet Number: 2

Packets Received: 4
Packets Dropped by kernel: 0

root@arunbagul:~# nast -m
Nast V. 0.2.0
Mapping the Lan for subnet … please wait

MAC address Ip address (hostname)
XX:XX:XX:XX:XX:XX 192.168.X.X (
XX:XX:XX:XX:XX:XX 192.168.X.X (ravi.desktop)


Method(5) nbtscan command –

nbtscan is a program for scanning networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.


-v Verbose output. Print all names received from each host.

-d Dump packets. Print whole packet contents. Cannot be used with -v, -s or -h options.

-e Format output in /etc/hosts format.

-t timeout
Wait timeout seconds for response. Default 1.

-m retransmits
Number of retransmits. Default 0.

-f filename
Take IP addresses to scan from file “filename”

What to scan. Can either be single IP or range of addresses in one of two forms: X.X.X.X/24 or X.X.X.X-24

root@arunbagul:~# nbtscan
Doing NBT name scan for addresses from

IP address NetBIOS Name Server User MAC address
192.168.0.X MUCHTHESE-DV <server> <unknown> XX:XX:XX:XX:XX:XX



Thank you,
Arun Bagul

Similar Posts:

Leave a Reply

Your email address will not be published.