Welcome, this is an Innovations Tech Tip. In this tip we’re going to explore a couple of ways to find open IP (Internet Protocol) addresses on your network. You might need this information if you were going to temporarily set a static IP address for a host. Even after you’ve found an open IP though, you still need to take care to avoid IP conflicts if your network uses DHCP (Dynamic Host Configuration Protocol). Please also be aware that one of these techniques uses the nmap network scanning program, which may be against policy in some environments. Even if it’s not against corporate policy, the nmap man page states that “there are administrators who become upset and may complain when their system is scanned. Thus, it is often advisable to request permission before doing even a light scan of a network.”2
The first technique that we’re going to cover is the use of the arping command to tell whether a single address is in use. arping uses ARP (Address Resolution Protocol) packets instead of ICMP (Internet Control Message Protocol) packets. This matters because many firewalls block ICMP traffic as a security measure, so when you use ICMP you’re never sure whether the host is really down or is just blocking your pings. ARP pings will almost always work because ARP packets provide the critical network function of resolving IP addresses to MAC (Media Access Control) addresses, and hosts on an Ethernet network use those resolved MAC addresses, not IPs, to deliver frames to each other. Be aware that ARP pings will not work when you’re not on the same subnet as the host you’re trying to ping, because ARP packets are not routed. See Resource #3 below for more details.

arping has several options, but the three that we’ll be focusing on here are -I, -D, and -c. The -I option specifies the network interface that you want to use. In many cases you might use eth0 as your interface, but I’m using a laptop connected via wireless and my interface is wlan0. The -D option checks the specified address in DAD (Duplicate Address Detection) mode. Let’s look at an example.
$ arping -I wlan0 -D 192.168.1.1
ARPING 192.168.1.1 from 0.0.0.0 wlan0
Unicast reply from 192.168.1.1 [D4:4D:D7:64:C6:5F] for 192.168.1.1 [D4:4D:D7:64:C6:5F] 2.094ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
You can see that I’m pinging 192.168.1.1 (a known router) with the -D option. If no replies are received, DAD mode is considered to have succeeded, and you can be reasonably sure that address is free for use. Listing 2 shows an example of what you would see if the address is not in use.
$ arping -I wlan0 -c 5 -D 192.168.1.76
ARPING 192.168.1.76 from 0.0.0.0 wlan0
Sent 5 probes (5 broadcast(s))
Received 0 response(s)
Here I’ve picked a different network address that I knew would be unused. I’ve also added the -c option mentioned above so that I could have arping stop after sending 5 requests. Otherwise arping would keep trying until I interrupted it (possibly via the Ctrl-C key combo).
Armed with this information and a knowledge of any dynamic addressing scheme on my network, I can set a temporary static IP for a host. See Resource #1 for more information on
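The DAD check above is easy to script. The following is an added example (not part of the original tip): it reads the "Received N response(s)" summary line that arping prints and reports the address as free, in use, or unknown, and wraps the real arping call with the wlan0 interface assumed from the tip. A run that produces no summary line (no permission, wrong interface) is reported as unknown rather than free, so a failed probe is never mistaken for an open address.

```shell
#!/bin/sh
# Added example (not from the original tip). Classifies an address from the
# output of "arping -D" (iputils arping as shown in the tip).

# dad_result OUTPUT -> prints "free", "in-use" or "unknown"
# based on the summary line "Received N response(s)".
dad_result() {
    replies=$(printf '%s\n' "$1" | sed -n 's/^Received \([0-9][0-9]*\) response(s).*/\1/p')
    if [ -z "$replies" ]; then
        # No summary line: arping did not run to completion, so say nothing
        # about the address rather than calling it free.
        echo "unknown"
    elif [ "$replies" -eq 0 ]; then
        echo "free"          # DAD succeeded: nobody answered for the address
    else
        echo "in-use"        # at least one host already claims the address
    fi
}

# check_addr IFACE ADDR -> runs the real probe with 3 requests
# (needs root or CAP_NET_RAW, and the target must be on the same subnet).
check_addr() {
    out=$(arping -I "$1" -c 3 -D "$2" 2>/dev/null)
    dad_result "$out"
}

# Constructed sample outputs, modelled on the two listings in the tip.
SAMPLE_USED='ARPING 192.168.1.1 from 0.0.0.0 wlan0
Unicast reply from 192.168.1.1 [D4:4D:D7:64:C6:5F] for 192.168.1.1 [D4:4D:D7:64:C6:5F] 2.094ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)'
SAMPLE_FREE='ARPING 192.168.1.76 from 0.0.0.0 wlan0
Sent 5 probes (5 broadcast(s))
Received 0 response(s)'

echo "192.168.1.1  -> $(dad_result "$SAMPLE_USED")"    # in-use
echo "192.168.1.76 -> $(dad_result "$SAMPLE_FREE")"    # free
# Live check on your own interface: check_addr wlan0 192.168.1.76
```

A "free" result only says nothing answered right now; a powered-off host or an outstanding DHCP lease can still own the address, which is why the tip warns about DHCP conflicts.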
nmap, which stands for “Network MAPper”, was “designed to rapidly scan large networks…to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.”2 We’ll be using this to find all of the currently used IP addresses on the network.

nmap has many options and is a very deep utility, and I highly suggest spending some time reading its man page. Of all these options, the only one that we’ll be dealing with in this quick tech tip is -e. The -e option allows you to specify the interface to use when scanning the network. This is similar to the -I option of arping. The example below shows a simple usage.
$ nmap -e wlan0 192.168.1.0/24

Starting Nmap 5.21 ( http://nmap.org ) at 2011-08-23 11:13 EDT
Nmap scan report for 192.168.1.1
Host is up (0.033s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
5000/tcp open  upnp

Nmap scan report for 192.168.1.7
Host is up (0.00015s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
5900/tcp open  vnc
8080/tcp open  http-proxy

Nmap scan report for 192.168.1.10
Host is up (0.033s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs

Nmap done: 256 IP addresses (3 hosts up) scanned in 4.22 seconds
The first thing to notice is the notation that I used to specify the subnet mask (/24). If you’re unfamiliar with this notation, please see Resource #5 below. The next thing to notice is that nmap gives us a lot more information than just what IPs are in use. nmap also shows us things like what ports are open on each host, and what service it thinks is running on each port. As a network administrator you can use this information to get a quick overview of your network, or you can dig deeper into nmap to perform in-depth network audits. In our case we’re just looking for an open IP address to use temporarily, so we can choose one that’s not listed. Again, care needs to be taken when statically setting IPs on a network with DHCP. Have a look at Resource #4 for a more comprehensive guide to using
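Picking an address "that's not listed" by eye works for three hosts but not for a busy /24, so here is an added example (not from the original tip) that extracts the in-use addresses from nmap's "Nmap scan report for" lines and prints every host address in the /24 that nmap did not report. The sample output is constructed from the listing above; the name-and-address form for 192.168.1.7 is a constructed variant of the line nmap prints when reverse DNS resolves a host.

```shell
#!/bin/sh
# Added example (not from the original tip). Parses nmap's host lines and
# lists the /24 addresses that were not reported as up.

# used_hosts OUTPUT -> one in-use IPv4 address per line.
# Handles both "Nmap scan report for 192.168.1.1" and
# "Nmap scan report for name (192.168.1.1)" by taking the last field.
used_hosts() {
    printf '%s\n' "$1" | awk '/^Nmap scan report for / { print $NF }' | tr -d '()'
}

# free_hosts OUTPUT PREFIX -> addresses PREFIX.1 .. PREFIX.254 absent from
# OUTPUT. The network (.0) and broadcast (.255) addresses are skipped.
# grep -x matches whole lines, so 192.168.1.1 does not hide 192.168.1.10.
free_hosts() {
    used=$(used_hosts "$1")
    i=1
    while [ "$i" -le 254 ]; do
        addr="$2.$i"
        if ! printf '%s\n' "$used" | grep -qxF "$addr"; then
            echo "$addr"
        fi
        i=$((i + 1))
    done
}

# Constructed sample, trimmed to the host lines of the listing in the tip.
NMAP_SAMPLE='Starting Nmap 5.21 ( http://nmap.org ) at 2011-08-23 11:13 EDT
Nmap scan report for 192.168.1.1
Host is up (0.033s latency).
Nmap scan report for laptop.example (192.168.1.7)
Host is up (0.00015s latency).
Nmap scan report for 192.168.1.10
Host is up (0.033s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 4.22 seconds'

echo "in use:"; used_hosts "$NMAP_SAMPLE"
echo "first free: $(free_hosts "$NMAP_SAMPLE" 192.168.1 | head -n 1)"   # 192.168.1.2
# Live use on your own network (host discovery only, no port scan):
#   free_hosts "$(nmap -sn -e wlan0 192.168.1.0/24)" 192.168.1
```

nmap's -sn (-sP in releases older than 5.30, such as the 5.21 shown) skips the port scan, and on a directly attached subnet nmap discovers hosts with ARP requests, so it shares arping's blind spot for hosts that are off the local segment or powered down.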
That concludes this Tech Tip. Have a look at innovationsts.com for other tips, tricks, how-tos, and service offerings available from Innovations Technology Solutions. Thanks, and stay tuned for more from Innovations.