If you want to know what IP addresses are actually in use in your network, your only option is pretty much to scan them all. Very often, this is something one would do using the ping command. Ping, which has been around almost as long as IP networking, is probably the best ways to test for connectivity to a given IP address. So, by successively pinging all IP addresses in a network, one can get a pretty good picture of which ones are in use and which ones are available.
However, in all be the smallest of networks with only a handful of IP addresses, this can quickly turn into quite a chore. Fortunately, tools exist that will automatically scan a group of IP addresses and report on their responsiveness. Today, we’re reviewing some of the best IP scanners for Linux that will simplify your life when you have to scan IP addresses.
To begin, we’ll be discussing IP address scanning in general. More specifically, we’ll have a look at why one would scan IP address because, as much as it’s nice to know which IP addresses are in use, there’s got to be a point to doing it. Next, we’ll have a deeper look at the ping utility. Even though ping is not a scanning tool, this utility is at the core of most IP address scanning tools. Knowing how it works or what it can do will most likely be valuable when we start looking at the different available scanning tools. And talking about the scanning tools, our next order of business will be to not only list but also briefly review some of the best IP scanners for Linux and explore their main features and differentiating factors.
Scanning IP Addresses
Other than the pure fun and enlightenment of knowing what IP addresses are in use, there are several reasons one would want to scan IP addresses. First and foremost is security. Scanning IP addresses on a network allows you to quickly discover unauthorized devices. These could, for instance, be devices connected by malicious users to spy on your organization.
But even well-intentioned users can sometimes wreak havoc by connecting their personal devices. I recall that user who prevented many of his colleagues from accessing the corporate network when he connected his home Internet router to it. He just needed a couple of extra ports to connect an additional test computer and thought he could use the switch built into his router. Unbeknownst to him, the router started issuing IP addresses from its built-in DHCP server. And several of his colleagues got assigned erroneous IP addresses.
Other than for security reasons, scanning IP addresses is also the first step in any attempt at IP address management. While many—if not all—IP address management (IPAM) tools do include some form of IP address scanning, many choose to manage IP address using a manual process instead of an integrated tool. In these situations, IP address scanning tools become a necessity.
For people without any kind of formal IP address management process, scanning IP addresses is possibly even more important. It will often be the only way to ensure that there are no IP address conflicts. It can, in fact, be considered a rather crude way of pseudo-managing IP addresses.
Ping In A Nutshell
No matter what you need for scanning IP addresses is, most tools are based on Ping. Let’s have a look at this ubiquitous albeit antique utility. Ping was created out of necessity back in 1983 proving once more that necessity is the mother of invention. Its developer needed a tool to help in debugging an abnormal network behaviour he was observing. Its name refers to the sound of sonar echoes as heard in submarines. Today, ping is present on almost every operating system, yet its implementation varies somewhat between platforms. Some versions are offering multiple command-line options which can include parameters such as the size of each request’s payload, the total test count, the network hops limit, or the interval between requests. Some systems have a companion Ping6 utility that serves the exact same purpose but uses IPv6 addresses.
Here’s a typical use of the ping command:
$ ping -c 5 www.example.com PING www.example.com (184.108.40.206): 56 data bytes 64 bytes from 220.127.116.11: icmp_seq=0 ttl=56 time=11.632 ms 64 bytes from 18.104.22.168: icmp_seq=1 ttl=56 time=11.726 ms 64 bytes from 22.214.171.124: icmp_seq=2 ttl=56 time=10.683 ms 64 bytes from 126.96.36.199: icmp_seq=3 ttl=56 time=9.674 ms 64 bytes from 188.8.131.52: icmp_seq=4 ttl=56 time=11.127 ms --- www.example.com ping statistics --- 5 packets transmitted, 5 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 9.674/10.968/11.726/0.748 ms
The “-c 5” option in the above example tells Ping to repeat five times.
How Ping Works
Ping is a pretty simple utility. All it does is sending ICMP echo request packets to the target and waiting for it to send back an ICMP echo reply packet. This process is repeated a certain number of times—five by default under windows and until it is manually stopped by default under most Unix/Linux implementations. Once the command terminates, response statistics are compiled and displayed. The utility calculates the average delay between the requests and their respective replies and displays it in its results. On most *nix variants, it will also display the value of the replies’ TTL (time to live) field, giving an indication of the number of hops between source and destination.
For the command to work, the pinged host must abide by RFC 1122. The standard specifies that any host must process ICMP echo requests and issue echo replies in return. And while most hosts do reply, some disable that functionality for security reasons. Firewalls also often block ICMP traffic. To circumvent this, the better IP address scanning tools can use a type of packet different from ICMP to check if an IP address is responding. Pinging a host which does not respond to ICMP echo requests will provide no feedback, which is exactly like pinging a non-existent IP address.
The Best IP Scanners For Linux
Our selection of IP address scanning tools includes a bit of everything. There is a combination of GUI-based tools and command-line utilities on our list. Some are more complex tools while others are extended versions of the ping utility that include some way of scanning a range of IP addresses without having to issue multiple successive commands. All of the tools on our list have a couple of thing in common: The run under the Linux operating system and, given a range of addresses to scan, they will return a list of what IP addresses are responding.
1. Angry IP Scanner
The Angry IP Scanner is a deceptively simple tool which makes extensive use of multithreading. This makes it one of the fastest tools on our list. This is a free multi-platform tool which is available for Linux—of course, Windows, and Mac OS X. This tool is written in Java so you’ll need to have the Java runtime module installed to use it. Most package managers will take care of this dependency, though. The tool does not only ping IP addresses, but it can also optionally run a port scan on discovered hosts. It can resolve IP addresses to hostnames and MAC addresses to vendor names. Furthermore, this tool will provide NetBIOS information—when available—about each responding host.
The Angry IP Scanner can scan complete networks and subnets but it can also an IP addresses range or even a discrete list of IP addresses from a text file. This tool is primarily GUI-based but it also comes with a command-line version that you can use if, for instance, you want to include the tool’s functionality in home-brewed shell scripts. As for the scan results, they are by default displayed on the screen in table format but they can easily be exported to several file formats such as CSV or XML.
The arp-scan tool (sometimes referred to as ARP Sweep or MAC Scanner) is another fast ARP packet scanner. The tool will list every active IPv4 device on the subnet it scans from. It is one of the tools that does not rely on ping to scan the network. Instead, it uses the ARP (Address Resolution Protocol), a technology typically used to find the correspondence between IP addresses and MAC addresses. Since ARP is a non-routable protocol, this scanner can only work on the local network (local subnet or network segment).
The arp-scan tool will display all active devices even if they have built-in firewalls of filtering schemes blocking ICMP packets. Devices simply cannot hide from ARP packets as they can hide from ping. This makes this a very useful tool for highly secure environments with numerous hardened devices.
Nmap, which stands for Network Mapper, is a scanning tool that can be used to discover hosts and services, thus building a “map” of the network, hence the name. This tool operates by sending specially crafted packets to the target hosts—somewhat like ping but not necessarily using ICMP—and by analyzing the responses it gets.
The tool’s primary use is in analyzing what services are available on a computer. It can, however, be used as an IP address scanner. This tool can discover hosts and their services and it can also detect their operating system and more. Using scripting, the tool can be even used for advanced service detection, vulnerability detection, and more.
Nmap, which is a command-line tool started as a Linux-only utility but it has since been ported to several other operating systems including Windows, Solaris, HP-UX, most BSD variants including OS X, AmigaOS, and IRIX. If you prefer graphical user interfaces, several GUI front-ends to Nmap have been released. One of the best one goes by the name Zenmap and it is from the same team as Nmap. You can, therefore, expect a good integration between the two tools. Zenmap, when compared to Nmap is much easier to learn and master, thanks to a well-designed user interface. Although it might not be the prettiest tool, it has some great functionality.
Fping was created as an improvement over ping, then one of the only network troubleshooting tools available. It is a similar command-line tool but it is rather different. Like ping, Fping uses ICMP echo requests to determine which of the target hosts are responding but this is pretty much where the similarity ends. While ping only accepts a single IP address as a parameter, Fping can be called with many target IP addresses. The targets can be specified as a space-delimited list of IP addresses. The utility can also be provided with the name of a text file containing a discrete list of addresses. Finally, an IP address range can be specified or a subnet can be entered in CIDR notation such as 192.168.0.0/24.
One of the great features of Fping is how it does not wait for a response before sending the next echo request. This greatly helps reduce the time lost waiting for unresponsive IP addresses, making for a much faster tool. Fping also has lots of command-line options that you can use and since it is a command-line tool, you can pipe its output to another command—such as grep, for example—for further processing.
Hping is another free command-line tool derived from ping. It is available on most, if not all Unix-like operating systems including common Linux distributions as well as on Mac OS X and Windows. Despite no longer being in active development, this tool is still easily available and in widespread use. The tool closely resembles ping yet it is quite different. For instance, Hping won’t only send ICMP echo requests. It can also send TCP, UDP or RAW-IP packets. This can help with scanning highly secure networks. There is also a traceroute mode—more about that in a moment—and the tool has the ability to send files.
Hping can be used as an IP address scanning tool but it can do more than that. The tool has some advanced ports scanning features. Thanks to its use of multiple protocols, it can also be used to perform basic network testing. This product also has some advanced traceroute capabilities using any of the available protocols. This can be useful as some devices treat ICMP traffic differently from other traffic. By mimicking other protocols, this tool can give you a better evaluation of your network’s true, real-life performance.
6. Spiceworks IP scanner
Spiceworks started back in 2006 in Austin, Texas as a professional network for the information technology industry although it was originally created to build IT management software. Today, Spiceworks is an online community allowing users to collaborate with one another and also participate in a marketplace to purchase IT services and products. Spiceworks is estimated to be used by more than six million IT professionals and three thousand technology vendors.
But, as we indicated, Spiceworks is also a software developer and publisher. He company has three main products. There’s a help desk management platform called Spiceworks Help Desk, an IT assets inventory management tool called Spiceworks Inventory and a network monitoring platform called Spiceworks Network Monitor. And while these tools are not open-source, they are available for free to anyone.
Spiceworks also makes a few handy tools, one of them called the IP scanner. The tool will let you do either a basic scan or an extended one with detailed information. You can use the tool to discover the devices on your network automatically while gathering basic information such as operating system or MAC address. Alternatively, you can also get detailed hardware and software information on your workstations and servers like CPU, storage, memory, installed software, serial number, and lots more. This tool is like an IP scanner on steroids.
MASSCAN, created by Robert Graham, claims to be the fastest port scanner. The tool produces results which are similar to what you’d get with Nmap, reviewed above. However, it internally operates more like scanrand, unicornscan, and ZMap, and, like these, it uses asynchronous transmission. The major difference is that this tool is faster than these other scanners. Furthermore, this tool is somewhat more flexible and it will, for instance, allow arbitrary address ranges and port ranges.
MASSCAN uses a custom TCP/IP stack rather than the one that comes with your operating system. As a result, anything other than simple port scans will cause conflicts with the local TCP/IP stack. TO get around this limitation, you can either use the -S option to use a separate IP address, or you can configure your operating system to firewall the ports that the tool uses.
8. Umit Network Scanner
The Umit Network Scanner is another Nmap front end, much like Zenmap. The tool was designed to accommodate and run more than one scan at a time. This is a great feature when you have multiple subnets or IP address ranges to scan. Each scan is executed and its results displayed inside a Scan Tab, which has a title and where every information obtained as a result of the scan is neatly presented.
The idea behind the Scan Tab is to try to make your life easier by making the information easier to navigate and by facilitating the search for any specific piece of information. Scanning an entire network using Nmap would typically require that you open up your favourite terminal, type a potentially complex Nmap command, wait for the results, and then move to the next subnet. The Umit Network Scanner makes it much more intuitive.
While there are tons of IP scanners for Windows, we’ve seen that, while there are not as many options for Linux, several excellent products are available. So, if your platform of choice is Linux, don’t feel left out. Some of these products may not have fancy GUIs like some Windows tools have but you’ll most likely find a tool among our list which is a perfect fit for your needs.