sys·ad·min·ol·o·gy [sis-ad-mih-nol-uh-jee]


  1. The scientific study of system administration and related phenomena.

Friday, 13 February 2015

A Quick Way Of Finding Free IP addresses In A Subnet

Nmap is the staple of network scanning. However by default its output can be quite hard to read. Additionally, by definition, nmap will only return what IP addresses ARE taken, as such it's left to the operator to spot gaps in the sequence.

Scan For Free IPs Using fping

UPDATE: There is an even quicker way, assuming you can install fping:

fping -r1 -u -g

The -r1 makes fping only retry once (you can tune this according to the needs of your network)
-u means only show unreachables
-g allows you to specify a subnet mask as above, or you can specify a range e.g.

fping -r1 -u -g

Ill leave my original suggestion up as an alternative

Scan For Free IPs Using NMAP

This is a (fairly) simple command I put to together to list IP addresses that are actually available, or more accurately, not responding to a ping. Of course some hosts will not respond to ping, which is why I always run a more thorough port scan with nmap once I have a candidate IP. 

Additionally, where possible, I always scan on a host that is already within the relevant network. This means I don't have to worry about intermediate security devices blocking potential scans.

So, without further ado, here it is. I've split it into three lines to make it more readable:

# subnet="10.10.10"
# takenips=$(nmap -sn -oG - ${subnet}.0/24 | awk '{print $2}' | grep -v Nmap)
# for i in {1..253}; do echo $takenips | (grep -E "${subnet}.${i}\s" > /dev/null) | echo "${subnet}.${i}";done

The first line defines the subnet you want to scan, the second line uses nmap to create a list of taken ip addresses, and the third line loops through all the ips in the subnet and outputs ip address that DO NOT appear in the list of taken IPs

As I mentioned earlier, once you have a candidate ip, make sure you scan it again with

nmap <candidate ip> 

To help ensure you avoid collisions.


  1. This works not only with IPv4 and you don't need root access.
    Gives you the staticly, DHCP (IPv4 or IPv6) or SLAAC (IPv6) assigned addresses. It will not tell your IP mapping plan though...

    In IPv6, you can try this.
    # ipv6-allnodes multicast address, no broadcast in IPv6
    ping6 -c4 -I eth0 ff02::1 # or ff02::1%eth0
    ip neigh show dev eth0

    # And this for IPv4
    # the broadcast address, see `ip address show dev eth0` for "brd"
    ping -b -c4 # This has to be adopted for your net
    ip neigh show dev eth0

  2. Hi Anders, Thanks for the suggestion. ip neigh show dev Does indeed work well, as long as you are on a device which has layer 2 access to the network you want to scan.