Display list of computers on a LAN in Linux
I’m a web dev who is trying to get a better handle on security. I’m trying to figure out a way (on Linux/Debian based distros) to list all computers on the same LAN my netbook is on. I tried «arp -n» but I don’t feel it’s a complete list, as my iPhone is on the same wi-fi router as my netbook, and that didn’t come up. Is there some better way to get a full list of machines that are all sharing the same gateway?
11 Answers 11
Get nmap. It’s the program Trinity used in The Matrix and you can do a scan to find all of the devices that are connected to the LAN you’re on and more.
OK. Looks like «sudo nmap -sL 123.123.123.*» is what I’m looking for, or maybe -sP instead of -sL. Thanks!
This is what I use, nmap, and an address using CIDR block notation of the network you want to scan. First you need to install nmap as it may not come pre-installed with you distro. On Ubuntu:
Next figure out your network address by using ifconfig:
ifconfig output for the interface I want to scan:
wlan1 Link encap:Ethernet HWaddr 00:1f:3b:03:d2:bf inet addr:192.168.1.104 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::21f:3bff:fe03:d2bf/64 Scope:Link . Use the inet addr and Mask to figure out the network address in CIDR notation, more on CIDR here. The address is:
Run nmap using -sP parameter, which will scan no further than checking if the host is online:
nmap output will look something like this:
Starting Nmap 5.21 ( http://nmap.org ) at 2014-12-09 10:52 EST Nmap scan report for 192.168.1.1 Host is up (0.013s latency). MAC Address: -MAC ADDRESS- (Cameo Communications) . Nmap done: 256 IP addresses (5 hosts up) scanned in 3.26 seconds That’s it, if you need more help with nmap, see the nmap official documentation, or run:
nmap -sA 192.168.1.0/24 nmap option -sA shows similar descriptive results with better readability , which includes device name, IP, mac, etc as with option -sP .. I personally prefer -sA over -sP for the readability sake.
@Jayzcode On my machine -sA is never returning, while -sP took only 3.73 seconds (detected the router, my PC and another PC). Any idea why?
@Rodrigo the -sA option also scans 1000 ports on the hosts, which may take time. It doubled the execution time for me. If you just want to know the list of connected devices, keep the -sP option.
arp -n only shows you machines on your LAN that your machine has already talked to. You can get that list to populate better by pinging the broadcast and all-hosts multicasts addresses:
The «all ones» (in binary) broadcast address. Note that most IP stacks will translate this to the subnet broadcast addresses for all subnets you’re attached to:
The subnet broadcast address for your current subnet. So assuming you’re on 192.168.1.0/24:
The «all hosts» multicast address. I like this one a lot because it’s more likely to find hosts configured for other IP subnets, that happen to be attached to the same Ethernet LAN as you:
Note that this method, and the other methods I’ve seen mentioned in other Answers so far, only look for IP-reachable hosts on the current network. That’s probably all you need to care about, but it’s possible for an attacker to snoop on, or do bad things to, a network without being visible via IP.
ip neigh and hosts . NO nmap required / NO sudo requied.
Building on this, you can build a Python script:
#!/usr/bin/env python """List all hosts with their IP adress of the current network.""" import os out = os.popen('ip neigh').read().splitlines() for i, line in enumerate(out, start=1): ip = line.split(' ')[0] h = os.popen('host <>'.format(ip)).read() hostname = h.split(' ')[-1] print("3>: <> (<>)".format(i, hostname.strip(), ip)) wget https://gist.githubusercontent.com/MartinThoma/699ae445b8a08b5afd16f7d6f5e5d0f8/raw/577fc32b57a7f9e66fdc9be60e7e498bbec7951a/neighbors.py (or simply arp . I didn’t see that before)
nmap scan
To scan the status of a range of IP addresses, this is nice and simple:
-sn: Ping Scan - disable port scan I did this on Mac OS X (which is based on BSD). I am not sure if the Linux version has any differences.
Brilliant, all I had to to was type: sudo nmap -sP 192.168.178.0-255. This did a scan in the subnet I am in.
You could use fping sudo apt-get install fping (in debian-like OSs).
fping is similar to ping, but much better performing when pinging multiple hosts. The -r 1 flag tells fping to perform only one round. The 2>1 part allows grep to filter the output.
$ fping -g -r 1 192.168.1.0/24 2>1 | grep "alive" Would display something like:
192.168.1.1 is alive 192.168.1.10 is alive 192.168.1.15 is alive 192.168.1.27 is alive There is also an interesting flag for nmap that would let you see the MAC vendor — if known. Use with sudo in order to see the MAC addresses.
You would get for instance:
Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-23 18:49 CEST Nmap scan report for 192.168.1.14 Host is up (-0.036s latency). MAC Address: 20:F4:1B:E5:8F:7B (Shenzhen Bilian electronic) Nmap scan report for 192.168.1.15 Host is up (-0.084s latency). MAC Address: A4:31:35:E8:58:9E (Apple) Nmap scan report for 192.168.1.27 Host is up (-0.15s latency). MAC Address: 34:8A:7B:38:E3:14 (Samsung Electronics) Nmap scan report for 192.168.1.29 Host is up (0.010s latency). MAC Address: 80:2B:F9:75:F8:FF (Unknown) Nmap scan report for 192.168.1.10 Host is up. Nmap done: 256 IP addresses (5 hosts up) scanned in 25.52 seconds I didn’t find the existing answers satisfying enough, so I thought I’d give a try. After all, the FAQ suggests to provide context for links.
nmap is great, if a little confusing to use. Here’s something I run to discover local network devices that’s mostly copy-paste-able. nmap -sP (or nmap -sn ) scans by pinging. There are other options for ‘host discovery’, like with nmap -sL or nmap -Pn .
Way #1.
ehtesh@x200arch:~$ # my wireless interface is listed as wlp3s0. Yours could be wlan0 or eth1. ehtesh@x200arch:~$ ip addr show wlp3s0 | grep "inet " inet 172.18.72.53/22 brd 172.18.75.255 scope global wlp3s0 ehtesh@x200arch:~$ arp -a ? (172.18.72.1) at c8:4c:75:76:bd:74 [ether] on wlp3s0 ehtesh@x200arch:~$ nmap -sP 172.18.72.0/24 Starting Nmap 6.41SVN ( http://nmap.org ) at 2013-12-17 20:08 EST Nmap scan report for 172.18.72.2 Host is up (0.017s latency). Nmap scan report for 172.18.72.253 Host is up (0.13s latency). Nmap done: 256 IP addresses (17 hosts up) scanned in 5.74 seconds ehtesh@x200arch:~$ arp -a | sort -n -k 1,1 ? (172.18.72.126) at ec:35:86:4a:37:d2 [ether] on wlp3s0 ? (172.18.72.148) at 10:9a:dd:b8:79:71 [ether] on wlp3s0 ? (172.18.72.178) at 9c:20:7b:7b:08:ba [ether] on wlp3s0 ? (172.18.72.1) at c8:4c:75:76:bd:74 [ether] on wlp3s0 ? (172.18.72.253) at b8:78:2e:19:05:0b [ether] on wlp3s0 ? (172.18.72.2) at 00:14:1c:da:e1:c2 [ether] on wlp3s0 ? (172.18.72.40) at d8:c7:c8:ca:f9:88 [ether] on wlp3s0 ? (172.18.72.43) at d8:c7:c8:ce:0f:60 [ether] on wlp3s0 ? (172.18.72.44) at d8:c7:c8:ce:0f:68 [ether] on wlp3s0 ? (172.18.72.45) at 6c:f3:7f:c6:71:16 [ether] on wlp3s0 ? (172.18.72.46) at 6c:f3:7f:c4:4c:b3 [ether] on wlp3s0 ? (172.18.72.47) at d8:c7:c8:ca:f9:88 [ether] on wlp3s0 ? (172.18.72.48) at 24:de:c6:c6:b6:78 [ether] on wlp3s0 ? (172.18.72.49) at 24:de:c6:c6:b6:e6 [ether] on wlp3s0 ? (172.18.72.51) at 00:9c:02:d0:4c:4e [ether] on wlp3s0 ? (172.18.72.54) at 00:23:76:99:99:bf [ether] on wlp3s0 ? (172.18.72.62) at 8c:70:5a:0d:06:18 [ether] on wlp3s0 ? (172.18.72.63) at 7c:e9:d3:51:86:55 [ether] on wlp3s0 ? (172.18.72.64) at a0:88:b4:47:eb:c8 [ether] on wlp3s0 Way #2. I know this works, but I can’t say if this is the right way to go.
ehtesh@x200arch:~$ #ifconfig | grep broadcast ehtesh@x200arch:~$ ip address show wlp3s0 | grep brd link/ether 00:1e:65:bf:1b:42 brd ff:ff:ff:ff:ff:ff inet 172.18.72.53/22 brd 172.18.75.255 scope global wlp3s0 ehtesh@x200arch:~$ ping -b -c 3 -i 20 172.18.75.255
I’d be happy to know if there are more effective ways. Until then, I’m sticking to this.
Getting list of network devices inside the Linux kernel
I’ve been looking through net/core/dev.c and other files to try to find out how to get the list of network devices that are currently configured and it’s proving to be a little difficult to find. The end goal is to be able to get network device statistics using dev_get_stats in dev.c, but I need to know the current interfaces so I can grab the net_device struct to pass in. I’m having to do this inside the kernel as I’m writing a module which adds in a new /proc/ entry which relates to some statistics from the current network devices so from what I can gather this must be done inside the kernel. If someone could point me to how to get the interfaces it would be much appreciated.
2 Answers 2
This ought to do the trick:
#include struct net_device *dev; read_lock(&dev_base_lock); dev = first_net_device(&init_net); while (dev) < printk(KERN_INFO "found [%s]\n", dev->name); dev = next_net_device(dev); > read_unlock(&dev_base_lock); Given a struct net *net identifying the net namespace that you are interested in, you should grab the dev_base_lock and use for_each_netdev() :
read_lock(&dev_base_lock); for_each_netdev(net, dev) < /* Inspect dev */ >read_unlock(&dev_base_lock); (In newer kernels, you can use RCU instead, but that is probably an overcomplication in this case).
To obtain the net namespace to use, you should be registering your proc file with register_pernet_subsys() :
static const struct file_operations foostats_seq_fops = < .owner = THIS_MODULE, .open = foostats_seq_open, .read = seq_read, .llseek = seq_lseek, .release = foostats_seq_release, >; static int foo_proc_init_net(struct net *net) < if (!proc_net_fops_create(net, "foostats", S_IRUGO, &foostats_seq_fops)) return -ENOMEM; return 0; >static void foo_proc_exit_net(struct net *net) < proc_net_remove(net, "foostats"); >static struct pernet_operations foo_proc_ops = < .init = foo_proc_init_net, .exit = foo_proc_exit_net, >; register_pernet_subsys(&foo_proc_ops) In your foostats_seq_open() function, you take a reference on the net namespace, and drop it in the release function:
static int foostats_seq_open(struct inode *inode, struct file *file) < int err; struct net *net; err = -ENXIO; net = get_proc_net(inode); if (net == NULL) goto err_net; err = single_open(file, foostats_seq_show, net); if (err < 0) goto err_open; return 0; err_open: put_net(net); err_net: return err; >static int foostats_seq_release(struct inode *inode, struct file *file) < struct net *net = ((struct seq_file *)file->private_data)->private; put_net(net); return single_release(inode, file); > The foostats_seq_show() function can then obtain the net , walk the devices, gather the statistics and produce the output:
static int sockstat6_seq_show(struct seq_file *seq, void *v) < struct net *net = seq->private; struct net_device *dev; int foostat, barstat; read_lock(&dev_base_lock); for_each_netdev(net, dev) < /* Inspect dev */ >read_unlock(&dev_base_lock); seq_printf(seq, "Foo: %d\n", foostat); seq_printf(seq, "Bar: %d\n", barstat); return 0; > How can I find available network interfaces?
This is in regard to linux, but if anyone knows of a general *nix method that would be good. I booted a system yesterday with an ethernet cable plugged in. «NetworkManager» is not installed, so once it started I went to look for the name of the ethernet interface with ifconfig to start a DHCP client manually, but it did not show anything other than lo . The NIC was listed via lspci , and the appropriate kernel driver was loaded. The system normally uses wifi, and I could remember the interface name for that was wlan0 . When I tried ifconfig wlan0 up , wlan0 appeared. But the only ethernet interface names I could remember were eth[N] and em[N] — neither of which worked. This document refers to «predictable interface names» but does not do a good job of explaining what they might be in simple terms. It does refer to a piece of source code which implies the name in this case might be deduced from the the PCI bus and slot numbers, which seems like an unnecessarily complicated hassle. Other searching around led me to believe that this might be determined by systemd in conjunction with udev , but there are almost 100 files in /usr/lib/udev/rules.d and spending an hour trying to determine where (and if) there’s a systemd config file for this also seems ridiculous. It would also be nice to know for certain that they are available, not just how they might be named if they are, so I can rule out hardware problems, etc. Isn’t there a simple way to find the names of available network interfaces on linux?
In the question you state that you used ip link but then you accept an answer that suggests ip link show which does the exactly same thing. Why?
The manual pages for iproute2 are quite good nowadays, I guess you’re using and older version of the package.