Linux scan ip range

Nmap: Scan IP Ranges

This tutorial explains all Nmap techniques to define IP ranges to scan.

Nmap is the most popular network scan among Linux users and network administrators. It is extremely powerful and flexible, allowing it to scan ports, IP ranges, entire networks, multiple unrelated targets, vulnerabilities, and more.

It is widely used for both network problems diagnosis and security auditing. Managing Nmap is mandatory for server, network administrators, and any user concerned on his network security.

Scanning IP ranges with Nmap (Network Mapper) network scanner is easy thanks to Nmap’s flexibility. Users can scan single targets, whole subnets, partial subnets, file lists with targets, and can even instruct Nmap to generate random targets, or to discover possible targets within a network based on specific conditions or arbitrarily.

All examples given in this document include screenshots, making it easy for all readers to understand how commands are applied.

Previous Example With Single Target

Before starting with IP ranges and multiple targets, users without experience with Nmap can see how attacks against single targets are launched.

The first introductory example shows how to scan a single target ( Nmap sees any content of the argument which isn’t an option as a target. The following example doesn’t include options, it only calls nmap and defines the target by its domain name, which can be replaced with an IP address.

Nmap reveals ports http and https are open while 996 ports remain filtered by a firewall. Nmap by default scans the 1000 main common ports only.

How to Scan IP Ranges With Nmap

Scanning a range belonging to a Class C network is easy using a hyphen to define the range. My home network is a class C network with IPs 192.168.0.X. The following example shows how to scan a specific range of hosts within my class C network, the range goes from 1 to 30:

Users can define IP ranges by implementing a hyphen between the minimum and maximum ranges (e.g, nmap

In the following example, the user scans a C class network (/24) range between IPs and

For users who are not familiar with IP classes, we have added an introduction to them at the end of the practical sections of this document.

The IP range is defined with a hyphen between 1 and 200 in the last octet destined for hosts.

In the previous example, the user scans for available hosts on addresses going from to finding 2 devices within the instructed range. nmap shows their opened ports from the most common 1000 ports.

The user can define IP ranges in all octets, as shown below.

To scan a Class B network specific range, the user can implement the same method adding a hyphen in the last 2 octets. In the following example, the last two octets of the Class B network with IP 186.33.X.X will be scanned. For the third octet, the IP range 200-220, while for the fourth octet the range 80-120 are scanned. Such a scan may take a while to end.

Читайте также:  Ккм выдает ошибку что делать

To scan an entire subnet, the user can use the CIDR format as shown below.

Nmap: Scanning Octets Using Wildcards

The examples above show how to scan ranges belonging to subnetworks Class A and B. What if rather than defining a limited range we want to scan the whole octet?

The user can define a range between 1 and 254 but can also use the wildcard (*) to instruct Nmap to check all available addresses within an octet. The following example instructs Nmap to scan all hosts of a Class C network:

Optionally, if the user scans the whole range of an octet, he can define it with a wildcard as shown in the screenshot below.

Wildcards can be used in more than one octet. In the example below, the entire IP ranges of two last octets are scanned.

Hyphens and wildcards can be combined, like in the next example, in which all last octet ranges are scanned for IPs 192.168.0.*, 192.168.1.* and 192.168.2.*.

If the user is trying to discover alive hosts, he can implement a ping sweep scan with Nmap, which will omit the port scanning. This will faster return a result.

Scanning Targets From a Targets List

Nmap allows users to scan targets defined in a list file. The list can include IP ranges and full octet scan.

As the reader can see, the list below includes domain name, IP address, IP ranges, and range combined with wildcard.

The file is named “targets”.

To import the targets from the list, the required Nmap flag is -iL followed by the list file name.

The –exclude argument allows to exclude a target from the list.

In the practical example below, the domain included in the targets list is omitted.

Scanning Random Targets With Nmap

The option -iR allows the user to instruct nmap to randomly generate targets. The user can decide how many targets Nmap will generate. To scan 50 random targets the syntax is:

The user can replace the number 50 with the number of random hosts he wants Nmap to generate.

Using Hyphens to Define Port Ranges

Hyphens are an important character for Nmap users.

This tutorial is an opportunity to show how hyphens can be implemented also to define port ranges.

In the example below, a hyphen is added to define a port range between 20 and 25.

The next example shows more than one port range can be defined with Nmap.

In the previous section dedicated to IP ranges, it was described how to exclude certain targets from a scan.

The –exclude-ports argument allows to exclude ports, or ports range as shown in the screenshot below.

For examples showing how to scan all ports unconditionally or based on specific conditions, we highly recommend reading Scanning all ports with Nmap.

About IP Classes

IP addresses are 32 bits binary numbers separated by periods in 4 sections of 8 bits each, used to identify networks and hosts. The result of the binary conversion to decimal is the IP format we always see. An example of a decimal IP address would be

When in decimal format, IP addresses consist of 4 numbers ranging from 0 to 255 separated by periods. For example:

Each of those numbers separated by periods are known as octet. In the previous example, 240 is an octet, 34 is another octet, 82 the third octet, and 213 the last one. Each octet consists of 8 bits (32 in total).

Читайте также:  Как напечатать с флешки на принтере kyocera

Depending on the IP class, some bits or octets are used to identify a network, while the rest are used to identify the hosts in the network.

The quantity of octets belonging to the network and to the host varies and is determined by the type of network or IP class. While there are 5 classes of IP addresses (for the IPV4 protocol only) for this tutorial, I’ll focus only on classes A, B, and C.

All IP addresses with the first octet going from the number 1 to 126 belong to class A. All IP addresses with the first octet going from number 128 to 191 belong to class B and All IP addresses with the first octet going from number 192 to 223 belong to class C.

Range Class Octets
1-126 Class A X.Y.Y.Y
128-191 Class B X.X.Y.Y
192-223 Class C X.X.X.Y

Where: X is the network address and Y the host address.

Therefore, if your network starts as 192.X.X.X, you have a Class C IP and only the final octet will vary to identify each device connected to your network. So, if your network is 192.168.0.X, the first 3 octets will remain and only the final octet will be different for each device, one may be, other, first 3 octets will remain as network identifiers.

Note: For deeper information on this subject, we recommend reading IP Classes Explained.


Nmap is extremely flexible allowing users to play with the syntax for custom scans. Defining targets with Nmap is part of the basic knowledge new Nmap users acquire. There is no need for advanced knowledge, by incorporating knowledge on IP classes and CIDR, users can fully understand this Nmap aspect.

Instructions previously described can be applied on all Linux distributions and even the Zenmap GUI for Nmap. Nmap is also available for Unix, Mac and Windows operating systems. Other good alternatives to Nmap you may want to check are OpenVAS, Nexpose, Nikto and Superscan, which aim to be faster than Nmap, but with a lot less functionalities.

About the author

David Adams

David Adams is a System Admin and writer that is focused on open source technologies, security software, and computer systems.


How to scan for IP addresses on your network with Linux

Account Information

Share with Your Friends

How to scan for IP addresses on your network with Linux

How to scan for IP addresses on your network with Linux

Are you having trouble remembering what IP addresses are in use on your network? Jack Wallen shows you how to discover those addresses with two simple commands.

We may be compensated by vendors who appear on this page through methods such as affiliate links or sponsored partnerships. This may influence how and where their products appear on our site, but vendors cannot pay to influence the content of our reviews. For more info, visit our Terms of Use page.

How many times have you tried to configure a static IP address for a machine on your network, only to realize you had no idea what addresses were already taken? If you happen to work with a desktop machine, you could always install a tool like Wireshark to find out what addresses were in use. But what if you’re on a GUI-less server? You certainly won’t rely on a graphical-based tool for scanning IP addresses. Fortunately, there are some very simple-to-use command line tools that can handle this task.

Читайте также:  Как подключить принтер к вай фаю с паролем

Networking: Must-read coverage

I’m going to show you how to scan your Local Area Network (LAN) for IP addresses in use with two different tools (one of which will be installed on your server by default). I’ll demonstrate on Ubuntu Server 18.04.

Let’s get started.

The arp command

The first tool we’ll use for the task is the built-in arp command. Most IT admins are familiar with arp, as it is used on almost every platform. If you’ve never used arp (which stands for Address Resolution Protocol), the command is used to manipulate (or display) the kernel’s IPv4 network neighbor cache. If you issue arp with no mode specifier or options, it will print out the current content of the ARP table. That’s not what we’re going to do. Instead, we’ll issue the command like so:

The -a option uses and alternate BSD-style output and prints all known IP addresses found on your LAN. The output of the command will display IP addresses as well as the associated ethernet device (Figure A).

Figure A

You now have a listing of each IP address in use on your LAN. The only caveat, is that (unless you know the MAC address of every device on your network), you won’t have a clue as to which machine the IP addresses are assigned. Even without knowing what machine is associated with what address you at least know what addresses are being used.

Next, we use a command that offers more options. Said command is nmap. You won’t find nmap installed on your Linux machine by default, so we must add it to the system. Open a terminal window (or log into your GUI-less server) and issue the command:

sudo apt-get install nmap -y

Once the installation completes, you are ready to scan your LAN with nmap. To find out what addresses are in use, issue the command:

nmap -sP

Note: You will need to alter the IP address scheme to match yours.

The output of the command (Figure B), will show you each address found on your LAN.

Figure B

Let’s make nmap more useful. Because it offers a bit more flexibility, we can also discover what operating system is associated with an IP address. To do this, we’ll use the options -sT (TCP connect scan) and -O (operating system discovery). The command for this is:

sudo nmap -sT -O

Depending on the size of your network, this command can take some time. And if your network is large, consider sending the output of the command to a file like so:

sudo nmap -sT -O > nmap_output

You can then view the file with a text editor to find out what operating system is attached to an IP address (Figure C).

Figure C

With the help of these two simple commands, you can locate IP addresses on your network that are in use. Now, when you’re assigning a static IP address, you won’t accidentally assign one already in use. We all know what kind of headaches that can cause.


Поделиться с друзьями