I remote connect into networks frequently and there are times when I’m not sure what is on the network (like network printers, etc.) and I need to find out. Unfortunately, the system I connect to doesn’t have administrative privileges to run some of the ping sweep software available and quite frankly, I don’t want to waste clients’ time downloading ancillary software etc. so here is a command-line method for quickly identifying devices on a network. Note that this is by no means a definitive scan but I typically use this command to find network printers/devices quickly. If the systems on the network have firewalls etc, your results may vary of course.
for /L %x in (1,1,255) do @ping -n 1 192.168.0.%x -w 100 | find "Reply"
/L here indicates the set is a sequence of numbers.
-n 1 indicates send one ping attempt.
-w indicates the wait timeout, specified in milliseconds (helps speed the sweep up since default is 1 second).
Example Output:
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.3: bytes=32 time<1ms TTL=64
Reply from 192.168.0.5: bytes=32 time<1ms TTL=64
Reply from 192.168.0.6: bytes=32 time=3ms TTL=60
Reply from 192.168.0.7: bytes=32 time<1ms TTL=128
Note: To get all the devices on the network, you can use the following code. This will return all hosts, even if they are not pingable:
for /L %x in (1,1,255) do @ping -n 1 192.168.0.%x -w 100 | arp -a | findstr /R /C:"192\.168\.0\.%x[ ].*ic"
The \. and [ ].*ic are important for the findstr regex to work and return proper results. The \ escapes the . (otherwise it would match any single character), and the [ ] matches the space after the end of the IP address, so a search for .10 doesn't also return .100, .101, .102 and so on. The .*ic matches the end of the arp line for dynamic or static, since we don't want invalid.
I use this in a batch file and put it in my system path so I can call on it when I need it.
@echo off
:: Quick ping sweep using Windows 'ping'. Pass this script the first three octets of
:: the network you want to sweep. This isn't advanced and will sweep the whole /24.
:: Usage: pingsweep x.x.x
:: Example: pingsweep 192.168.1
color 1f
for /L %%x in (1,1,255) do @ping -n 1 %1.%%x -w 25 | find "Reply"
Example Output
C:Users kreider>for /L %x in (1,1,255) do @ping -n 1 192.168.0.%x -w 100 | arp -a | findstr /R /C:"192\.168\.0\.%x[ ].*ic"
  192.168.0.1           c8-4c-75-df-66-7f     dynamic
  192.168.0.3           00-1a-62-02-90-46     dynamic
  192.168.0.5           00-50-56-9f-00-38     dynamic
  192.168.0.6           00-01-e6-59-c7-93     dynamic
  192.168.0.8           00-0f-1f-68-e6-fd     dynamic
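An added example, not code from the original post: a Python filter over saved arp -a output that applies the same rules as the findstr expression above (exact address match, dynamic or static only). The sample table is constructed and the function names are hypothetical. It also drops broadcast and multicast rows, which the .*ic match lets through because Windows lists them as static.

```python
import ipaddress
import re

# Constructed sample of Windows `arp -a` output (not captured from a real host).
SAMPLE_ARP = """\
Interface: 192.168.0.7 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           c8-4c-75-df-66-7f     dynamic
  192.168.0.10          00-1a-62-02-90-46     dynamic
  192.168.0.100         00-50-56-9f-00-38     dynamic
  192.168.0.12          00-00-00-00-00-00     invalid
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$", re.I)


def live_hosts(arp_output, network):
    """Return sorted (ip, mac, type) rows that are real neighbours in `network`."""
    net = ipaddress.ip_network(network)
    hosts = set()
    for line in arp_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        ip = ipaddress.ip_address(m.group(1))
        mac, kind = m.group(2).lower(), m.group(3).lower()
        if kind not in ("dynamic", "static"):
            continue  # same intent as the post's ".*ic": drop "invalid"
        if ip not in net or ip == net.broadcast_address:
            continue  # other subnets and the subnet broadcast address
        if int(mac[:2], 16) & 1:
            continue  # group bit set: broadcast or multicast MAC, not a device
        hosts.add((ip, mac, kind))
    return [(str(ip), mac, kind) for ip, mac, kind in sorted(hosts)]


def naive_match(arp_output, pattern):
    """First column of every line a findstr-style regex search would select."""
    return [line.split()[0] for line in arp_output.splitlines() if re.search(pattern, line)]


if __name__ == "__main__":
    for ip, mac, kind in live_hosts(SAMPLE_ARP, "192.168.0.0/24"):
        print(f"{ip:<16}{mac}  {kind}")
```

To use it on a real network, save the table with arp -a > arp.txt on the remote system and pass the file contents to live_hosts.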
I have a better solution.
Many people think ping is the way to check for live hosts. Well, it isn’t.
arp is.
This is my batch script for detecting live hosts on a network.
When you run it you will see multiple cmd screens appearing – don’t be alarmed, this is only for multi-threading the process.
When all screens disappear, press Enter and you will see all live hosts.
———————————————–
@echo off
cls
arp -d >nul
for /L %%x in (1,1,255) do @start ping -n 1 10.20.30.%%x -w 1 >nul
pause
arp -a | find "10.20.30."
pause
—————————————————–
Notes:
1. Change the 10.20.30 to the network you want to scan (both in the for command and in the arp -a command).
2. For the arp -d to work you need local admin on the machine, but you can delete this line. You need it to remove the old arp table.
Enjoy.
Or an even more automatic script:
——————————————————-
@echo off
cls
arp -d >nul
for /L %%x in (1,1,254) do @start ping -n 1 192.168.10.%%x -w 1 >nul
:again
timeout /t 1 /nobreak > NUL
rem errorlevel 0 from find means a PING.EXE window is still open, so keep waiting
tasklist | find /I "PING.EXE"
if %errorlevel%==0 goto again
if %errorlevel%==1 goto next
:next
cls
arp -a | find "192.168.10."
pause
——————————————————–
Yes, I included the arp in the one-liner:
Thanks for the feedback!
You’re just deleting the arp cache before doing the ping scan, so if a host does not respond to pings it will still not find it.
The host does not need to respond to ICMP in order for arp discovery.
Where can I find the results of this script?
I have added example output to the post above. Thanks for the feedback!
Rich,
I ran the command
for /L %i in (1,1,255) do @ping -n 1 -w 25 192.168.1.%i | arp -a | findstr /R /C:"192.168.1.%i[ ]"
but did not see any output. Does it output to a file or should the results be listed in the Command Prompt?
I am running Windows Server 2008 R2.
Thanks for the help!
The output should be to the console.
I fixed some filtering errors that WordPress took out of my code. The correct line should read:
You may also need to enable ICMP echoes through the firewall on your 2008 R2 box if you haven’t yet.
http://www.techish.net/windows/allow-inbound-icmp-on-server-2008-r2/