How to find unused IP Address on a network?

It will change. Your router will hand out ips and assign them as it sees fit. Now normally it starts at the bottom so stuff around the 200's is always free.

Agree with getochkn...

In addition there are several free network scanners available along with various network tools that can list IP addresses in use.

E.g., Advanced IP scanner, nmap, and so forth. Just google something like "network utilities", "network mapping".

As always, be careful about the source of the download(s) and the products themselves. Lots of iffy apps out there but if you take a bit of time you will find some good utilities from which to pick. I am sure that there are other posters within this forum that can suggest specific products.

Ping every single IP and then use ARP -a from cmd window. Even though a device may not respond to a ping it will respond to the ARP that the computer did right before the ping. You are looking for entrys that have a row of zeros and says invalid most times.

Hello,

I have been tinkering within Powershell and decided to try to automate the process to find unused IP addresses.....

I.e., Pinging the range 192.168.1.100-192.168.1.105 and then executing arp -a

-------------- Here is the Powershell .ps1:

#Ping an IP address range by IP
#Then use ARP -a to flag invalid IPs
$networkIP = "192.168.1."
For ($i=100; $i -lt 105; $i++)
{

$IP = $networkIP + $i

ping $IP

}

arp -a

----------------Here are the results:


Pinging 192.168.1.100 with 32 bytes of data:
Reply from 192.168.1.100: bytes=32 time<1ms TTL=64
Reply from 192.168.1.100: bytes=32 time<1ms TTL=64
Reply from 192.168.1.100: bytes=32 time<1ms TTL=64
Reply from 192.168.1.100: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 192.168.1.101 with 32 bytes of data:
Reply from 192.168.1.101: bytes=32 time<1ms TTL=64
Reply from 192.168.1.101: bytes=32 time<1ms TTL=64
Reply from 192.168.1.101: bytes=32 time<1ms TTL=64
Reply from 192.168.1.101: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.101:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 192.168.1.102 with 32 bytes of data:
Reply from 192.168.1.102: bytes=32 time<1ms TTL=128
Reply from 192.168.1.102: bytes=32 time<1ms TTL=128
Reply from 192.168.1.102: bytes=32 time<1ms TTL=128
Reply from 192.168.1.102: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.102:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 192.168.1.103 with 32 bytes of data:
Reply from 192.168.1.102: Destination host unreachable.
Reply from 192.168.1.102: Destination host unreachable.
Reply from 192.168.1.102: Destination host unreachable.
Reply from 192.168.1.102: Destination host unreachable.

Ping statistics for 192.168.1.103:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Pinging 192.168.1.104 with 32 bytes of data:
Reply from 192.168.1.102: Destination host unreachable.
Reply from 192.168.1.102: Destination host unreachable.
Reply from 192.168.1.102: Destination host unreachable.
Reply from 192.168.1.102: Destination host unreachable.

Ping statistics for 192.168.1.104:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Interface: 192.168.1.102 --- 0xa
Internet Address Physical Address Type
192.168.1.1 94-10-3e-00-34-95 dynamic
192.168.1.100 00-1e-8f-99-ef-d1 dynamic
192.168.1.101 00-90-a9-b3-79-bc dynamic
192.168.1.255 ff-ff-ff-ff-ff-ff static
224.0.0.2 01-00-5e-00-00-02 static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static

-------------End of results.

Not really sure about how to interpret the results even if I have all of the commands etc. correct. "Destination host unreachable" would imply an IP not it use but could also mean a static IP device just not online.

Should arp -a be truly at the end of the ping loop or executed after each ping?

Just trying to learn here. Thanks.

Arp is issue right before the the ping....it must get the mac address. If it fails can't actually send the ping packets because it does not know where to send it. Of course ones outside the subnet are send to the mac of the gateway which is generally always has.

Arp entries for things that do not respond are timeout very quickly. Entries for valid things also timeout pretty quickly on some OS. I forget the exact values but it is much less than many routers which many times will keep the entries for hours.

I think he's asking whether you need to query the ARP after each ping, or after all the pings (at the end of the loop).

I don't think I'd even bother with the ARP; simply looking for "Destination Host Unreachable" (as opposed to timed out) should tell you that there is no ARP entry.

It isn't really possible to search for devices with a static IP not connected to the network. Using static IPs tends to be a bad idea if you don't have a really good record of what's where.

Forcing it to a count of one and reducing the timeouts would probably make it a lot faster; we shouldn't be dealing with 300ms+ round trips on a local network.

The only reason I mention arp is windows firewall in certain cases will not respond to ping command. I am not sure what level you set the firewall to but there is one that discards does not respond to ping

Yes, but if it simply ignores the ping it will give "request timed out" (I think. Not in front of a Windows box right now). No MAC to send it to would result in the "Destination host unreachable" error above.

I did not know that thanks.

For example: (I don't think I've got any boxes on the local network that won't respond to pings, but I think it should act the same)

$ ping -c1 microsoft.com
PING microsoft.com (134.170.185.46) 56(84) bytes of data.

--- microsoft.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Click to expand...

Normal reply:

$ ping -c1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.358 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.358/0.358/0.358/0.000 ms

Click to expand...

No device using that IP:

$ ping -c1 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
From 192.168.1.136 icmp_seq=1 Destination Host Unreachable

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

Click to expand...

Ping on Windows formats it differently, but I think you should still be able to tell the difference between unreachable and not responding.

PS: Naughty MS, not responding to pings.

Thanks.

Played around with it all a bit more (e.g., used a single ping, varied where arp was placed, etc.) but pretty much in the mind that the results will always be suspect. I.e., unreachable vs not responding vs straight out "here is an unused IP address you can use" as Oleg11K is seeking

Discovered that one of my static devices was not showing up - not sure what that is all about.... Something to look into there.

Found some code examples where results like "Destination Host Unreachable" could be parsed out and changed to something like "IP address available" Parsing around for MAC addresses could be one way. Starting to get a bit messy and cumbersome beyond what I like. Still more to learn though.

Best use, in my mind, would be some script that would process a list of IP addresses known to be outside of the dynamic addresses available via the router. May expand into some attempts to incorporate native nmap commands, pipe the output data into a file, and parse it all via a database. Might even be able to use Excel if the output is fairly consistent. Perhaps more of a general exercise than useful but interesting things often turn up.

Anyway still would not prove that any given "unused" IP address was really available unless other factors are known (and known with some degree of certainty) about the user environment. "The absence of a signal should never be used as a signal..." or something like that as the quote goes.

Advanced IP scanner shows both active and inactive devices on my little network (primarily dynamic DHCP but with a couple of reserved (by MAC) static IPs. But I think the inactive devices only show up because the first scan data was saved and did not match the most recent scan. Any devices found in the previous scan but not in the following scan are greyed out.