Sometimes you will want to find out more about your local area network and what machines are running at certain IP addresses. Querying the domain name server can be unreliable since some machines may be hidden, so sending a direct ping is the most reliable way of checking for the existence of a machine.
There is a lot of downloadable software out there (NMap is awesome), but the simplest and most direct way to map out machines by IP addresses is to put together a batch file script and run it from a command prompt.
In this example I will be showing how to scan using IP version 4 ranges. Specifically I will show how to scan the final two dotted decimal ranges. So for example, if you want to scan a standard network, you would want to ping the ranges:
I have written the batch scripts in this article to loop through the IP address ranges of your choice and then to save a log to a text file to record the responses of active machines on the network. These scripts do take a bit of time to run so patience is necessary. If you want to scan more quickly then you can target a specific range, or modify the scripts to just scan the final dotted decimal range.
Overview of the Scripts
The first script will run fastest since it simply records ping responses to a log file. The second script will run more slowly because it also tries to derive a machine name for each machine. Although this second script runs more slowly, it can be very useful in putting meaning to the list of returned IP addresses.
In both scripts I also output the start and end times of the script to help you to know the total run time of the script.
The First Script: Logging the IP of Active Machines in a Range of IPv4 Addresses
In the script below you can clearly see that there are two FOR loops. The outer loop cycles through the third set of decimal ranges and the inner loop cycles through the fourth set of decimal ranges. For the sake of speed, I have set the outer loop to only cycle twice and the inner loop only to cycle ten times. You’ll need to adjust these numbers and IP addresses to scan the ranges that you are interested in.
As a reminder about batch file FOR loop syntax:
- The variable %%i needs two percent signs since it is in a batch file.
- The IN part of the statement in the form of (1,1,2) means (1 = the starting number, 1 = increment by one, 2 = the end number) .
- Finally, don’t forget to put the @ sign after the DO and before the ( to suppress extra text output to the command window.
As the script loops through the network machines and dynamically puts together IP addresses generated by the two FOR loops, the results of the Ping command get output to a file called IPScanResults.txt . Notice that the full contents of each ping would have too much extraneous information, so the command does a FIND for ping the response line that contains the keyword Reply and only outputs that line, since that line contains the information we are interested in. The ping command also limits its run time to 500 milliseconds using the -w syntax since otherwise the script would possibly take too much time to execute.
Finally notice that the script logs the start time when it was first run and then outputs this both to the command console and to the log file along with the time that the script finished running. This is useful meta information for you to know on average how long your scan took to run.
@ECHO Off set startTime=%time% ECHO Starting the IP Scan FOR /L %%i IN (1,1,2) DO @( ECHO Pinging IP Range: 192.168.%%i._ FOR /L %%z IN (1,1,10) DO @( echo Pinging IP: 192.168.%%i.%%z ping -n 1 -w 500 192.168.%%i.%%z | FIND /i "Reply">>IPScanResults.txt ) ) ECHO Run Time = %startTime% to %time%>>IPScanResults.txt ECHO *** IP Scan Complete. *** ECHO Check the file called IPScanResults.txt to see the results ECHO Run Time = %startTime% to %time%
The Second Script: Logging the IP and Machine Names of Active Machines in a Range of IPv4 Addresses
This script is identical to the pure Ping response logging script in the example above. The one significant difference is that this script logs a second line of output for each IP address scanned. I’ve posted the source for this script below.
The second line that the new command in this script will output is the result of the nbtstat command. This is meant to put a descriptive machine name in pace to help you identify what machine each identified IP address actually is. The nbstat command takes a significant amount of time to run, so this slows down this script considerably. However in my opinion, the value add of getting a machine name is worth the wait.
Note that the nbstat command is not completely effective or guaranteed to resolve a name. Nbstat queries NETBIOS and attempts a number of different ways of resolving the machine name on the network. However this is unreliable and not guaranteed to work so you will need to judge for yourself its effectiveness for the network that you are taking a look at.
I found the following article at TechRepublic article about the nbstat command to be very interesting. Have a look if you are interested in finding out more about its inner workings.
Also, in case you are not getting the results from nbstat that you are expecting, try using a different keyword in the FIND command. I have set it to <20>, which is the Server name in the returned nbstat NETBIOS name registration table. A possible alternate keyword to try out might be <00>, which is the Workstation name.
@ECHO Off set startTime=%time% ECHO Starting the IP Scan FOR /L %%i IN (1,1,2) DO @( ECHO Pinging IP Range: 192.168.%%i._ FOR /L %%z IN (1,1,10) DO @( echo Pinging IP: 192.168.%%i.%%z ping -n 1 -w 500 192.168.%%i.%%z | FIND /i "Reply">>IPScanResults.txt nbtstat -A 192.168.%%i.%%z | FIND /i "<20>">>IPScanResults.txt ) ) ECHO Run Time = %startTime% to %time%>>IPScanResults.txt ECHO *** IP Scan Complete. *** ECHO Check the file called IPScanResults.txt to see the results ECHO Run Time = %startTime% to %time%
Summing things Up
I hope these examples have been of some use and/or of some interest to you. Please feel free to write me a note in the comments below.
I have written a follow-up article to this article that addresses the issue of non-pingable machines on a network. This article expands on the examples I have described in this post and explains how to increase the accuracy of the machine detection routine.