How to Get a List of All Valid IP Addresses in a Local Network?

Finding all active IP addresses on your local network is useful for network administration, troubleshooting connectivity issues, identifying unauthorized devices, or simply seeing what's connected to your network. Whether you're managing a home network or an enterprise environment, several tools can help you discover active hosts.

This guide covers different methods to scan your local network and identify which IP addresses are in use.

TLDR

Use nmap -sn 192.168.1.0/24 to scan your local network and find active hosts. For faster ARP-based scanning, use sudo arp-scan --localnet. On Windows, combine arp -a with ping sweeps. These tools discover devices by sending network packets and analyzing responses.

Prerequisites

You need basic networking knowledge (understanding IP addresses, subnets, and CIDR notation). Access to your local network and permission to scan it is required. Some tools need administrator or root privileges.

Understanding Your Network Range

Before scanning, identify your network range. Your local network typically uses private IP address ranges:

192.168.0.0/16    (192.168.0.0 - 192.168.255.255)
172.16.0.0/12     (172.16.0.0 - 172.31.255.255)
10.0.0.0/8        (10.0.0.0 - 10.255.255.255)

Most home networks use 192.168.1.0/24 (192.168.1.1 - 192.168.1.254) or similar.

Find your network range:

# Linux/macOS
ip addr show
# or
ifconfig

# Windows
ipconfig

Look for your IP address and subnet mask:

inet 192.168.1.100/24

The /24 means the first 24 bits are the network portion, giving you 256 possible addresses (192.168.1.0 through 192.168.1.255).

Using nmap for Network Discovery

Nmap is the most versatile network scanning tool available. It's powerful, fast, and provides detailed information about discovered hosts.

Basic Host Discovery

Scan your entire subnet to find active hosts:

# Ping scan (no port scan)
nmap -sn 192.168.1.0/24

The -sn flag (formerly -sP) does a ping scan without port scanning, making it faster and less intrusive.

Example output:

Starting Nmap 7.92
Nmap scan report for router.local (192.168.1.1)
Host is up (0.0023s latency).

Nmap scan report for laptop.local (192.168.1.45)
Host is up (0.012s latency).

Nmap scan report for phone.local (192.168.1.87)
Host is up (0.034s latency).

Nmap scan report for printer.local (192.168.1.120)
Host is up (0.056s latency).

Nmap done: 256 IP addresses (4 hosts up) scanned in 2.45 seconds

Getting Clean IP List

Extract just the IP addresses:

nmap -sn 192.168.1.0/24 | grep "Nmap scan report" | awk '{print $5}'

Output:

192.168.1.1
192.168.1.45
192.168.1.87
192.168.1.120

Including MAC Addresses

Run with sudo to get MAC addresses:

sudo nmap -sn 192.168.1.0/24

Output includes hardware info:

Nmap scan report for 192.168.1.45
Host is up (0.012s latency).
MAC Address: 00:1A:2B:3C:4D:5E (Apple)

Faster Scanning

Speed up scans by adjusting timing:

# Aggressive timing (faster but more detectable)
nmap -sn -T4 192.168.1.0/24

# Insane timing (very fast, may miss hosts)
nmap -sn -T5 192.168.1.0/24

Using arp-scan for Fast Local Discovery

Arp-scan is faster than nmap for local network discovery because it uses ARP requests, which work at layer 2 and don't require IP routing.

Install arp-scan

# Debian/Ubuntu
sudo apt-get install arp-scan

# Red Hat/CentOS
sudo yum install arp-scan

# macOS
brew install arp-scan

Scan Your Local Network

# Scan all local networks
sudo arp-scan --localnet

# Or specify interface
sudo arp-scan --interface=eth0 --localnet

Output:

Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts
192.168.1.1     00:11:22:33:44:55       TP-LINK TECHNOLOGIES CO.,LTD.
192.168.1.45    00:1A:2B:3C:4D:5E       Apple, Inc.
192.168.1.87    AA:BB:CC:DD:EE:FF       Samsung Electronics Co.,Ltd
192.168.1.120   11:22:33:44:55:66       Hewlett Packard

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 1.92 seconds

Arp-scan is typically faster than nmap for local networks because ARP operates at the data link layer.

Scan Specific Range

# Scan a specific range
sudo arp-scan 192.168.1.1-192.168.1.100

# Or use CIDR notation
sudo arp-scan 192.168.1.0/24

Using Native OS Commands

Linux: arp and ping

Combine ping and arp to discover hosts:

# Ping sweep the network
for ip in 192.168.1.{1..254}; do
    ping -c 1 -W 1 $ip > /dev/null 2>&1 && echo "$ip is up"
done

This pings each address once with a 1-second timeout, then reports which responded.

After pinging, check the ARP cache:

arp -a

Output:

? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.45) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.1.87) at aa:bb:cc:dd:ee:ff [ether] on eth0

macOS: arp-scan or nmap

macOS includes arp but doesn't have arp-scan by default:

# Install via Homebrew
brew install arp-scan nmap

# Then use arp-scan
sudo arp-scan --localnet

Or use the native arp -a after a ping sweep:

for ip in 192.168.1.{1..254}; do
    ping -c 1 -t 1 $ip > /dev/null 2>&1
done

arp -a

Windows: PowerShell Network Scan

Use PowerShell to scan your network:

# Get your network range
$network = "192.168.1"

# Ping sweep
1..254 | ForEach-Object {
    $ip = "$network.$_"
    $ping = Test-Connection -ComputerName $ip -Count 1 -Quiet -TimeoutSeconds 1
    if ($ping) {
        Write-Host "$ip is online"
    }
}

Check ARP cache after scanning:

arp -a

More elegant PowerShell version with parallel execution:

$network = "192.168.1"
$range = 1..254

$range | ForEach-Object -Parallel {
    $ip = "$using:network.$_"
    if (Test-Connection -ComputerName $ip -Count 1 -Quiet -TimeoutSeconds 1) {
        $ip
    }
} -ThrottleLimit 50

Using fping for Efficient Ping Sweeps

Fping sends pings in parallel, making it much faster than sequential ping:

# Install fping
sudo apt-get install fping  # Debian/Ubuntu
brew install fping          # macOS

# Scan network
fping -a -g 192.168.1.0/24 2>/dev/null

The -a flag shows only alive hosts, -g generates a target list from the CIDR range.

Output:

192.168.1.1
192.168.1.45
192.168.1.87
192.168.1.120

Python Script for Network Scanning

Create a simple network scanner in Python:

#!/usr/bin/env python3
import subprocess
import ipaddress
from concurrent.futures import ThreadPoolExecutor

def ping_host(ip):
    """Ping a single host and return IP if alive"""
    try:
        # Use -c 1 for one ping, -W 1 for 1 second timeout
        result = subprocess.run(
            ['ping', '-c', '1', '-W', '1', str(ip)],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL
        )
        if result.returncode == 0:
            return str(ip)
    except Exception:
        pass
    return None

def scan_network(network):
    """Scan a network range for active hosts"""
    net = ipaddress.ip_network(network, strict=False)
    alive_hosts = []

    # Use thread pool for parallel pinging
    with ThreadPoolExecutor(max_workers=50) as executor:
        results = executor.map(ping_host, net.hosts())

    alive_hosts = [ip for ip in results if ip]
    return alive_hosts

if __name__ == '__main__':
    network = '192.168.1.0/24'
    print(f"Scanning {network}...")

    hosts = scan_network(network)

    print(f"\nFound {len(hosts)} active hosts:")
    for host in hosts:
        print(f"  {host}")

Save as network_scan.py and run:

python3 network_scan.py

Identifying Devices by MAC Address

Once you have IP and MAC addresses, identify manufacturers:

# nmap includes MAC vendor lookup
sudo nmap -sn 192.168.1.0/24 | grep "MAC Address"

Or query online MAC address databases:

# Using macvendors.com API
MAC="00:1A:2B:3C:4D:5E"
curl -s "https://api.macvendors.com/$MAC"

Output: Apple, Inc.

Security and Ethical Considerations

Only scan networks you own or have permission to scan. Unauthorized network scanning can be illegal and may violate terms of service for some networks.

Notify your security team: In corporate environments, inform your security team before scanning. Automated security systems may flag scanning activity as potential attacks.

Use appropriate timing: Aggressive scans can impact network performance. Use gentler timing options during business hours.

Respect privacy: Just because you can see a device doesn't mean you should try to access it without authorization.

Saving and Comparing Results

Save scan results to track network changes:

# Save to file with timestamp
nmap -sn 192.168.1.0/24 | grep "Nmap scan report" > scan_$(date +%Y%m%d).txt

# Compare with previous scan
diff scan_20250709.txt scan_20250710.txt

This helps identify new or missing devices on your network.

Troubleshooting Common Issues

No hosts found

Check if you're scanning the correct network range:

# Verify your IP and subnet
ip addr show

Make sure firewalls aren't blocking your scan:

# Temporarily disable firewall (be careful!)
sudo ufw disable  # Ubuntu
sudo systemctl stop firewalld  # CentOS/RHEL

Permission denied

Many scanning tools require root/admin privileges:

# Use sudo
sudo nmap -sn 192.168.1.0/24
sudo arp-scan --localnet

Slow scans

Reduce the scope or use faster tools:

# Scan smaller range
nmap -sn 192.168.1.1-50

# Use arp-scan instead (faster for local networks)
sudo arp-scan --localnet

Discovering active IP addresses on your local network is straightforward with the right tools. Nmap provides detailed, flexible scanning capabilities, while arp-scan offers speed for local networks. Choose the tool that fits your needs, always scan responsibly, and remember that network visibility is the first step toward effective network management and security.