How to Find Unused IP Addresses on a Linux Network Using Nmap and ARP Scanning

When working with static IP configurations in a /25 network (netmask 255.255.255.128), identifying available IP addresses becomes crucial before assigning additional addresses to a host. The discrepancy in your nmap results between hosts A and B suggests potential networking or firewall issues affecting discovery.

Your initial attempt with nmap -sP -PR 172.16.128.* reveals several important technical considerations:

# The -sP flag (ping scan) is deprecated in newer nmap versions
# The -PR flag enables ARP ping for local networks
# The wildcard (*) syntax might behave differently across systems

For RHEL 6.5 with nmap 5.51, these alternative approaches often yield better results:

Method 1: Comprehensive ARP Scan

sudo nmap -sn -PR 172.16.128.0/25

This performs an ARP-level discovery of all hosts in the /25 subnet, bypassing potential ICMP restrictions.

Method 2: Sequential Ping Test

for ip in $(seq 1 126); do 
  ping -c 1 172.16.128.$ip | grep "bytes from" & 
done

The ampersand (&) runs pings in parallel for faster scanning.

Method 3: ARP Cache Examination

arp -an | grep -v incomplete
ip neighbor show

The differences between hosts A and B likely stem from:

Firewall rules blocking ARP or ICMP
Network interface promiscuous mode settings
VLAN configuration differences
Physical layer connectivity issues

To validate your findings:

# Cross-check with tcpdump
sudo tcpdump -i eth0 arp or icmp

# Test connectivity with nc
nc -zv 172.16.128.55 22

For ongoing network management, consider implementing:

# Simple IP tracker script
#!/bin/bash
NETWORK="172.16.128.0"
MASK=25
DATE=$(date +%Y%m%d)
LOGFILE="/var/log/ip_tracker_$DATE.log"

nmap -sn -PR $NETWORK/$MASK | grep "Nmap scan report" > $LOGFILE

When nmap proves unreliable:

arp-scan --localnet
netdiscover -r 172.16.128.0/25
fping -g 172.16.128.1 172.16.128.126

When managing a network with static IP assignments (e.g., subnet mask 255.255.255.128), identifying unused IPs is critical for avoiding conflicts. The inconsistency in nmap -sP -PR results across machines (e.g., one showing 8 hosts, another showing 0) suggests ARP caching or permission issues.

The discrepancy arises because:

Machine A: Likely has ARP cache populated from recent traffic, making scanned hosts visible.
Machine B: May lack ARP entries due to firewall rules (iptables), network isolation, or incorrect Nmap syntax.

1. ARP Scanning with Nmap (Root Required)

sudo nmap -sn -PR 172.16.128.0/25

Flags explained:

-sn: Skip port scanning (ping-only).
-PR: Force ARP discovery (bypasses ICMP blocks).
/25: Matches the /25 subnet (255.255.255.128).

2. Cross-Verification with ARP Command

arp -an | grep -v incomplete

This lists all ARP-resolved IPs in the local cache.

3. Ping Sweep Alternative

for ip in $(seq 1 126); do ping -c 1 172.16.128.$ip | grep "bytes from"; done

Note: ICMP may be blocked on some hosts.

If Nmap shows 0 hosts:

Verify subnet range: ip addr show to confirm your interface’s subnet.
Check firewall: sudo iptables -L for dropped ARP/ICMP.
Test with broadcast ping: ping -b 172.16.128.255 (may trigger ARP updates).

Nmap scan report for 172.16.128.10
Host is up (0.00052s latency).
MAC Address: 00:1A:2B:XX:XX:XX (VendorName)

Unused IPs will lack such entries. Compile a list of absent IPs from the full subnet range.

Bash script to compare Nmap results with subnet range:

#!/bin/bash
SUBNET="172.16.128"
USED_IPS=$(sudo nmap -sn -PR $SUBNET.0/25 | grep "report for" | cut -d" " -f5)
for i in {1..126}; do
  if ! echo "$USED_IPS" | grep -q "$SUBNET.$i"; then
    echo "$SUBNET.$i is unused"
  fi
done