How to Find Available IP Addresses in a Network Using Nmap Scan (with Code Examples)


2 views

When managing network infrastructure, administrators often need to identify unused IP addresses within a subnet. While the nmap -sP (or -sn in newer versions) ping scan shows active hosts, we actually need the inverse information - which IPs aren't responding.

Instead of listing active hosts, we can:

  1. Generate the complete list of IPs in your subnet
  2. Run an nmap scan to identify active hosts
  3. Compare the lists to find available IPs

Here's a Bash script that automates this process:

#!/bin/bash

# Define your network
NETWORK="192.168.1.0/24"

# Generate full IP list
nmap -sL $NETWORK | grep "Nmap scan report" | awk '{print $NF}' > all_ips.txt

# Scan for live hosts
nmap -sn $NETWORK | grep "Nmap scan report" | awk '{print $NF}' > active_ips.txt

# Find available IPs
grep -Fxv -f active_ips.txt all_ips.txt > available_ips.txt

echo "Available IP addresses:"
cat available_ips.txt

For more complex environments, here's a Python approach using python-nmap:

import nmap

nm = nmap.PortScanner()
network = '192.168.1.0/24'

# Perform ping scan
nm.scan(hosts=network, arguments='-sn')

# Get all possible IPs in network
all_ips = [f"192.168.1.{i}" for i in range(1, 255)]
active_ips = nm.all_hosts()

# Find difference
available_ips = set(all_ips) - set(active_ips)

print("Available IP addresses:")
for ip in sorted(available_ips):
    print(ip)

For bigger networks (/16 or larger), consider these optimizations:

  • Use --max-rtt-timeout to reduce scan time
  • Add --min-parallelism to increase speed
  • Exclude known static IPs from the scan

Remember that:

  • Some hosts might block ICMP (ping) requests
  • DHCP leases might show as available but are actually assigned
  • Always verify critical results manually

When administering a network, one common task is identifying which IP addresses are available within a subnet. While nmap -sP 192.168.1.0/24 (or the newer -sn option) effectively shows active hosts, we actually need the inverse information - the unused IPs.

The solution involves scanning for active hosts first, then calculating the available IPs by subtracting these from the full range:

# First, scan and save live hosts to a file
nmap -sn 192.168.1.0/24 -oG live_hosts.txt

# Then extract just the IP addresses
grep "Host:" live_hosts.txt | cut -d " " -f 2 > active_ips.txt

We need to compare against the complete subnet range. Here's a Python snippet to generate all possible IPs in a /24 subnet:

import ipaddress

subnet = ipaddress.ip_network('192.168.1.0/24')
all_ips = [str(ip) for ip in subnet.hosts()]

Now we can find the difference between all possible IPs and active ones:

with open('active_ips.txt') as f:
    active_ips = set(line.strip() for line in f)

available_ips = [ip for ip in all_ips if ip not in active_ips]
print("Available IPs:", available_ips)

For quicker results, you can combine these steps in a bash one-liner:

comm -23 <(nmap -n -sn 192.168.1.0/24 -oG - | awk '/Status: Up/{print $2}' | sort) \
<(nmap -n -sn 192.168.1.0/24 -oG - | awk '/^Host:/{print $2}' | sort)

Remember that some IPs might be reserved (like network gateway) or temporarily unavailable due to DHCP leases. Always verify critical network configurations before assigning new IPs.