Nmap: find free IPs from the range

Using Nmap like this is a fairly accurate way of doing what you asked, provided that some preconditions are true:

  1. You must run the scan as root (or Administrator on Windows) in order to send ARP requests, not TCP connections. Otherwise the scan may report an address as "down" when it is simply firewalled.
  2. You can only do this from a system on the same data link (layer 2) as the address range you are scanning. Otherwise, Nmap will need to use network-layer probes which can be blocked by a firewall.

In order to get the "available" addresses, you need to get the list of addresses that Nmap reports as "down." You can do this with a simple awk command:

sudo nmap -v -sn -n 192.168.1.0/24 -oG - | awk '/Status: Down/{print $2}'

Summary of Nmap options used:

  • When you use the -v option, Nmap will print the addresses it finds as "down" in addition to the ones that are "up".
  • Instead of -sP, I've substituted the newer spelling -sn, which still accomplishes the same scan, but means "skip the port scan" instead of the misleading "Ping scan" (since the host discovery phase does not necessarily mean an ICMP Echo scan or Ping).
  • The -n option skips reverse DNS lookups, which buys you a bit of time, since you aren't interested in names but just IP addresses.
  • The -oG option tells Nmap to output grepable format, which is easier for awk to process. The argument "-" tells it to send this output to stdout.

The awk command then searches for "Status: Down" and prints the second field, containing the IP address.

Of course, if you have access to the switch's running configs or the DHCP server's leases, you could get this answer much more authoritatively without doing a scan that could set off security alarms.
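As an added example (not part of the answer above), the following POSIX shell script packages the same pipeline into reusable functions: one that parses Nmap's grepable output for hosts marked Down, and one that runs the actual root-privileged ARP sweep and feeds it through that parser. The scan output embedded in `sample_output` is constructed to look like what `nmap -v -sn -n -oG -` prints, so the parser can be exercised offline without Nmap installed; the function names and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Extract the "free" (reported Down) addresses from Nmap grepable output.
# Grepable lines look like:  Host: 192.168.1.2 ()<TAB>Status: Down
# Only "Host:" lines are considered; the "# Nmap done" trailer is ignored.
free_ips() {
    awk '/^Host:/ && /Status: Down/ { print $2 }'
}

# Run the real host-discovery sweep and print the addresses reported Down.
# -sn: skip the port scan   -n: no reverse DNS   -v: also list Down hosts
# -oG -: grepable output to stdout.  Root (via sudo) is needed so that Nmap
# uses ARP on the local segment instead of firewall-prone IP-layer probes.
scan_free_ips() {
    range="$1"
    command -v nmap >/dev/null 2>&1 || { echo "nmap not found" >&2; return 1; }
    sudo nmap -v -sn -n "$range" -oG - | free_ips
}

# Constructed sample (assumption of this example): what a -v -sn -n -oG scan of a
# small range might print. Tabs separate the fields exactly as Nmap emits them.
sample_output() {
    printf '%s\n' \
        '# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -v -sn -n 192.168.1.0/24 -oG -' \
        'Host: 192.168.1.1 ()	Status: Up' \
        'Host: 192.168.1.2 ()	Status: Down' \
        'Host: 192.168.1.3 ()	Status: Down' \
        'Host: 192.168.1.10 ()	Status: Up' \
        'Host: 192.168.1.254 ()	Status: Down' \
        '# Nmap done at Mon Jan  1 12:00:02 2024 -- 256 IP addresses (2 hosts up) scanned in 2.00 seconds'
}

# With a range argument, run a real scan; otherwise demonstrate on the sample.
if [ $# -gt 0 ]; then
    scan_free_ips "$1"
else
    sample_output | free_ips
fi
```

Usage: `sh free_ips.sh 192.168.1.0/24` (prompts for sudo). Treat the result as a candidate list rather than proof that an address is unused: a host that is powered off, sleeping, or behind a proxy-ARP device will also show as Down, and a static or DHCP-reserved address can be assigned yet silent at scan time, which is why the lease table or switch configuration is the authoritative source.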
