Using nmap to determine which IPs are active on a subnet

Example: router with LAN IP address range

The address discovery is faster if you know which port is open on your targeted device (host). You can also discover the device if open port is unknown.

Unknown open port scan

nmap -sn 192.168.1.* --open

will tell you some of the IP addresses that are active on that subnet.


-sn just scan if active PC available (ping scan)

--open only tell which hosts appear to be up

Many devices will hide themselves from this scan, but it’s the first thing I try for finding a new device that attached to your network, such as an IoT device that isn’t trying to hide itself.

Port known, IP address scan

Port scanning is much faster when the open port is known. Note in some rare cases, there is a firewall schedule or port knocking as additional security that could cause a port scan to fail.

Raspberry Pi port scan

Assume known and that factory image has an SSH server on port 22.

Find the new Raspberry Pi IP address with

nmap -Pn -p 22 192.168.1.* --open


  • -Pn tells nmap to assume each host is up
  • --open only tell which hosts appear to have this port open

non-nmap: scan IP address range with known open port




Leave a Comment