I’ve often seen discussions of ‘how to find devices in the network using pings’. A ping sweep is easiest, but some people claim that a simple ping to the subnet broadcast address will make all devices respond. I decided to test this out for myself and see what happened.

I created a subnet with as many different devices as I could get my hand on at the time. The devices were the following:
– Windows 7 physical machine
– Windows XP physical machine
– Windows Server 2008 R2 virtual machine
– Fedora 15 virtual machine
– Vyatta 6.1 virtual machine
– Cisco 2611 router
– Cisco VG200 Voice Gateway
– Two Cisco 3560 Layer 3 switches
– A Linksys router with DD-WRT firmware
– The ISP-provided gateway: a Motorola with NAT
– Cisco 7912 IP Phone
– And finally, one iPod, for a total of 12 devices having an IP address.

I ran Wireshark on the physical machines (Windows 7 and Windows XP) from which I was going to originate the pings. I also did pings from some of the Cisco devices. Contrary to Windows, IOS will list all replies received when sending to a broadcast address. All devices received an IP address in the 192.168.0.0/24 range, the pings were done to 192.168.0.255.

I did several tests and also changed IP addresses several times between tests to ensure ARPs were sent around the network, which made it easier to follow the captures on Wireshark. The results showed a clear separation between network devices and end devices: the Cisco gear (with the exception of the IP Phone) would respond to broadcast pings, as well as the DD-WRT. All other devices wouldn’t respond to broadcast pings. The Vyatta and the ISP gateway are also network devices, but I have no control over the gateway, and the Vyatta is actually nothing more than a stripped-down Linux and thus may react as an end device in this regard. To be sure I didn’t make a mistake, I did unicast pings after this to the addresses that didn’t respond, and they all reacted fine. No firewall issues here.

There’s still a difference between a ping sweep and a broadcast ping, even if just done towards network devices: a ping sweep will trigger ARP requests for each address, to which devices will respond if they have the address, whether ICMP pings are blocked or not. So after a ping sweep, just doing ‘arp -a’ in the Windows command line reveals all managed network devices.

That answers one question, but what about IPv6? Are things different there? A ping sweep is nearly impossible. A common /64 subnet is 1.8×10^19 addresses, with EUI-64 (see a perfect explanation about EUI-64 on Packetlife.net) you can exclude some addresses, leaving ‘just’ 2.8×10^14 possible combinations. Multicast pings would be the only feasible option to scan a subnet. Note that I say multicast, as IPv6 has no concept of broadcast. Since most of my devices do not have IPv6 support for the moment (I’m planning on upgrading them in the future), I’m left with the Vyatta, Windows 7, Windows Server, and Fedora for this test. But the test results are similar to IPv4: a ping to FF02::1 (‘all nodes’ multicast) does not give a single reply, but a ping to FF02::2 (‘all routers’ multicast) gives a reply from the Vyatta, which is indeed configured for IPv6 routing. So with limited testing I can conclude for now that it’s also just network devices that respond to ping in IPv6.

To return to the original claim that a broadcast ping will reveal all devices in a given subnet: the conclusion is that this only goes for network devices, and not for end devices. It’s probably not an effective way to quickly map a subnet in everyday life.

Advertisements