Ubuntu – List all MAC addresses and their associated IP addresses in the local network (LAN)


How can I list all MAC addresses and their associated IP addresses of the machines connected to my local network (LAN)?

Best Answer

You can use the Nmap utility for this. Nmap is a free network scanner utility.

Try just:

sudo nmap -sn

Please substitute your network identifier and subnet mask.

How to find a network ID and subnet mask

Use command ip a:

bash~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
    inet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether c4:85:08:94:ee:9a brd ff:ff:ff:ff:ff:ff
    inet brd scope global wlan0
    inet6 fe80::c685:8ff:fe94:ee9a/64 scope link valid_lft forever preferred_lft forever

Here at point 2, I have the wlan0 device. It says inet brd scope global wlan0, IP address:, subnet mask: 24. Network ID is, just substitute the last number by 0.

Or as man nmap says:

sudo nmap -sn

Here is a little quote from the man page, nmap(1):

-sn (No port scan)

This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run.

This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention.

Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP address and host name.

Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.

The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default.

When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target.

When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless --send-ip was specified. The -sn option can be combined with any of the discovery probe types (the -P* options, excluding -Pn) for greater flexibility.

If any of those probe type and port number options are used, the default probes are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses.

In previous releases of Nmap, -sn was known as -sP.

Related Question