Hack 26 Quickly Poll Wireless Clients with ping

A quick and dirty method for determining who is on your local subnet.

This is a simple, quick hack, but useful in many circumstances. Suppose you are associated with a wireless network, and are curious about who else is also using the network. You could fire up a network sniffer (like Ethereal [Hack #38] or tcpdump [Hack #37]), or manually scan for associated clients (using nmap [Hack #40]), although that might be construed as antisocial. You're not so much interested in what people are doing, just how many people are online.

It is simple to find clients on your local network using the ubiquitous ping utility. Simply ping the broadcast address of your network, and see who responds.

You can find the broadcast address by running ifconfig like so:

rob@florian:~$ ifconfig eth0 eth0   Link encap:Ethernet HWaddr 00:40:63:C0:AA:4B       inet addr:10.15.6.1 Bcast:10.15.6.255 Mask:255.255.255.0      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1      RX packets:13425489 errors:0 dropped:33 overruns:0 frame:0      TX packets:19603221 errors:1118 dropped:0 overruns:0 carrier:0      collisions:0 txqueuelen:100       RX bytes:3073225705 (2930.8 Mb) TX bytes:1301320438 (1241.0 Mb)      Interrupt:10 Base address:0xe800

There it is, the Bcast address. This is the broadcast address for your local subnet, which every machine is listening to. In Mac OS X and BSD, it is simply listed as the broadcast address:

rob@caligula:~$ ifconfig en1 en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500     inet6 fe80::230:65ff:fe03:e78a%en1 prefixlen 64 scopeid 0x5      inet 10.15.6.49 netmask 0xffffff00 broadcast 10.15.6.255     ether 00:30:65:03:e7:8a      media: autoselect status: active     supported media: autoselect

Most (but not all) machines will respond to a ping sent to this address. But simply running ping won't always leave enough time for the clients to respond between echo requests. Run ping with a long wait time (say, 60 seconds) between requests, and be sure to send at least one ping:

rob@florian:~$ ping -c3 -i60 10.15.6.255 PING 10.15.6.255 (10.15.6.255): 56 octets data 64 octets from 10.15.6.1: icmp_seq=0 ttl=255 time=0.3 ms 64 octets from 10.15.6.72: icmp_seq=0 ttl=64 time=0.4 ms (DUP!) 64 octets from 10.15.6.61: icmp_seq=0 ttl=64 time=0.7 ms (DUP!) 64 octets from 10.15.6.65: icmp_seq=0 ttl=64 time=0.9 ms (DUP!) 64 octets from 10.15.6.64: icmp_seq=0 ttl=64 time=1.7 ms (DUP!) 64 octets from 10.15.6.66: icmp_seq=0 ttl=64 time=2.0 ms (DUP!) 64 octets from 10.15.6.69: icmp_seq=0 ttl=64 time=10.9 ms (DUP!) 64 octets from 10.15.6.68: icmp_seq=0 ttl=64 time=38.0 ms (DUP!) ^C --- 10.15.6.255 ping statistics --- 1 packets transmitted, 1 packets received, +7 duplicates, 0% packet loss round-trip min/avg/max = 0.3/6.9/38.0 ms

After duplicates (those suffixed with DUP!) stop arriving, feel free to hit Control-C to kill the running ping, or wait 60 seconds for another try. This gives you a quick, rough idea of how many machines are connected to the local subnet.

Note that not all machines answer to broadcast ping requests, and some block ICMP traffic (ping's protocol) altogether. Still, in terms of ease, speed, and ubiquity, you can't beat the results of the broadcast ping.

If you are curious about what kinds of wireless cards people are using, you might try looking up their serial numbers online [Hack #27].