Using fping to perform basic network scans

Posted June 17, 2009 at 10:34 pm in Pen Testing

Network scanning has its roots in 1983, when Mike Muuss wrote the original ping tool. Ping tests whether a host is reachable across an IP network using the Internet Control Message Protocol (ICMP): it sends an ICMP echo request to the target, and if the host is reachable and is configured to answer ICMP, it sends back an ICMP echo reply. A network scan builds a picture of the current state of the network by sending particular kinds of traffic and analyzing the responses (and the silences). ICMP itself is a topic for another article; if you're interested, RFC 792 is the place to start.

Why not just use ping to scan a network? Ping sends one echo request and waits for the reply (or a timeout) before moving on. If you are scanning a /24 with 254 possible hosts and many of them never answer, each silent address costs you a full timeout and you could be waiting quite a while. This speed and efficiency problem is what another tool, fping, solves.

fping works on the same principle as ping, sending ICMP echo requests and waiting for ICMP echo replies, but it does not probe hosts one at a time. It sends requests to many targets in a round-robin fashion and collects the replies as they arrive, so the total scan time no longer grows by one timeout per dead host. A host that has not answered within the timeout after the configured number of retries is reported as unreachable; a host that replies is reported as alive and dropped from the list, and the process continues until every target has been settled one way or the other.

To begin using fping we need to install it. I’m going to assume you know how to install packages on your favorite flavor of Linux or BSD platform. You can also download fping from SourceForge. I’ll be using Debian 5.0. Once fping has been installed you can type the following at your console to display fping’s help information:

fping -h

Do not scan a network without prior permission. Many networks, and the people who run them, will treat a scan as a hostile action regardless of how harmless it seems to you, and an ICMP sweep is easy to spot in firewall and IDS logs. Keep this in mind before using this tool.

Let’s start with a very simple scan, our own system:

adam@localhost:~$ fping 192.168.1.1
192.168.1.1 is alive

We can ping ourselves; no surprise there. Let's try a larger chunk of the network, using a file as input instead of typing IP addresses on the command line:

adam@localhost:~$ fping -a < ip_table.txt
192.168.1.1 is alive
192.168.1.3 is alive

The file “ip_table.txt” simply contains the IP addresses 192.168.1.0 through 192.168.1.10, one per line. In the example above I redirected the file to fping's standard input, which is what fping reads when it is given no targets on the command line. If you are logged in as root you can use the -f flag instead (the fping shipped with Debian 5.0 restricts -f to root; newer fping releases do not):

fping -f ip_table.txt

Now we’ll try a more complex command:

adam@localhost:~$ fping -a -d < ip_table.txt
localhost.local
192.168.1.1

The -d flag asks fping to resolve each IP address to a host name, and -a shows only hosts that are alive (without -a you also get an “is unreachable” line for every address that stayed silent). Again the address list came in on standard input. If you would rather specify a range on the command line, say all 254 possible hosts of 192.168.1.0/24, use the -g flag and fping will generate the target list itself:

adam@localhost:~$ fping -g 192.168.1.0/24

fping has quite a few more options, among them -r to set the retry count, -t to set the per-probe timeout in milliseconds, -u to list only unreachable hosts, -q to suppress the per-probe output, and -s to print summary statistics at the end. The fping man page is the place to learn about them.

If you want to quickly find the reachable hosts on a network, fping gives you that capability with almost no effort. It is a simple tool you can leave running while you work on other things if the target network is large, and it finishes long before ping would. It is also worth learning because its output, one “<target> is alive” or “<target> is unreachable” line per host, is easy to parse, so fping slots neatly into your own scripts. Its main drawback is that network perimeters often block ICMP echo into the internal network, and individual hosts can be configured to ignore echo requests, so “unreachable” only means the host did not answer ICMP, not that nothing is there. That gap is filled by nmap, which can probe with TCP and UDP as well as ICMP, and which we'll look at another day. Happy scanning!
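To show how fping slots into a script, here is an added example in POSIX shell. It is my own code, not part of the original post; it assumes the target list file ip_table.txt from the post and a hypothetical script name fping_parse.sh, and the fping output embedded in it is constructed demo data, not captured from a real scan.

```shell
#!/bin/sh
# Added example, not code from the original post: drive fping from a script
# and parse its output. fping's normal output is one line per target,
#   192.168.1.1 is alive
#   192.168.1.2 is unreachable
# occasionally interleaved with ICMP error lines such as
#   ICMP Host Unreachable from 192.168.1.5 for ICMP Echo sent to 192.168.1.4
# so a robust parser keys on the literal "is alive" / "is unreachable"
# rather than treating every line as a target.

# parse_fping: read fping output on stdin and print the targets that are in
# the requested state ("alive" or "unreachable"), one per line.
# Works unchanged on -d output (host names instead of addresses) and on
# -e output ("... is alive (0.45 ms)"), since fields 2 and 3 are the same.
parse_fping() {
    awk -v want="$1" '$2 == "is" && $3 == want { print $1 }'
}

# scan_targets: run a real scan against the addresses listed in a file,
# one per line, the way the post does (fping reads stdin when it is given
# no targets). -r 2 retries each silent host twice and -t 500 waits 500 ms
# per probe; stderr is discarded so ICMP error chatter does not reach the
# parser. Requires fping and network access, so it is not run by default.
scan_targets() {
    fping -r 2 -t 500 < "$1" 2>/dev/null
}

# Constructed sample of fping output (fabricated demo data, not a real
# scan) so the parser can be exercised offline.
SAMPLE_OUTPUT='192.168.1.1 is alive
192.168.1.2 is unreachable
192.168.1.3 is alive
ICMP Host Unreachable from 192.168.1.5 for ICMP Echo sent to 192.168.1.4
192.168.1.4 is unreachable'

alive_from_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | parse_fping alive
}

unreachable_from_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | parse_fping unreachable
}

count_alive_in_sample() {
    alive_from_sample | wc -l | tr -d ' '
}

# Usage: sh fping_parse.sh ip_table.txt   -> prints the alive hosts from a
# live scan. With no argument only the functions are defined, so the
# offline sample can be inspected with alive_from_sample and friends.
if [ "$#" -gt 0 ]; then
    scan_targets "$1" | parse_fping alive
fi
```

The parser deliberately ignores anything that is not a “<target> is <state>” line, which is what makes it safe to feed the alive list straight into another tool (for instance as an nmap target file) without an ICMP error message sneaking in as a bogus host.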

