Wireless Hacks

Hack 26 Quickly Poll Wireless Clients with ping

A quick and dirty method for determining who is on your local subnet.

This is a simple, quick hack, but useful in many circumstances. Suppose you are associated with a wireless network, and are curious about who else is also using the network. You could fire up a network sniffer (like Ethereal [Hack #38] or tcpdump [Hack #37]), or manually scan for associated clients (using nmap [Hack #40]), although that might be construed as antisocial. You're not so much interested in what people are doing, just how many people are online.

It is simple to find clients on your local network using the ubiquitous ping utility. Simply ping the broadcast address of your network, and see who responds.

You can find the broadcast address by running ifconfig like so:

rob@florian:~$ ifconfig eth0
eth0   Link encap:Ethernet HWaddr 00:40:63:C0:AA:4B 
     inet addr:10.15.6.1 Bcast:10.15.6.255 Mask:255.255.255.0
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:13425489 errors:0 dropped:33 overruns:0 frame:0
     TX packets:19603221 errors:1118 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100 
     RX bytes:3073225705 (2930.8 Mb) TX bytes:1301320438 (1241.0 Mb)
     Interrupt:10 Base address:0xe800

There it is, the Bcast address. This is the broadcast address for your local subnet, which every machine is listening to. In Mac OS X and BSD, it is simply listed as the broadcast address:

rob@caligula:~$ ifconfig en1
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::230:65ff:fe03:e78a%en1 prefixlen 64 scopeid 0x5 
    inet 10.15.6.49 netmask 0xffffff00 broadcast 10.15.6.255
    ether 00:30:65:03:e7:8a 
    media: autoselect status: active
    supported media: autoselect

Most (but not all) machines will respond to a ping sent to this address. But simply running ping won't always leave enough time for the clients to respond between echo requests. Run ping with a long wait time (say, 60 seconds) between requests, and be sure to send at least one ping:

rob@florian:~$ ping -c3 -i60 10.15.6.255
PING 10.15.6.255 (10.15.6.255): 56 octets data
64 octets from 10.15.6.1: icmp_seq=0 ttl=255 time=0.3 ms
64 octets from 10.15.6.72: icmp_seq=0 ttl=64 time=0.4 ms (DUP!)
64 octets from 10.15.6.61: icmp_seq=0 ttl=64 time=0.7 ms (DUP!)
64 octets from 10.15.6.65: icmp_seq=0 ttl=64 time=0.9 ms (DUP!)
64 octets from 10.15.6.64: icmp_seq=0 ttl=64 time=1.7 ms (DUP!)
64 octets from 10.15.6.66: icmp_seq=0 ttl=64 time=2.0 ms (DUP!)
64 octets from 10.15.6.69: icmp_seq=0 ttl=64 time=10.9 ms (DUP!)
64 octets from 10.15.6.68: icmp_seq=0 ttl=64 time=38.0 ms (DUP!)
^C
--- 10.15.6.255 ping statistics ---
1 packets transmitted, 1 packets received, +7 duplicates, 0% packet loss
round-trip min/avg/max = 0.3/6.9/38.0 ms

After duplicates (those suffixed with DUP!) stop arriving, feel free to hit Control-C to kill the running ping, or wait 60 seconds for another try. This gives you a quick, rough idea of how many machines are connected to the local subnet.

Note that not all machines answer to broadcast ping requests, and some block ICMP traffic (ping's protocol) altogether. Still, in terms of ease, speed, and ubiquity, you can't beat the results of the broadcast ping.

If you are curious about what kinds of wireless cards people are using, you might try looking up their serial numbers online [Hack #27].