SecurityTrails Blog · LAST UPDATED ON Oct 29 2021 · by Esteban Borges

Most Popular IP Scanner Tools for Network Mapping

Reading time: 12 minutes

IP scanning, or IP mapping, is one of the oldest and most traditional tasks performed by people in all types of IT roles, from system administrators and network engineers to security researchers. When you're working with a company with a large number of connected networks, managing all that IP address allocation could be somewhat tricky.

That's why having a clear map of your IP address space enables you to identify your network parts quickly, and at the same time helps you manage the whole network in a more efficient way.

For security researchers, it's the starting point of identifying potential vulnerable sub-networks and IP addresses, for performing deep reconnaissance tasks such as OS and service scanning, vulnerability scanning, and more.

That's why today we'll show you the top 10 IP scanner tools for better network management and IP address discovery-mapping.

Easily perform full IP discovery and mapping Reveal the entire attack surface area of your company, including its IP address space

Best IP Scanner Tools

Let's take a look at the top IP scanner tools used by system administrators, network engineers and penetration testers.

1. Nmap IP Scanner

We can't put any other tool in the number 1 spot. Nmap has been and will probably remain our favorite hacking tool for infosec research tasks, and that includes IP scanning as well.

We've written about Nmap before, back when we explored the best port scanners and showed how easy it is to scan any host when you're seeking critical information such as open ports, OS version, and other pertinent details.

What many people don't realize is that Nmap is the perfect tool for a network IP audit. So let's use some Nmap commands and begin the process of discovering all the servers behind the network.

Here, we're going to skip all port scans, using an option called "skip port scan":

nmap -sP

This is the expected output:

[root@research ~]# nmap -sP
Starting Nmap 7.70 ( ) at 2019-08-19 14:18 -03
Nmap scan report for (
Host is up (0.0070s latency).
MAC Address: 8C:E1:17:D9:75:04 (zte)
Nmap scan report for brw707781769aef (
Host is up (0.11s latency).
MAC Address: 70:77:81:76:9A:EF (Hon Hai Precision Ind.)
Nmap scan report for (
Host is up (0.17s latency).
MAC Address: 02:0F:B5:22:90:9C (Unknown)
Nmap scan report for (
Host is up (0.081s latency).
MAC Address: 02:0F:B5:1C:48:C6 (Unknown)
Nmap scan report for research (
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 8.50 seconds
[root@research ~]#

As you can see, no port scanning has taken place—instead we used Nmap to ping hosts and get a response from each one of them. This type of IP scanner feature is also called "ping sweep" or "ping scan".

Performing this same scan on an Internet-connected server can yield a lot of interesting results.

[[email protected]:~]nmap -sP
Starting Nmap 6.40 ( ) at 2019-08-19 13:24 EDT
Nmap scan report for (
Host is up (0.00083s latency).
Nmap scan report for (
Host is up (0.00034s latency).
Nmap scan report for (
Host is up (0.00026s latency).
Nmap done: 256 IP addresses (48 hosts up) scanned in 10.28 seconds
[[email protected]:~]

Nmap can be installed in CentOS/RHEL and other Red Hat-based distros by using:

yum install nmap

If you're using Ubuntu/Debian, then this should do the trick:

apt-get install nmap

If you wanna learn more about Nmap, start exploring our Nmap Cheat Sheet to find plenty of examples and other Nmap techniques.

2. ARP Scan

The ARP Scan Tool is another great resource for creating a full IP address map of any network. Arp-scan is quite useful for discovering all hosts within a specific network, even those that are protected behind firewalls.

Installing this tool in Red Hat-based systems merely requires you to run:

yum install arp-scan

Same for Debian/Ubuntu-based distros:

apt-get install arp-scan

To perform an IP scan with this IP scanner tool, you'll need to run the following command:


This is the expected output:

[[email protected] ~]# arp-scan
Interface: wlp2s0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts ( 8c:e1:17:d9:75:04 (Unknown) 70:77:81:76:9a:ef Hon Hai Precision Ind. Co.,Ltd. f4:f5:d8:4e:26:8c Google, Inc. 02:0f:b5:95:4e:20 (Unknown)
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 1.890 seconds (135.45 hosts/sec). 4 responded
[[email protected] ~]#

If you're working with a wireless network, you can also specify the type of network to scan by using:

arp-scan --interface=wlan0

This will let arp-scan scan the interface wlan0; you can replace that with your real interface name. Here's a quick example:

[[email protected] ~]# arp-scan -interface=wlp2s0 -localnet
Interface: wlp2s0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts ( 8c:e1:17:d9:75:04 (Unknown) 70:77:81:76:9a:ef Hon Hai Precision Ind. Co.,Ltd. f4:f5:d8:4e:26:8c Google, Inc. 02:0f:b5:95:4e:20 (Unknown) 02:0f:b5:22:90:9c (Unknown)
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 1.902 seconds (134.60 hosts/sec). 5 responded
[[email protected] ~]#

3. Angry IP Scanner

Angry IP Scanner is one of the most popular IP address scanner tools available. It isn't command line-based, but GUI-based instead, letting you scan your network from a fancy visual interface. You'll be able to scan IP addresses to detect live hosts, and at the same time gather critical information about each one of them.

The only requirement to make it work in Linux is having Java installed, which is easy in most distributions.

Installation on Linux can be performed easily by using pre-compiled packages on most distributions. To install this tool, simply install Java and the RPM or Deb package, as follows:


yum install jre -y
rpm -i ipscan-3.6.0-1.x86_64.rpm


apt-get install gdebi
gdebi ipscan_3.6.0_i386.deb

Once you've launch it from your desktop, you'll see an easy-to-use interface that will allow you to scan IP ranges quickly, as shown here:.

Angry IP Scanner

4. Advanced IP Scanner

Advanced IP Scanner lets you scan your LAN and Wi-Fi network and give you real time information about all the connected devices. Apart from finding live hosts, it will also provide port scanning information, letting you build a complete IP address map of your entire network infrastructure.

Advanced IP Scanner features include:

  • Easy-to-use interface
  • Mac address detection
  • Fast network scanning speed
  • Can be run over remote desktop
  • Exports results into CSV format
  • Multi-platform support (Windows, Mac OSX and Linux)

Scanning an IP range is pretty easy: just launch the program, specify the range you want to scan and hit the Scan button. It will show you how many live hosts are found, as well as IP address, device description and assigned Mac address, as you see below:

Advanced IP Scanner

5. ARP command

Arp command is one of the most useful networking commands every network engineer, sysadmin and pentester should know about. Surprisingly, not all professionals are aware of this simple yet powerful command.

That's why it's nabbed the fifth spot in our list of the top IP scanner tools. ARP stands for Address Resolution Protocol, and is used to display or modify the kernel IPv4 network neighbor cache.

How does it work? Simple, just pass -a option to display the full list of all known IP addresses found in your local network. You'll also be able to detect the exact ethernet device associated with all the IP addresses.

ARP Command

This test was run in a real cloud server and it's super easy to find the IP neighbors from your own network. Here, a little blur-effect has been applied to hide the real hosts and IPs, but this is pretty enough to show you the hidden power behind the arp command as IP scanner tool.

6. Hping

Hping is another great alternative to the classic ping command. While some might consider it outdated, it’s still widely supported on most Linux, macOS, and Windows operating systems and remains an interesting network IP scanner tool, since its approach is quite different from that of the classic ping command. Instead of merely using ICMP echo requests, it also sends RAW-IP, UDP, and TCP packets, making network investigation a bit more solid with the many different techniques you can use against your target. And apart from its network reconnaissance features, you can use it to test firewall rules, scan for open ports, and even send files over the network.

Installing hping on CentOS/RHEL based distros:

dnf install hping3 -y

For Debian/Ubuntu-based distros run:

apt-get install hping3

In order to use hping as an IP mapping tool, we will scan a range of IP addresses. For this, you must use the "x" character, as you see below:

hping3 -1 192.168.1.x --rand-dest -I eth0

7. Fping

Fping is a popular IP scanner tool, but for more than "scanning," this IP mapping tool was created to improve the old-fashioned ping command (although it's somehow different). Fping utilizes ICMP echo requests to check if a remote host is live or not. Unlike the classic ping command, fping can be run against a large number of hosts and IP ranges. And that's why so many system administrators and network engineers have chosen it as the perfect tool to quickly check how many hosts are live within a specified network.

You can pass several IP addresses or ranges, or make fping parse a text file and launch the ICMP echo request against each one of the listed IP addresses, or IP-range, as well as subnets.

Installation of fping on CentOS/RHEL distros:

yum install fping -y

For Debian/Ubuntu-based distros simply run:

apt-get install fping

How can you use it? Easy, just type:

fping -s -g

That's against an entire IP range; you can also specify a single IP instead.

At the end, it will display several useful stats about the results:

251 targets
6 alive
245 unreachable
0 unknown addresses
245 timeouts (waiting for response)
987 ICMP Echos sent
6 ICMP Echo Replies received
980 other ICMP received
0.10 ms (min round trip time)
80.4 ms (avg round trip time)
185 ms (max round trip time)
11.730 sec (elapsed real time)
[[email protected] ~]#

8. SecurityTrails IP Scanner

Classic command line tools are great, as well as others that include visual interfaces, but they often come with disadvantages when you're using them to scan remote networks. There's actually a better way to do it, without the risk of getting blocked by firewalls or IDS.

Our SecurityTrails products involve IP exploration as the #1 basic feature, when you need to know the IP address of any domain name, when analyzing the open ports of an IP address, or when you need to get the associated domains or IP neighbors of any IP address.

That's why it's easy for us to show you all the information you need for a specific IP address. Let's take a look:

SecurityTrails IP Scanner

You can also explore IP neighbors by clicking the 'IP Neighbors to' button. This option will display all the IP neighbors for the specified IP address, as shown in this screenshot:

SecurityTrails IP Scanner IP Neighbors

Our free app and manual IP lookups will help you get IP scan results in seconds; however, when you need to automate the entire process, you'll need the power of our SecurityTrails API.

Performing an IP scan with the SecurityTrails API

If you're a developer or you're working with a team of developers in your organization, you can take advantage of our IP scanning features and integrate this into your own applications.

For this goal, we offer the X endpoint, which will allow you to retrieve IP information within seconds by querying our intelligent API. This can be done with a simple request against our HTTP-based query system, using any client—such as curl, for example:

curl --request GET \
--url ''

Just replace "your_api_key" with your real API key.

You can also integrate this with many popular programming languages like Python, Javascript, NodeJS, Go, PHP, etc. Here's an example with Python:

import requests
url = ""
querystring = {"apikey":"your_api_key"}
response = requests.request("GET", url, params=querystring)

SurfaceBrowser Total IP Blocks

If you want to take another step forward with access to the full IP blocks of any company, SurfaceBrowser™ is the perfect tool for your IP scanner tasks.

Let's see how you can get the full IP address space of any organization within seconds.

[video /]

As shown, you'll get the total IP blocks for in a single place. This includes a few summaries that reveal information ordered by the regional registrar.

In this case, the RR includes records from: ARIN (105), AT&T Bell Laboratories (50), RIPE NCC (35), PSINet (25), APNIC (18), AFRINIC (2).

You'll also be able to get the full IP stats by IP subnet size, as well as the full information for each IP block, including IP count, unique user agents, RIR, hostnames and number of associated domains.

SurfaceBrowser Total IP Blocks

Once you've finished locating all the IP blocks you need, you can explore any of the blocks by clicking the IP and its subnet, where you'll find details such as IP count, bitmask, base IP, broadcast IP, mask, host mask, service provider like ASN, organization and company behind this network.

SurfaceBrowser Total IP Blocks Explore


Clearly, there are a lot of IP scanner tools from which you can choose. Managing a large IP space can be quite complex if you're not relying on any of them.

If you're part of the infosec community, an IP scanner toolkit could be your best asset for automating your OSINT and intel-reconnaissance tasks.

Take safety and security to the next level: automate all your IP address exploration by using our powerful API. Sign up today for a free API account or book a demo with our sales team to test SurfaceBrowser™, our enterprise-grade product that will reveal the entire attack surface area of your company, including all of its IP address space.

Esteban Borges Blog Author

Esteban is a seasoned cybersecurity specialist, and marketing manager with nearly 20 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.

Subscribe to the SecurityTrails newsletter
Sign up for our newsletter today!

Get the best cybersec research, news, tools,
and interviews with industry leaders