> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Ping Sweep

> Host discovery techniques: ICMP ping sweep, ARP scan, TCP/UDP discovery, and stealth alternatives.

## ICMP Ping Sweep

### Nmap

```bash theme={"dark"}
nmap -sn 10.10.10.0/24
```

Specific range:

```bash theme={"dark"}
nmap -sn 10.10.10.1-50
```

Disable DNS resolution (faster):

```bash theme={"dark"}
nmap -sn -n 10.10.10.0/24
```

Output alive hosts only:

```bash theme={"dark"}
nmap -sn 10.10.10.0/24 -oG - | grep "Up" | awk '{print $2}'
```

***

### fping

```bash theme={"dark"}
fping -a -g 10.10.10.0/24 2>/dev/null
```

| Flag | Description                    |
| ---- | ------------------------------ |
| `-a` | Show alive hosts only          |
| `-g` | Generate target list from CIDR |

***

### Bash One-liner (No Tools)

```bash theme={"dark"}
for i in $(seq 1 254); do (ping -c 1 -W 1 10.10.10.$i | grep "bytes from" &); done
```

### CMD One-liner

```cmd theme={"dark"}
for /L %i in (1,1,254) do @ping -n 1 -w 200 10.10.10.%i | find "Reply" && echo 10.10.10.%i is alive
```

### PowerShell

```powershell theme={"dark"}
1..254 | % { if (Test-Connection -Count 1 -Quiet -ComputerName "10.10.10.$_" -ErrorAction SilentlyContinue) { "10.10.10.$_" } }
```

Faster (parallel):

```powershell theme={"dark"}
1..254 | ForEach-Object -Parallel {
    if (Test-Connection -Count 1 -Quiet -ComputerName "10.10.10.$_" -ErrorAction SilentlyContinue) {
        "10.10.10.$_"
    }
} -ThrottleLimit 50
```

***

## ARP Scan (Local Network)

More reliable than ICMP — can't be blocked by firewall.

### arp-scan

```bash theme={"dark"}
arp-scan -l
```

Specific interface:

```bash theme={"dark"}
arp-scan -l -I eth0
```

Specific range:

```bash theme={"dark"}
arp-scan 10.10.10.0/24
```

### Nmap ARP

```bash theme={"dark"}
nmap -sn -PR 10.10.10.0/24
```

***

## TCP Discovery (ICMP Blocked)

When ICMP is blocked, use TCP to find live hosts.

### TCP SYN on common ports

```bash theme={"dark"}
nmap -sn -PS22,80,443,445,3389 10.10.10.0/24
```

### TCP ACK

```bash theme={"dark"}
nmap -sn -PA80,443 10.10.10.0/24
```

***

## UDP Discovery

```bash theme={"dark"}
nmap -sn -PU53,161 10.10.10.0/24
```

***

## Netdiscover (Passive + Active)

### Active

```bash theme={"dark"}
netdiscover -r 10.10.10.0/24
```

### Passive (Stealth)

```bash theme={"dark"}
netdiscover -p -i eth0
```

***

## Quick Decision

```
Same subnet?
├─ Yes → arp-scan -l (fastest, can't be blocked)
└─ No
   ├─ ICMP allowed? → nmap -sn (standard ping sweep)
   └─ ICMP blocked? → nmap -sn -PS22,80,443 (TCP discovery)
```
