MikroTik RouterOS Docs

IP Scan

Scan your local network:

/tool ip-scan address-range=192.168.88.0/24

Listen for devices on an interface:

/tool ip-scan interface=bridge1

Scan with time limit:

/tool ip-scan address-range=192.168.88.0/24 duration=30s

Press q or Ctrl+C to stop the scan.

The IP Scan tool discovers devices on your network by actively probing an IP address range or passively listening to traffic on an interface. It collects device information including IP addresses, MAC addresses, response times, and identification data from DNS, SNMP, and NetBIOS.

Use IP Scan when you need to inventory devices on a network segment, find devices with unknown IP addresses, identify rogue devices, or troubleshoot connectivity by confirming which hosts are online.

IP Scan operates in two modes:

  1. Active Scanning (Address Range): Sends probe packets to each IP in the specified range and listens for responses. This method actively queries the network.

  2. Passive Listening (Interface): Monitors packets passing through an interface and compiles information about observed devices. This method does not generate additional traffic.

Note: Using both methods simultaneously may produce inconclusive results. Choose one method based on your needs.

/tool ip-scan address-range=192.168.88.1-192.168.88.254

Example Output:

ADDRESS         MAC-ADDRESS        TIME  DNS-NAME    SNMP
192.168.88.1    E4:8D:8C:12:34:56  1ms   router.lan  MikroTik
192.168.88.10   DC:A6:32:AB:CD:EF  2ms   nas.lan
192.168.88.25   00:11:22:33:44:55  1ms               HP LaserJet
192.168.88.100  B8:27:EB:11:22:33  3ms   pi.lan
192.168.88.150  F0:18:98:AA:BB:CC  2ms   laptop.lan

Output columns:

  • ADDRESS - Discovered IP address
  • MAC-ADDRESS - Device MAC address (if on same broadcast domain)
  • TIME - Response time in milliseconds
  • DNS-NAME - Hostname from reverse DNS lookup
  • SNMP - SNMP system name (if device responds to SNMP)

Listen for devices on a specific interface:

/tool ip-scan interface=ether2

This passively monitors traffic on the interface and reports devices it observes.

/tool ip-scan address-range=10.0.0.0/24

This scans all 254 usable addresses in the subnet.

Run the scan for a specific duration:

/tool ip-scan address-range=192.168.1.0/24 duration=30s

Parameter      Default    Description
address-range  -          IP range to scan (required if interface not set)
interface      -          Interface to listen on for passive discovery
duration       unlimited  How long to run the scan

Scan your LAN to see all active devices:

/tool ip-scan address-range=192.168.88.0/24

Press q or Ctrl+C to stop the scan when complete.

Scan a limited range to find a specific device:

/tool ip-scan address-range=10.0.0.100-10.0.0.150

Passively observe devices on a guest VLAN interface:

/tool ip-scan interface=vlan-guest

Scan a subnet accessible through routing (MAC addresses won’t be visible):

/tool ip-scan address-range=172.16.0.0/24

Note: MAC addresses are only visible for devices on the same Layer 2 segment. Routed devices will show only IP address, response time, and identification data.

192.168.88.50 AA:BB:CC:DD:EE:FF 1ms printer.lan

Device is on the same broadcast domain as the scanning interface. Full Layer 2 visibility.

10.20.30.40 5ms server.remote

Device is on a different subnet (routed path). Only Layer 3 information available.

192.168.88.99 11:22:33:44:55:66 workstation

Device discovered through passive listening or ARP, but did not respond to active probes. May have ICMP blocked.

192.168.88.1 E4:8D:8C:12:34:56 1ms MikroTik

Device responded to SNMP queries. This is the SNMP system name, often the device hostname or model.

IP Scan runs interactively and doesn’t directly support file export. To capture results, use the following approach:

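# Collect the address of each scan result into one string
:local output ""
:foreach i in=[/tool ip-scan address-range=192.168.88.0/24 duration=10s as-value] do={
    # Append this entry's IP address followed by a newline
    :set output ($output . ($i->"address") . "\n")
}
# Write the collected addresses to the router log
:log info $output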

Note: Scripting support for IP Scan is limited. For automated inventory tasks, consider using ARP table exports or DHCP leases instead.

For a quick inventory of devices the router has communicated with:

/ip arp print

For devices that obtained addresses via DHCP:

/ip dhcp-server lease print

/tool ip-scan address-range=192.168.88.1-192.168.88.10

Expected: Devices that are online appear with response times.

/tool ip-scan address-range=192.168.88.50-192.168.88.50

Expected: Single device result with MAC address (if on same L2 segment).

/tool ip-scan address-range=10.0.0.0/24

Expected: Devices with SNMP enabled show their system name in the SNMP column.


Causes:

  • Wrong address range specified
  • Devices blocking ICMP/ping
  • Network not reachable from router
  • Firewall blocking probe traffic

Solution:

  1. Verify the address range matches your network
  2. Check that you can ping at least one known device
  3. Verify routing to the target network exists
  4. Try using interface mode for passive discovery

Cause: Target devices are on a different subnet (routed, not bridged).

Solution: This is expected behavior. MAC addresses are only visible for devices on the same Layer 2 segment. The router only sees its next-hop MAC for routed traffic.

Causes:

  • Device doesn’t have SNMP enabled
  • SNMP community string mismatch
  • Device firewall blocking SNMP (UDP 161)

Solution: SNMP name detection requires the device to respond to SNMP queries. Not all devices support or enable SNMP by default.

Cause: Large address range with many non-responsive addresses.

Solution:

  1. Narrow the address range
  2. Use the duration parameter to limit scan time
  3. Scan smaller subnets sequentially

Cause: Using both address-range and interface simultaneously.

Solution: Use one method at a time. For active discovery, use address-range. For passive monitoring, use interface.

Wrong expectation: “I scanned 172.16.0.0/24 but no MAC addresses appear”

Right understanding: MAC addresses are Layer 2. The router only sees the MAC of its gateway for routed destinations, not the end devices.

Wrong:

/tool ip-scan address-range=10.0.0.0/8 # 16 million addresses!

Right:

/tool ip-scan address-range=10.0.0.0/24 # 254 addresses

Scan subnets individually rather than large blocks.

Wrong expectation: “IP Scan will identify all my devices by name”

Right understanding: SNMP names only appear for devices that have SNMP enabled and respond to queries. Many consumer devices don’t support SNMP.

Wrong: Using IP Scan as the sole method to find rogue devices.

Right: IP Scan is a helpful tool but not comprehensive. Combine with:

  • DHCP lease monitoring
  • ARP table inspection
  • Bridge host table (/interface bridge host print)
  • 802.1X port security
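The row interpretation rules and the rogue-device advice above can be combined in an off-router check. The following is an added example, not part of the MikroTik documentation: it parses copied IP Scan rows, labels each by visibility, and compares MACs with an inventory. The function names, labels, sample rows and inventory are constructed for illustration.

```python
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
TIME_RE = re.compile(r"^\d+ms$")

def parse_row(line):
    """Split one result row; MAC and TIME are optional, the rest is DNS/SNMP text."""
    tokens = line.split()
    if not tokens or not IP_RE.match(tokens[0]):
        return None  # header, blank line or prompt text
    row = {"address": tokens[0], "mac": None, "time_ms": None}
    rest = tokens[1:]
    if rest and MAC_RE.match(rest[0]):
        row["mac"] = rest.pop(0).upper()
    if rest and TIME_RE.match(rest[0]):
        row["time_ms"] = int(rest.pop(0)[:-2])
    row["ident"] = " ".join(rest)
    return row

def visibility(row):
    """Label a row using the interpretation rules described on this page."""
    if row["mac"]:
        # MAC seen: same L2 segment; no time means no reply to active probes
        return "same-l2" if row["time_ms"] is not None else "no-probe-reply"
    return "routed"  # no MAC: the device is beyond the router's L2 segment

def review(scan_text, known_macs):
    """Return (address, visibility, verdict) for every parsed row."""
    known = {m.upper() for m in known_macs}
    findings = []
    for line in scan_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        if row["mac"] is None:
            verdict = "unverifiable"  # routed host: no end-device MAC to compare
        elif row["mac"] in known:
            verdict = "known"
        else:
            verdict = "unknown-mac"
        findings.append((row["address"], visibility(row), verdict))
    return findings

# Constructed sample rows (modelled on this page's examples) and inventory
SAMPLE = """ADDRESS MAC-ADDRESS TIME DNS-NAME SNMP
192.168.88.1 E4:8D:8C:12:34:56 1ms router.lan MikroTik
10.20.30.40 5ms server.remote
192.168.88.99 11:22:33:44:55:66 workstation
"""
KNOWN = ["e4:8d:8c:12:34:56"]
```

A "known" verdict is only an inventory match, since a MAC address can be changed by the device owner; the DHCP, ARP, bridge host and 802.1X checks listed above still apply.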

Wrong:

/tool ip-scan address-range=192.168.88.0/24 interface=bridge1

Right: Choose one mode:

# Active scanning
/tool ip-scan address-range=192.168.88.0/24
# OR passive listening
/tool ip-scan interface=bridge1

Need                     Recommended Tool
Quick connectivity test  /ping
See known devices (L2)   /interface bridge host print
Check ARP entries        /ip arp print
View DHCP clients        /ip dhcp-server lease print
Port scanning            Use external tools (nmap)
Continuous monitoring    /tool netwatch
Bandwidth testing        /tool bandwidth-test

  • Ping (/ping) - Test connectivity to specific hosts
  • Neighbor Discovery (/ip neighbor print) - Discover MikroTik and LLDP/CDP devices
  • ARP (/ip arp print) - View known IP-to-MAC mappings
  • DHCP Leases (/ip dhcp-server lease print) - View DHCP client assignments
  • Bridge Hosts (/interface bridge host print) - View MAC address table
  • Torch (/tool torch) - Real-time traffic analysis
  • Torch - real-time traffic analysis
  • Netwatch - continuous host monitoring