Skip to content
MikroTik RouterOS Docs

IP Scan

IP Scan

Section titled “IP Scan”

TL;DR (Quick Start)

Section titled “TL;DR (Quick Start)”

Scan your local network:

/tool ip-scan address-range=192.168.88.0/24

Listen for devices on an interface:

/tool ip-scan interface=bridge1

Scan with time limit:

/tool ip-scan address-range=192.168.88.0/24 duration=30s

Press q or Ctrl+C to stop the scan.

Overview

Section titled “Overview”

The IP Scan tool discovers devices on your network by actively probing an IP address range or passively listening to traffic on an interface. It collects device information including IP addresses, MAC addresses, response times, and identification data from DNS, SNMP, and NetBIOS.

Use IP Scan when you need to inventory devices on a network segment, find devices with unknown IP addresses, identify rogue devices, or troubleshoot connectivity by confirming which hosts are online.

How IP Scan Works

Section titled “How IP Scan Works”

IP Scan operates in two modes:

  1. Active Scanning (Address Range): Sends probe packets to each IP in the specified range and listens for responses. This method actively queries the network.

  2. Passive Listening (Interface): Monitors packets passing through an interface and compiles information about observed devices. This method does not generate additional traffic.

Note: Using both methods simultaneously may produce inconclusive results. Choose one method based on your needs.

Basic Usage

Section titled “Basic Usage”

Scan a Network Range

Section titled “Scan a Network Range”
/tool ip-scan address-range=192.168.88.1-192.168.88.254

Example Output:

ADDRESS          MAC-ADDRESS       TIME    DNS-NAME        SNMP
192.168.88.1     E4:8D:8C:12:34:56 1ms     router.lan      MikroTik
192.168.88.10    DC:A6:32:AB:CD:EF 2ms     nas.lan
192.168.88.25    00:11:22:33:44:55 1ms                     HP LaserJet
192.168.88.100   B8:27:EB:11:22:33 3ms     pi.lan
192.168.88.150   F0:18:98:AA:BB:CC 2ms     laptop.lan

Output columns:

  • ADDRESS - Discovered IP address
  • MAC-ADDRESS - Device MAC address (if on same broadcast domain)
  • TIME - Response time in milliseconds
  • DNS-NAME - Hostname from reverse DNS lookup
  • SNMP - SNMP system name (if device responds to SNMP)

Scan Using Interface

Section titled “Scan Using Interface”

Listen for devices on a specific interface:

/tool ip-scan interface=ether2

This passively monitors traffic on the interface and reports devices it observes.

Scan a Subnet with CIDR Notation

Section titled “Scan a Subnet with CIDR Notation”
/tool ip-scan address-range=10.0.0.0/24

This scans all 254 usable addresses in the subnet.

Scan with Duration Limit

Section titled “Scan with Duration Limit”

Run the scan for a specific duration:

/tool ip-scan address-range=192.168.1.0/24 duration=30s

Common Parameters

Section titled “Common Parameters”
ParameterDefaultDescription
address-range-IP range to scan (required if interface not set)
interface-Interface to listen on for passive discovery
durationunlimitedHow long to run the scan

Practical Examples

Section titled “Practical Examples”

Example 1: Quick Network Inventory

Section titled “Example 1: Quick Network Inventory”

Scan your LAN to see all active devices:

/tool ip-scan address-range=192.168.88.0/24

Press q or Ctrl+C to stop the scan when complete.

Example 2: Find Devices in a Specific Range

Section titled “Example 2: Find Devices in a Specific Range”

Scan a limited range to find a specific device:

/tool ip-scan address-range=10.0.0.100-10.0.0.150

Example 3: Monitor Guest Network

Section titled “Example 3: Monitor Guest Network”

Passively observe devices on a guest VLAN interface:

/tool ip-scan interface=vlan-guest

Example 4: Discover Devices on Remote Subnet

Section titled “Example 4: Discover Devices on Remote Subnet”

Scan a subnet accessible through routing (MAC addresses won’t be visible):

/tool ip-scan address-range=172.16.0.0/24

Note: MAC addresses are only visible for devices on the same Layer 2 segment. Routed devices will show only IP address, response time, and identification data.

Understanding the Results

Section titled “Understanding the Results”

MAC Address Present

Section titled “MAC Address Present”
192.168.88.50    AA:BB:CC:DD:EE:FF 1ms     printer.lan

Device is on the same broadcast domain as the scanning interface. Full Layer 2 visibility.

MAC Address Missing

Section titled “MAC Address Missing”
10.20.30.40                        5ms     server.remote

Device is on a different subnet (routed path). Only Layer 3 information available.

No Response Time

Section titled “No Response Time”
192.168.88.99    11:22:33:44:55:66         workstation

Device discovered through passive listening or ARP, but did not respond to active probes. May have ICMP blocked.

SNMP Name Shown

Section titled “SNMP Name Shown”
192.168.88.1     E4:8D:8C:12:34:56 1ms                     MikroTik

Device responded to SNMP queries. This is the SNMP system name, often the device hostname or model.

Scripting with IP Scan

Section titled “Scripting with IP Scan”

Export Scan Results

Section titled “Export Scan Results”

IP Scan runs interactively and doesn’t directly support file export. To capture results, use the following approach:

:local output ""
:foreach i in=[/tool ip-scan address-range=192.168.88.0/24 duration=10s as-value] do={
    :set output ($output . ($i->"address") . "\n")
}
:log info $output

Note: Scripting support for IP Scan is limited. For automated inventory tasks, consider using ARP table exports or DHCP leases instead.

Alternative: ARP Table Export

Section titled “Alternative: ARP Table Export”

For a quick inventory of devices the router has communicated with:

/ip arp print

Alternative: DHCP Leases

Section titled “Alternative: DHCP Leases”

For devices that obtained addresses via DHCP:

/ip dhcp-server lease print

Verification Examples

Section titled “Verification Examples”

Check 1: Confirm Devices Are Online

Section titled “Check 1: Confirm Devices Are Online”
/tool ip-scan address-range=192.168.88.1-192.168.88.10

Expected: Devices that are online appear with response times.

Check 2: Verify Device MAC Address

Section titled “Check 2: Verify Device MAC Address”
/tool ip-scan address-range=192.168.88.50-192.168.88.50

Expected: Single device result with MAC address (if on same L2 segment).

Check 3: Find SNMP-Enabled Devices

Section titled “Check 3: Find SNMP-Enabled Devices”
/tool ip-scan address-range=10.0.0.0/24

Expected: Devices with SNMP enabled show their system name in the SNMP column.

Troubleshooting

Section titled “Troubleshooting”

Problem: “No devices found”

Section titled “Problem: “No devices found””

Causes:

  • Wrong address range specified
  • Devices blocking ICMP/ping
  • Network not reachable from router
  • Firewall blocking probe traffic

Solution:

  1. Verify the address range matches your network
  2. Check that you can ping at least one known device
  3. Verify routing to the target network exists
  4. Try using interface mode for passive discovery

Problem: “MAC addresses not showing”

Section titled “Problem: “MAC addresses not showing””

Cause: Target devices are on a different subnet (routed, not bridged).

Solution: This is expected behavior. MAC addresses are only visible for devices on the same Layer 2 segment. The router only sees its next-hop MAC for routed traffic.

Problem: “SNMP names not appearing”

Section titled “Problem: “SNMP names not appearing””

Causes:

  • Device doesn’t have SNMP enabled
  • SNMP community string mismatch
  • Device firewall blocking SNMP (UDP 161)

Solution: SNMP name detection requires the device to respond to SNMP queries. Not all devices support or enable SNMP by default.

Problem: “Scan takes too long”

Section titled “Problem: “Scan takes too long””

Cause: Large address range with many non-responsive addresses.

Solution:

  1. Narrow the address range
  2. Use the duration parameter to limit scan time
  3. Scan smaller subnets sequentially

Problem: “Inconsistent results”

Section titled “Problem: “Inconsistent results””

Cause: Using both address-range and interface simultaneously.

Solution: Use one method at a time. For active discovery, use address-range. For passive monitoring, use interface.

Common Pitfalls

Section titled “Common Pitfalls”

1. Expecting MAC Addresses from Routed Networks

Section titled “1. Expecting MAC Addresses from Routed Networks”

Wrong expectation: “I scanned 172.16.0.0/24 but no MAC addresses appear”

Right understanding: MAC addresses are Layer 2. The router only sees the MAC of its gateway for routed destinations, not the end devices.

2. Scanning Too Large a Range

Section titled “2. Scanning Too Large a Range”

Wrong:

/tool ip-scan address-range=10.0.0.0/8  # 16 million addresses!

Right:

/tool ip-scan address-range=10.0.0.0/24  # 254 addresses

Scan subnets individually rather than large blocks.

3. Relying on SNMP Names for All Devices

Section titled “3. Relying on SNMP Names for All Devices”

Wrong expectation: “IP Scan will identify all my devices by name”

Right understanding: SNMP names only appear for devices that have SNMP enabled and respond to queries. Many consumer devices don’t support SNMP.

4. Using IP Scan for Security Auditing

Section titled “4. Using IP Scan for Security Auditing”

Wrong: Using IP Scan as the sole method to find rogue devices.

Right: IP Scan is a helpful tool but not comprehensive. Combine with:

  • DHCP lease monitoring
  • ARP table inspection
  • Bridge host table (/interface bridge host print)
  • 802.1X port security

5. Confusing Active and Passive Modes

Section titled “5. Confusing Active and Passive Modes”

Wrong:

/tool ip-scan address-range=192.168.88.0/24 interface=bridge1

Right: Choose one mode:

# Active scanning
/tool ip-scan address-range=192.168.88.0/24


# OR passive listening
/tool ip-scan interface=bridge1

When to Use Other Tools

Section titled “When to Use Other Tools”
NeedRecommended Tool
Quick connectivity test/ping
See known devices (L2)/interface bridge host print
Check ARP entries/ip arp print
View DHCP clients/ip dhcp-server lease print
Port scanningUse external tools (nmap)
Continuous monitoring/tool netwatch
Bandwidth testing/tool bandwidth-test
Section titled “Related Tools”
  • Ping (/ping) - Test connectivity to specific hosts
  • Neighbor Discovery (/ip neighbor print) - Discover MikroTik and LLDP/CDP devices
  • ARP (/ip arp print) - View known IP-to-MAC mappings
  • DHCP Leases (/ip dhcp-server lease print) - View DHCP client assignments
  • Bridge Hosts (/interface bridge host print) - View MAC address table
  • Torch (/tool torch) - Real-time traffic analysis

References

Section titled “References”
Section titled “Related Topics”

Network Discovery

Section titled “Network Discovery”

Device Information

Section titled “Device Information”

Traffic Analysis

Section titled “Traffic Analysis”
  • Torch - real-time traffic analysis
  • Netwatch - continuous host monitoring