How to check if an IP address is in use

Hi - in the attached screenshot, does the 2nd ping mean that the ip address is available but just not in use?

Not sure why I get the 'unreachable' error but no packet loss?

I am looking for a way to determine if an ip address is available to use or not - is there a better way to do this?


Brent Embrey Asked:

CorinTack, Network Engineer, Commented:
If you have access to the device giving out DHCP addresses, you can look there. Almost all such devices have some way to check what addresses are in use, and reserve certain addresses or ranges, and clear reservations, etc.

Pinging an address will tell you whether there is currently an online device using that address. Unfortunately, what it won't tell you is if there is a device that has that address reserved in DHCP (either manually or via the DHCP age settings) that is just offline. Your best bet, therefore, is to check your DHCP server.
Will Szymkowski, Senior Solution Architect, Commented:
When you get "Reply From <IP Address>: Destination Host Unreachable", it means that the remote router does not have the correct routing information to complete the request. This is why you see a reply back from 192.168.0.28.

Ping is a sufficient way to do a quick check but it should say Request Timeout to be 100% certain that you are not using a duplicate IP.

It would also be valuable to use IPAM in your environment as well to track IP Addresses that are already used.

While a proper reply indicates that there is a device there now, a "Destination Host Unreachable" or "Request Timeout" (or other failures) do NOT ensure that there is not (or will not be) a device there.  The device could be configured to not reply to Ping requests or the device could just be offline at the moment.

Looking at the DHCP tables is a good estimate of what is or has been out there, but doesn't really tell you about devices with static IP addresses.  If you have a Domain environment (and it is properly configured), DNS should give you a good clue.

While the Ping approach has limitations, it can be useful.  If you want to scan a lot of addresses quickly and easily, look for Angry IP Scanner (free) or other similar IP scanners.

I don't think that there is an absolute way to accomplish what you wish.  If you scan all addresses in your subnet then you may see a pattern and can infer how it was configured.  At least check the range for DHCP and assume that all of those addresses are in use as they could be handed out in the future.

Qlemo, Batchelor, Developer and EE Topic Advisor, Commented:
Ping is a quick test, but not that reliable for many reasons. You only can safely assume that an IP address is in use if you get the definitive reply from that IP.
Anything different from that doesn't tell you much.

A service that devices connect and register to on a regular basis is much more reliable. DHCP and DNS are such services, and the first places I look at.
andreas, System Admin, Commented:
Destination host unreachable just means there can't be an ARP resolution for the IP in the same subnet. If the IP is behind the router you should get timeouts.

So if the Destination host unreachable comes back, it means a host with that IP is not available in the same subnet.
If it times out and the host is in the same subnet, it can have 2 reasons:
1. The host was just turned off and its MAC address is still in the system's ARP cache.
2. The host firewall rejects ICMP ping requests, even if it's on and running.

On Windows you can check your ARP table in an elevated command prompt via

arp -a

If IP is not local to your subnet you will get back Ping timeouts usually.
This is one of the main reasons I always recommend using your DHCP server to assign all IP addresses, and use it to assign static IP's to devices that need to be reached by other devices, like servers etc. That way you can always lookup what IP's have been reserved, and which ones are still free. If you assign static IP's manually you have to carefully document everything, and that can be a problem particularly if there are several administrators who can assign IP's.
andreas, System Admin, Commented:
Correct, using DHCP for assigning IPs will relieve a lot of hassle. But if you have a mixed environment with static IPs and DHCP, or a wild-grown net without proper documentation, you could use ARP sweep tools to sweep the net a few times per hour and record the ARP responses to the IPs. If you get a response on the same subnet, the IP is assigned and in use.
This will always succeed no matter how firewall rules on the destination host are set, as ARP resolution cannot be blocked without totally blocking IP communication.
So on the local subnet you can always detect this way whether a host is there or not, even if pings and other ICMP types are blocked.

If you update a list with the times each IP/ARP combo is seen, you have a record of currently used and long-unused IPs for your local subnet.

But be aware this will not work over the gateway/router. It must be done in the same broadcast domain.

The problem is that the device must be running while sweeping.
Brent Embrey, Author, Commented:
Thanks all!
andreas, System Admin, Commented:
@rindi thus asking him to sweep a few times per hour, let's say every 15 or 20 mins, and only consider IPs not in use if for a greater number of days no reply was recorded.

If a device always escapes the sweep, it's very, very bad luck, and the chance it will happen is very small.
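The record-keeping described in the two comments above, sketched as an added example that is not part of the original thread: it parses Windows `arp -a` output collected after each sweep and keeps a last-seen time per IP. The sample output, the function names, the status labels and the 14-day threshold are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed samples of Windows `arp -a` output; all addresses are made up.
SWEEP_OLD = """\
Interface: 192.168.0.28 --- 0x7
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.40          66-77-88-99-aa-bb     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""
SWEEP_NEW = """\
Interface: 192.168.0.28 --- 0x7
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)",
    re.IGNORECASE,
)

def parse_arp(text):
    """Return {ip: mac} for dynamic entries; static broadcast/multicast rows are skipped."""
    return {
        m.group(1): m.group(2).lower()
        for m in map(ROW.match, text.splitlines())
        if m and m.group(3).lower() == "dynamic"
    }

def record_sweep(history, arp_text, when):
    """Merge one sweep into history, keeping the last time each IP answered ARP."""
    for ip, mac in parse_arp(arp_text).items():
        history[ip] = {"mac": mac, "last_seen": when}
    return history

def classify(history, ip, now, quiet_days=14):
    """Return 'in_use', 'quiet' (seen, but not for quiet_days) or 'never_seen'."""
    entry = history.get(ip)
    if entry is None:
        return "never_seen"  # not proof of a free address: check DHCP and DNS too
    if now - entry["last_seen"] > timedelta(days=quiet_days):
        return "quiet"
    return "in_use"

def demo():
    now = datetime(2024, 1, 30, 12, 0)  # constructed timestamps
    history = record_sweep({}, SWEEP_OLD, now - timedelta(days=20))
    record_sweep(history, SWEEP_NEW, now)
    return {ip: classify(history, ip, now)
            for ip in ("192.168.0.1", "192.168.0.40", "192.168.0.99")}

if __name__ == "__main__":
    print(demo())
```

As the thread notes, this only covers hosts in the same broadcast domain as the machine whose ARP table is read.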
I know you have closed this and accepted solutions, but if I could, I'd recommend using nmap. Do a simple scan and use -Pn in your command; if there is a device with that address it will tell you DNS/software/OS/manufacturer. Another thing: if you have access to your DNS you can check the ARPA tables.
Apologies if these were recommended, but I didn't see them.
So many wrong answers! And accepted :(

Request timed out means that the source of the ICMP packet (the source of the ping) did not receive any answer to the request in a timely manner (set by TTL).

Destination Host Unreachable means that the source received an answer from a router in the path, with the code 3.

For those interested in the ICMP code types:

For other issues regarding TCP/IP and OSI models, don't hesitate to contact me!

Best regards!
Hi matrix8086
I think you will find them to be correct, just not the way you would put it.
The reply he is getting is from the local machine at a guess not a router as you say and in fact probably doesn't even see a router being on the same range.
Destination unreachable in itself has varied meanings and is, by all accounts, one of the more "none-helpful" responses.
As your document says
"3     Destination Unreachable                  [RFC792]

           0  Net Unreachable
           1  Host Unreachable
           2  Protocol Unreachable
           3  Port Unreachable
           4  Fragmentation Needed and Don't Fragment was Set
           5  Source Route Failed
           6  Destination Network Unknown
           7  Destination Host Unknown
           8  Source Host Isolated
           9  Communication with Destination Network is
              Administratively Prohibited
          10  Communication with Destination Host is
              Administratively Prohibited
          11  Destination Network Unreachable for Type of Service
          12  Destination Host Unreachable for Type of Service
          13  Communication Administratively Prohibited      [RFC1812]
          14  Host Precedence Violation                      [RFC1812]
          15  Precedence cutoff in effect                 "

If I was to hazard a guess the client has its firewall turned on and is accepting the ping and just not replying thereby no loss in packets and no reply received.
Stolsie: You're wrong: a device not replying means "request timed out".

Those codes/subcodes are not "none-helpful". How do you think that expensive software/equipment could make a diagnosis? (Or probably you did not see such a thing.) I'm telling you: using these codes ;)

I'm going to jump in here as you are on a topic ("unreachable.." vs. "timeout") that I've not understood and wish to.

If I am reading your comment correctly, when the OP pinged, the "unreachable" reply indicates that something at (mentioned in the output) replied that the address could not be reached.  Your comment was that this reply would come from the router.  Though certainly not impossible, I find it unlikely that the router was at .28.

On my system (Win 8.1) if I ping a local address that does not exist, I get "Destination host unreachable" from my IP address, not from the router.  If I ping a non-local address, I get "request timed out".  This seems backwards to what you suggest.

I'm wondering if your comments are how this should be implemented, but the Windows ping command doesn't follow the rules.
^exactly my point. :)
My all Dears,

All I've said about the TCP/IP model, ICMP and ping is 100% the way I've said. Search in Google for articles from Microsoft and CISCO (not forums) if you don't believe me. can be his PC, a router, we don't know. But we must not care about it. And your win 8.1 will help us to not care: how many interfaces do you have on your Windows 8.1? (just type ipconfig and you will see) And how many addresses? How do you know from which interface ping originates? Are you sure that your Windows 8.1 did not do routing when you tried ping? Maybe the originating interface was the local loopback with IP I don't know how Windows 8.1 has implemented ping (and personally I don't care how Microsoft interprets ICMP codes or the no ICMP response).

What I know is what is written in RFCs. That's the Bible of TCP/IP. And that should be the correct understanding of TCP/IP. If you would try to go deeper in TCP/IP and understand the IP header and TCP header, you will understand such things.

But, to conclude: as we can find in the RFCs, request timed out is the only time when a response is not received to an ICMP request.

Best regards all of you!
To be clearer... I wasn't trying to be argumentative or to claim that you were incorrect.  I am seriously trying to learn here when I can.

Though I've not looked up the RFCs, I trust your citing of them as being accurate.  My concern is that I deal with how they work in the real Windows world as that is what I have to fix.

Here is my real world:
(Win 8.1)

Windows IP Configuration

Ethernet adapter vEthernet (External Virtual Switch):

   Connection-specific DNS Suffix  . : CPS2008.local
   Link-local IPv6 Address . . . . . : fe80::213a:c571:6f8e:d434%7
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.CPS2008.local:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :


Pinging with 32 bytes of data:
Reply from Destination host unreachable.
Reply from Destination host unreachable.
Reply from Destination host unreachable.
Reply from Destination host unreachable.

Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


Pinging with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


I am able to successfully ping, so I'm configured correctly to get to the outside world.

I thought that the fact that it is an "Ethernet Virtual Switch" might be confusing matters so I did a similar test on a new Windows 7 x64 computer that I am finishing.  I got similar results.  That is, only one connected interface, pings on the local subnet to non-existing devices give "unreachable", and pings to non-existing devices on the internet give "timed out" responses.

I may try some packet sniffing to see what is actually going on.  Until then, it appears that the Win 7 and Win 8 implementations of Ping don't follow the RFC properly.
Hmmm ... you are right! I switched to MacOS in 2008, where there is no such thing. And in the rare moments when I have used Windows, I did not realize that!

But now I've checked and done some tests myself, and it seems that starting with Win7 and Windows 2008 Server, when a ping is sent, Windows looks first in the ARP table for local subnets.

If an entry is found, but there is no ICMP response, it generates request timed out - checked with ICMP response suppressed.

If an ARP entry is not found and there is no ICMP response - destination host unreachable.

Another "strange" thing that I have observed: for new IPs, the first response was destination host unreachable, followed by 3 good answers. This behavior made me think that Windows looks first in the ARP table for local subnets. I did not find such an answer on official pages of Microsoft, but there are other people who made the same suppositions on some forums.

And more than that, Microsoft respects RFCs: request timed out is not a reliable answer, as long as you have no response; the host can be up with ICMP responses suppressed, for example.

But destination host unreachable gives you for sure an answer that the host is not reachable! As RFCs say, destination host unreachable has the guarantee that you cannot reach that host.

Best regards!
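The question that started this thread (why "unreachable" replies show 0% packet loss) comes down to reading the per-line results instead of the statistics line, where Windows counts the unreachable messages as received. The following is an added example, not part of the original thread; it assumes English-locale Windows ping output with an IP literal as target, and the sample outputs, function name and verdict labels are constructed for illustration.

```python
import re

# Constructed Windows ping output modelled on the thread; addresses are made up.
UNREACHABLE = """\
Pinging 192.168.0.50 with 32 bytes of data:
Reply from 192.168.0.28: Destination host unreachable.
Reply from 192.168.0.28: Destination host unreachable.

Ping statistics for 192.168.0.50:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""
ANSWERED = """\
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Request timed out.
"""
TIMED_OUT = """\
Pinging 192.168.0.60 with 32 bytes of data:
Request timed out.
Request timed out.
"""

TARGET = re.compile(r"Pinging ([\d.]+) with")
ECHO = re.compile(r"Reply from ([\d.]+): bytes=\d+")
UNREACH = re.compile(r"Reply from ([\d.]+): Destination host unreachable")

def classify_ping(output):
    """Classify by per-line results, not by the 'Received'/'Lost' counters."""
    target, echoes, reporters, timeouts = None, 0, set(), 0
    for line in map(str.strip, output.splitlines()):
        if m := TARGET.match(line):
            target = m.group(1)
        elif m := ECHO.match(line):
            echoes += m.group(1) == target   # only echo replies from the target count
        elif m := UNREACH.match(line):
            reporters.add(m.group(1))        # who reported it: own address or a router
        elif line.startswith("Request timed out"):
            timeouts += 1
    if echoes:
        verdict = "in_use"                   # the only definitive answer
    elif reporters:
        verdict = "unreachable_reported"     # no echo reply, despite "0% loss"
    elif timeouts:
        verdict = "no_reply"                 # host may be off or filtering ICMP
    else:
        verdict = "unknown"
    return {"target": target, "verdict": verdict, "echo_replies": echoes,
            "reported_by": sorted(reporters), "timeouts": timeouts}
```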
andreas, System Admin, Commented:
Thanks for your article. All in all good, but I found 2 bigger mistakes:

1. All systems can see the ARP table (not just routers), as all systems with an IP stack will also have an ARP table. Each system, when communicating on the local subnet, will only talk to MAC addresses, not IP addresses.
So the MAC address which belongs to a specific IP needs to be known, and this is stored in the system's ARP table.
If you access a local system for the first time, then your system will send out an ARP request to the broadcast address of the network, which will be answered only by the system that has this IP assigned. This answer will be sent back to the originating MAC address and contains the MAC of the host that has the IP in question.
If no ARP request is received by the system conducting the ARP query, the ARP table does not have a valid entry for that IP.

2. A router will not instantly give host not reachable if it doesn't have an entry in its ARP table. The router will do the same procedure of sending out ARP requests to the subnet's broadcast address and will wait for ARP replies; if the host does reply, it will update its ARP table.
If no host replies, it will send back the host not reachable.

BTW I have NEVER ever received a host not reachable from the internet.
(except for martian IPs, and private non-routed subnets, then directly from 1st hop)
I'm guessing at my home provider and somewhere in the upstream of my workplace this ICMP type will be filtered.
Maybe to prevent active scanning for active hosts even if they block all communications by themselves to be invisible.
1. I agree with you. I was talking about the implementation of ping since Win7, Win 2008 Server, and Linux distributions since 2008-2009. I was talking strictly about TCP/IP and RFCs in the answer of this thread, and I discovered that I have some missing points since the operating systems changed the way that ping can function, just to be more accurate with RFCs. WinXP and Mavericks are not checking the ARP table on a ping command. Their response will always be "request timed out". That was all about!

2. Of course you did not see any "destination host not reachable" from the Internet, because of security issues that sysadmins take care of and the fact that they are suppressing ICMP responses.

I was talking about having your own private WAN where you are not sharing Internet connections with anyone and where you can make your own rules. It is expensive and it is rare, but such things can exist.

Regarding the local subnets, the new way that ping is working on the latest operating systems can be truly helpful to find out whether an IP address is used or not.

Best regards!