Let's assume you must work in a network but they forgot to tell you the ip address range.

• Simply use tcpdump, wireshark or any sniffer that displays the IP addresses of existing packets.

• Eg:

# tcpdump -nnei eth1
13:46:05.577596 00:1a:73:3f:7a:9d > 00:03:6f:e1:5b:21, ethertype IPv4 (0x0800), length 74: 192.168.0.194.33387 > 80.58.32.97.53:  5597+ A? www.google.com. (32)
13:46:05.676650 00:03:6f:e1:5b:21 > 00:1a:73:3f:7a:9d, ethertype IPv4 (0x0800), length 142: 80.58.32.97.53 > 192.168.0.1 94.33387:  5597 4/0/0 ...

In this example, 192.168.0.194 is a host in the network, and 00:03:6f:e1:5b:21 is the mac address of the gateway. We don't know the ip address of the gateway yet, that would probably require waiting for an arp packet, or try guess it, or active scan.

• If DHCP is enabled on the network, use a dhcp client or a fast discovery tool like DHD.

• Use a fast ARP scanner like netdiscover, or a multipurpose one like nmap, ettercap, etc.

• Eg:

  # netdiscover -i eth1
  Currently scanning: 192.168.1.0/16   |   Our Mac is: 00:0b:16:a1:b2:c3

  2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102
  _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
  -----------------------------------------------------------------------------
  192.168.0.1     00:03:6f:e1:5b:21    01    042   Telsey SPA
  192.168.0.194   00:1a:73:3f:7a:9d    01    060   Unknown vendor