Is it possible to find out what gateway is available on a network without prior knowledge?

A colleague and I both presumed this was a clear "no" but, admittedly, our networking knowledge is limited.

Is it even possible that, without prior knowledge of the network configuration (i.e., no DHCP or static IP configuration handy), you could figure out the network's gateway? If it is indeed possible, how?


Firstly, I would hazard a guess that 90% of the time it's the first IP address in your subnet (so, 10.10.5.0/24, it would be 10.10.5.1) - although my network has one on .17 and one on .23 (and nothing at all on .1); so make of that what you will.

If it's a Wi-Fi network, you could listen in promiscuous mode and look at what the most common destination for external traffic is, and if others are using the gateway, you can deduce it from there (by greatly reducing the number of IPs to check with).

If it's a fully switched network, things become a lot harder, but what I have done in the past is watch ARP requests and systematically go through the most heavily advertising ARP devices.

But this is all a long way of saying no, there is no way to tell with 100% certainty what IP address the network gateway resides on, or if the network even has a gateway.


Practical example: I once inherited a WatchGuard firewall, and I had its passphrases, but no idea what network it was listening on, which is much like your theoretical predicament. What I ended up doing was firing up Wireshark and capturing ARP traffic. After a while, the MAC address of the WatchGuard box started showing up in global broadcast traffic, doing gratuitous ARPs, looking for an IP address of some unknown, pre-configured device. From there it was pretty simple to set myself on the right subnet and find its IP address.


Al West brings up an interesting point - on IPv6, gateways are fairly easy to find if they use autoconfiguration - each router advertises itself (through an RA), and you can just listen for them. If it's a DHCP network, or a network with no autoconfiguration OR DHCP, the same rules apply as above.


I think I have to disagree with @Mark Henderson here. Except in what I consider edge cases:

  • policy controlled subnets (VACLs, MAC filtered). This will prevent you from being able to contact the router even if you can figure out what it is.
  • 802.1x environments. This type of security was meant to prevent people from plugging into a physical port and gaining access. So the 802.1x environment may actually give you hints at what the router is so you can authenticate, but you won't be able to use it for any sort of traffic.
  • non-broadcast networks: this is practically impossible.

Outside of that, it is possible. But it is not trivial and it may take a significant amount of time. I've built scripts that do this to test routing investigation in undocumented networks. You have to solve a few problems first:

  • what is the subnet of the network you are connected to
  • which devices are available on your network
  • if you set a route through one of these devices can you ping a remote device that you know is up and you can reach via a 'known good' internet path.

To solve the first part you can tcpdump the interface and it will show some traffic, hopefully some broadcast or ARP traffic. It is usually best to try and DHCP, but if that doesn't work you can just listen for an hour and then pick an IP address that is in the range you see. Also, if you see ARP requests frequently on this network, it is probably the router making them. That means you should test the source of these first as a gateway before testing other available hosts.

To solve the second part, after you get an IP address assigned, run nmap or strobe and figure out what other devices are on the network.

To solve the last piece, set up a static route using the route command to either the default (0.0.0.0) or some specific IP and see if you can ping your external test host. This can be a simple ICMP test, or I would suggest an HTTP request that has a CGI that returns what your source IP is so you can tell what you got NATed to.
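
Both answers lean on the same heuristic: the host sending the most ARP requests is the first gateway candidate to test. The sketch below is an added example, not code from either answer; it parses raw Ethernet ARP frames and ranks senders by request count. The function names, MAC addresses and sample capture are constructed for illustration, and the ranking only orders candidates for testing, it does not prove which one routes.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return oper, sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))

def rank_gateway_candidates(frames):
    """Rank hosts by how many ARP requests (oper 1) they sent, busiest first."""
    requests = Counter()
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        oper, mac, sender_ip, _target_ip = arp
        # Skip replies and address probes (sender 0.0.0.0 has no usable IP yet).
        if oper == 1 and sender_ip != "0.0.0.0":
            requests[(sender_ip, mac)] += 1
    return requests.most_common()

def make_arp(oper, mac, sender_ip, target_ip):
    """Build one constructed broadcast ARP frame for the sample capture."""
    sha = bytes.fromhex(mac.replace(":", ""))
    eth = b"\xff" * 6 + sha + b"\x08\x06"
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    body += sha + IPv4Address(sender_ip).packed + b"\x00" * 6 + IPv4Address(target_ip).packed
    return eth + body

# Constructed sample capture on the 10.10.5.0/24 example subnet; MACs are made up.
SAMPLE = [
    make_arp(1, "02:00:00:00:00:11", "10.10.5.17", "10.10.5.40"),
    make_arp(1, "02:00:00:00:00:28", "10.10.5.40", "10.10.5.17"),
    make_arp(1, "02:00:00:00:00:11", "10.10.5.17", "10.10.5.41"),
    make_arp(2, "02:00:00:00:00:11", "10.10.5.17", "10.10.5.40"),  # reply, ignored
    make_arp(1, "02:00:00:00:00:29", "10.10.5.41", "10.10.5.17"),
    make_arp(1, "02:00:00:00:00:11", "10.10.5.17", "10.10.5.42"),
    make_arp(1, "02:00:00:00:00:32", "0.0.0.0", "10.10.5.50"),     # probe, ignored
    make_arp(1, "02:00:00:00:00:29", "10.10.5.41", "10.10.5.42"),
    b"\x00" * 60,                                                   # not ARP
]

if __name__ == "__main__":
    for (ip, mac), count in rank_gateway_candidates(SAMPLE):
        print(f"{ip:<15} {mac}  {count} ARP requests")
```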