Have you ever forgotten an IP address for an iLO on your network? Do you ever wonder “What’s my iLO IP Address?” Maybe you’re using DHCP, and you’ve added a new server to your network, but you don’t know the IP address of its iLO (and you’re not using dynamic DNS – so the iLO ‘toe-tag’ name can’t be used as an alias).

Here is a handy script I wrote to search a local network (using nmap) to find all the iLOs (HP Integrated Lights-Out adapters). It gives you a list of all the iLOs found, including their firmware version and server hardware type. It’s a good tool to use when a new iLO firmware version comes out and you need to know which servers need to be updated. This script is written for Linux, but it could easily be modified for other operating systems, as long as the requisite tools are available.

The script works to find all versions of iLO (version 1 and 2), but obviously the iLOs must be connected to the Ethernet network. Also, this script relies on having Virtual Media enabled at the default TCP port number of 17988 — if this has been changed by the server administrator, then you can modify the script to find iLOs using the other port number.


As I mentioned before, you first need Linux to use this script. Then you’ll need tr, sed, expr, curl and nmap. The oddballs are curl and nmap – these may not be installed on your system by default.

findilos Script Source Code (download here: findilos.tar)

#!/bin/bash
#
# findilos - Search a local network segment for iLOs
#            The iLO is the Integrated Lights-Out management processor
#            used on HP ProLiant and BladeSystem servers
# Author: iggy@nachotech.com
# Website: http://blog.nachotech.com
# Requires: tr sed expr curl nmap
# Tested with: Nmap 4.20, curl 7.17.1, RHEL4
# Note: Discovery of an iLO is dependent upon the Virtual Media port
#       being set to the default of 17988.  If this has been changed
#       by the iLO administrator, then this script will NOT find it.
#       Also, if the iLO XML Reply Data Return has been Disabled by
#       the iLO administrator, this script will not be able to
#       gather any information about the server.  It will still be
#       discovered, but all you will see is its IP address.

scriptname="findilos"
scriptversion="X.Y"   # placeholder: the version string is missing from this page
iprange="$1"

declare -i ilosfound=0

# extract the contents of XML tag $1 from $iloxml into $parsedstring
function parseiloxml {
  fgrep "$1" "$iloxml" > /dev/null 2>&1
  if [ $? -ne 0 ]
  then
    # tag not found in xml output, return empty string
    parsedstring=""
  else
    # tag was found - now we parse it from the output
    tempstring=$( cat "$iloxml" | tr -d -c '[:print:]' | sed "s/^.*<$1>//" | sed "s/<.$1.*//")
    # trim off leading and trailing whitespace
    # ([[:space:]] is used because \t inside a bracket expression is
    #  a literal backslash and a literal "t", not a tab)
    parsedstring=`expr match "$tempstring" '[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$'`
  fi
}

# exit with an error if tool $1 is not in the PATH
function is_installed {
  which "$1" > /dev/null 2>&1
  if [ $? -ne 0 ]
  then
    printf "\nERROR: %s not installed.\n\n" "$1"
    exit 255
  fi
}

# check for tools that we depend upon
is_installed tr
is_installed sed
is_installed expr
is_installed curl
is_installed nmap

# check syntax - should have 1 and only 1 parameter on cmdline
if [ $# -ne 1 ]; then
  printf "%s %s ( http://blog.nachotech.com/ )\n" "$scriptname" "$scriptversion"
  printf "Usage: %s {target network specification}\n" "$scriptname"
  printf "  Can pass hostnames, IP addresses, networks, etc.\n"
  printf "  Ex: server1.company.com, company.com/24,, 10.0.0-255.1-254\n"
  printf "EXAMPLE:\n"
  printf "  %s\n" "$scriptname"
  exit 255
fi

# temporary work files (the original definitions are missing from
# this page; mktemp is used here)
iloips=$(mktemp /tmp/iloips.XXXXXX)
iloxml=$(mktemp /tmp/iloxml.XXXXXX)
ilohwvers=$(mktemp /tmp/ilohwvers.XXXXXX)

# prepare lookup file for iLO hardware versions
cat > "$ilohwvers" << EOF
iLO-1 shows hw version ASIC:  2
iLO-2 shows hw version ASIC:  7
i-iLO shows hw version T0
EOF

# scan a range of IP addresses looking for an
# open tcp port 17988 (the iLO virtual media port)
# (-sS is a TCP SYN scan, which needs root privileges)
printf "Scanning..."
nmap -n -P0 -sS -p 17988 -oG - "$iprange" | fgrep /open/ | awk '{print $2}' > "$iloips"
printf "\n\n"

# open and read the list of IP addresses one at a time
exec 3< "$iloips"
echo "--------------- ------ -------- ------------ -------------------------"
echo "iLO IP Address  iLO HW iLO FW   Server S/N   Server Model"
echo "--------------- ------ -------- ------------ -------------------------"
while read iloip <&3 ; do
  ilosfound=ilosfound+1
  # attempt to read the xmldata from iLO, no password required
  curl --proxy "" --fail --silent --max-time 3 "http://$iloip/xmldata?item=All" > "$iloxml"
  # parse out the Server model (server product name)
  # from the XML output
  parseiloxml SPN;  servermodel=$parsedstring
  parseiloxml SBSN; sernum=$parsedstring
  parseiloxml PN;   ilotype=$parsedstring
  parseiloxml FWRI; ilofirmware=$parsedstring
  parseiloxml HWRI; ilohardware=$parsedstring
  # look up the hardware version only when HWRI was returned;
  # an empty pattern would match every line of the lookup file
  ilohwver=""
  if [ -n "$ilohardware" ]; then
    ilohwver=$(grep -F -- "$ilohardware" "$ilohwvers" | awk '{print $1}')
  fi
  # the fallback text for the next two fields is missing from this
  # page; "N/A" is assumed here
  if [ "$ilohwver" == "" ]; then
    ilohwver="N/A"
  fi
  if [ "$sernum" == "" ]; then
    sernum="N/A"
  fi
  printf "%-15s %-6s %-8s %-12s %s\n" "$iloip" "$ilohwver" "$ilofirmware" "$sernum" "$servermodel"
done
printf "\n%d iLOs found on network target %s.\n\n" $ilosfound "$iprange"
rm -f "$iloips" "$iloxml" "$ilohwvers"
exit 0

Running the findilos script

Here’s the easy part – running the script. The only command line parameter used is a specification of the network that you want to search. Use the same network specification format used by nmap — the script is just passing it through to nmap:

Example: running findilos on a local network

# findilos
--------------- ------ -------- ------------ -------------------------
iLO IP Address  iLO HW iLO FW   Server S/N   Server Model
--------------- ------ -------- ------------ -------------------------
                iLO-2  1.29     UTR21402MP   ProLiant BL460c G1
                iLO-2  1.70     2UY24106BX   ProLiant BL460c G1
                iLO-2  1.70     2UY24106BT   ProLiant BL460c G1
                iLO-2  1.70     2UY25201R5   ProLiant BL460c G1
                iLO-2  1.60     2UY24106BJ   ProLiant BL460c G1
                iLO-2  1.70     2UY25201RE   ProLiant BL460c G1
                iLO-2  1.70     T01BPT917B   ProLiant BL460c G1

7 iLOs found on network target
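
For the firmware-update use case mentioned earlier, the table can be filtered for iLOs running firmware older than a required version. This is an added example, not part of the original findilos script: the function names, the 192.0.2.x addresses and the SAMPLE serial numbers are constructed, and it assumes the fixed column layout produced by the script's printf format.

```shell
#!/bin/bash
# Added example (not part of findilos): list iLOs whose firmware is
# older than a required version, reading findilos output on stdin.

# ilos_below_fw MIN_VERSION
# Prints "IP FIRMWARE" for each iLO below MIN_VERSION and "IP unknown"
# for iLOs that returned no firmware string (XML reply disabled).
ilos_below_fw() {
  awk -v min="$1" '
    # returns 1 if dotted version a is older than b; each component is
    # compared as an integer (assumption: 1.29 is older than 1.70)
    function older(a, b,   x, y, n, m, i) {
      n = split(a, x, "."); m = split(b, y, ".")
      for (i = 1; i <= (n > m ? n : m); i++) {
        if ((x[i] + 0) < (y[i] + 0)) return 1
        if ((x[i] + 0) > (y[i] + 0)) return 0
      }
      return 0
    }
    # data rows start with an IPv4 address; header, rules and the
    # summary line are skipped
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ / {
      # fixed columns from "%-15s %-6s %-8s %-12s %s": an empty field
      # still occupies its width, so splitting on whitespace would
      # shift the columns
      ip = substr($0, 1, 15); sub(/ +$/, "", ip)
      fw = substr($0, 24, 8); gsub(/ /, "", fw)
      if (fw !~ /^[0-9]+(\.[0-9]+)*$/) print ip, "unknown"
      else if (older(fw, min))         print ip, fw
    }'
}

# constructed sample in the findilos output format
sample_findilos_output() {
  local fmt="%-15s %-6s %-8s %-12s %s\n"
  echo "--------------- ------ -------- ------------ -------------------------"
  echo "iLO IP Address  iLO HW iLO FW   Server S/N   Server Model"
  echo "--------------- ------ -------- ------------ -------------------------"
  printf "$fmt" 192.0.2.11 iLO-2 1.29 SAMPLE0001 "ProLiant BL460c G1"
  printf "$fmt" 192.0.2.12 iLO-2 1.70 SAMPLE0002 "ProLiant BL460c G1"
  printf "$fmt" 192.0.2.13 N/A "" N/A ""
  printf "\n3 iLOs found on network target 192.0.2.0/24.\n\n"
}

# usage against the sample; with real data, pipe findilos output instead
sample_findilos_output | ilos_below_fw 1.70
```

The "unknown" rows are iLOs that answered on port 17988 but returned no XML data, so their firmware has to be checked another way.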

I am looking for feedback on the script. Please let me know if it works for you or if you have any suggestions on how to make it better.