arp-scan is a command-line tool for system discovery and fingerprinting. It constructs and sends ARP requests to the specified IP addresses, and displays any responses that are received.
arp-scan allows you to:
- Send ARP packets to any number of destination hosts, using a configurable output bandwidth or packet rate. This is useful for system discovery, where you may need to scan large address spaces.
- Construct the outgoing ARP packet in a flexible way. arp-scan gives control of all of the fields in the ARP packet and the fields in the Ethernet frame header.
- Decode and display any returned packets. arp-scan will decode and display any received ARP packets and look up the vendor using the MAC address.
- Fingerprint IP hosts using the arp-fingerprint tool.
Using arp-scan for system discovery
arp-scan can be used to discover IP hosts on the local network. It can discover all hosts, including those that block all IP traffic such as firewalls and systems with ingress filters.
arp-scan works on Ethernet and 802.11 wireless networks. It may also work with token ring and FDDI, but these have not been tested. It does not support serial links such as PPP or SLIP, because ARP is not supported on them.
You will need to be root, or arp-scan must be SUID root, in order to run arp-scan, because the functions that it uses to read and write Ethernet packets require root privilege.
Discovering all hosts on the local network
If the system you are testing from has an address on the network you wish to scan, the simplest way to scan it is with a command similar to:
arp-scan --interface=eth0 --localnet
Here, --interface=eth0 represents the interface to use for scanning, and --localnet makes arp-scan scan all possible IP addresses on the network connected to this interface, as defined by the interface IP address and netmask. You can omit the --interface option, in which case arp-scan will search the system interface list for the lowest numbered, configured up interface (excluding loopback).
The network interface name depends on the operating system you are using, the network type (Ethernet, wireless, etc.), and for some operating systems on the interface card type as well. In this document, the interface name eth0 is used for examples except where a different network type is being discussed.
All arp-scan options have both a long form like --interface=eth0 and a corresponding short form like -I eth0. I always use the long form in this document for clarity.
Here is an example showing arp-scan being run against the local network:
$ arp-scan --interface=eth0 --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.5.2 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1	00:c0:9f:09:b8:db	QUANTA COMPUTER, INC.
192.168.1.4	00:02:b3:bb:5c:09	Intel Corporation
192.168.1.3	00:02:b3:bb:66:98	Intel Corporation
192.168.1.5	00:02:a5:90:c3:e6	Compaq Computer Corporation
192.168.1.6	00:c0:9f:0b:91:d1	QUANTA COMPUTER, INC.
192.168.1.8	00:02:b3:3d:13:5e	Intel Corporation
192.168.1.9	00:02:b3:bb:66:bd	Intel Corporation
192.168.1.10	00:02:b3:63:cd:16	Intel Corporation
192.168.1.12	00:02:a5:de:c2:17	Compaq Computer Corporation
192.168.1.13	00:02:b3:91:4e:74	Intel Corporation
192.168.1.14	00:02:a5:a9:27:29	Compaq Computer Corporation
192.168.1.17	00:12:3f:ae:c1:df	Dell Inc
192.168.1.19	00:90:27:43:c0:57	INTEL CORPORATION
192.168.1.24	00:12:3f:d4:3c:06	Dell Inc
192.168.1.29	00:08:74:c0:89:1d	Dell Computer Corp.
192.168.1.34	00:08:74:c0:40:ce	Dell Computer Corp.
192.168.1.36	00:0c:29:d0:a2:18	VMware, Inc.
192.168.1.44	00:18:8b:7a:fe:10	Dell
192.168.1.47	00:12:3f:d4:41:86	Dell Inc
192.168.1.105	00:13:72:09:ad:76	Dell Inc.
192.168.1.148	00:90:27:9d:2a:0b	INTEL CORPORATION
192.168.1.155	00:10:db:74:d0:52	Juniper Networks, Inc.
192.168.1.189	00:14:38:93:93:7e	Hewlett Packard
192.168.1.191	00:01:e6:57:8b:68	Hewlett-Packard Company
192.168.1.195	00:10:83:f2:83:76	HEWLETT-PACKARD COMPANY
192.168.1.196	00:30:c1:ae:31:5c	HEWLETT-PACKARD
192.168.1.204	00:11:43:0f:f2:dd	DELL INC.
192.168.1.202	00:d0:b7:25:61:6c	INTEL CORPORATION
192.168.1.222	00:90:27:9d:48:90	INTEL CORPORATION
192.168.1.192	00:01:e6:27:27:6e	Hewlett-Packard Company
192.168.1.234	00:c0:9f:0d:00:9a	QUANTA COMPUTER, INC.
192.168.1.251	00:04:27:6a:5d:a1	Cisco Systems, Inc.
192.168.1.250	00:06:d7:55:0f:40	Cisco Systems, Inc.

34 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.5.2: 256 hosts scanned in 1.717 seconds (149.10 hosts/sec). 33 responded
Here arp-scan scans the 192.168.1.0/24 network attached to eth0. It sends an ARP request for each IP address in the attached network (including the network and broadcast addresses) and for each host that responds, it displays the host’s IP address, MAC address and the vendor string corresponding to the MAC address (this is generally determined by the first three bytes of the MAC address).
Any hosts that respond to the ARP request are displayed in the format:
<IP Address> <Hardware Address> <Vendor Details>
The IP address, Hardware address and vendor details are each separated by a single TAB character. There is always a single blank line between the last responding system and the statistics display.
arp-scan will never report the scanning host’s own IP address, because the testing system won’t respond to its own ARP request. This is generally the desired behaviour, as we are almost never interested in the details of the testing system.
Although arp-scan reports the datalink type as EN10MB, this does not necessarily mean that it is 10Mbit Ethernet; it could be any type (10Mbit, 100Mbit, 1Gbit or 802.11a/b/g). EN10MB is the name used by libpcap for all types of Ethernet.
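As an added example (not part of the arp-scan documentation), here is a small Python parser for the output format described above: it turns the TAB-separated host lines into records, cross-checks them against the "N responded" figure, extracts the three-byte vendor prefix, and flags hosts that are missing from, or disagree with, a constructed IP-to-MAC inventory, which is how a periodic scan is used to spot unknown devices on a segment. The sample output and inventory are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the format arp-scan prints: IP address, hardware
# address and vendor separated by single TABs, a blank line, then statistics.
SAMPLE_OUTPUT = (
    "Interface: eth0, datalink type: EN10MB (Ethernet)\n"
    "Starting arp-scan 1.5.2 with 8 hosts (http://www.nta-monitor.com/tools/arp-scan/)\n"
    "192.168.1.1\t00:c0:9f:09:b8:db\tQUANTA COMPUTER, INC.\n"
    "192.168.1.3\t00:02:b3:bb:66:98\tIntel Corporation\n"
    "192.168.1.5\t00:02:a5:90:c3:e6\tCompaq Computer Corporation\n"
    "\n"
    "3 packets received by filter, 0 packets dropped by kernel\n"
    "Ending arp-scan 1.5.2: 8 hosts scanned in 0.885 seconds (9.04 hosts/sec).  3 responded\n"
)

class Host(NamedTuple):
    ip: str
    mac: str
    vendor: str

# One responding host per line: <IP>\t<MAC>\t<vendor>; header and statistics lines do not match.
HOST_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\t([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\t(.*)$")
RESPONDED = re.compile(r"(\d+) responded\s*$")

def parse_arp_scan(output: str) -> List[Host]:
    """Return a Host for every responding system in arp-scan's output."""
    hosts = []
    for line in output.splitlines():
        m = HOST_LINE.match(line)
        if m:
            hosts.append(Host(m.group(1), m.group(2).lower(), m.group(3)))
    return hosts

def responded_count(output: str) -> Optional[int]:
    """The 'N responded' figure from the Ending line, used to cross-check the parsed rows."""
    for line in output.splitlines():
        m = RESPONDED.search(line)
        if m:
            return int(m.group(1))
    return None

def oui(mac: str) -> str:
    """The vendor prefix arp-scan looks up: the first three bytes of the MAC address."""
    return ":".join(mac.lower().split(":")[:3])

def unexpected_hosts(hosts: List[Host], inventory: Dict[str, str]) -> List[Host]:
    """Hosts absent from the IP->MAC inventory, or answering with a MAC other than the one recorded."""
    return [h for h in hosts if inventory.get(h.ip) != h.mac]
```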
Specifying a list of IP addresses
It is possible to specify a list of IP addresses to send ARP requests for instead of using --localnet to specify all the addresses within the attached network. There are five ways to specify the list of target addresses:
1. Specify a list of IP addresses as arguments, e.g. arp-scan --interface=eth0 192.168.1.1 192.168.1.2 192.168.1.3
2. Specify the network in <network>/<bits> format, e.g. arp-scan --interface=eth0 192.168.1.0/24
3. Specify the network in <network>:<netmask> format, e.g. arp-scan --interface=eth0 192.168.1.0:255.255.255.0
4. Specify the inclusive address range in <start>-<end> format, e.g. arp-scan --interface=eth0 192.168.1.3-192.168.1.27
5. Read the list of IP addresses from a file, e.g. arp-scan --interface=eth0 --file=ip-address-list.txt
For the network specifications, <network>/<bits> and <network>:<netmask>, the resulting list of IP addresses includes the network and broadcast addresses. When reading the IP addresses from a file, the file should contain one IP address per line.
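Added example, not arp-scan's own code: the five target forms above, expanded with Python's ipaddress module into the address list arp-scan would scan. The network forms keep the network and broadcast addresses, the range form is inclusive, and (as with --numeric) anything that is not a numeric address is rejected; the --file case is modelled as a sequence of lines, one address per line.

```python
import ipaddress
from typing import Iterable, List

def expand_target(spec: str) -> List[str]:
    """Expand one target specification into the IPv4 addresses it covers.

    <network>/<bits>      e.g. 192.168.1.0/29           (network and broadcast included)
    <network>:<netmask>   e.g. 192.168.1.0:255.255.255.0 (network and broadcast included)
    <start>-<end>         e.g. 192.168.1.3-192.168.1.27  (inclusive)
    <ip>                  e.g. 192.168.1.1
    Hostnames are not resolved here, matching the behaviour of --numeric.
    """
    if "/" in spec:
        # Iterating an IPv4Network yields every address, .0 and broadcast included
        # (unlike .hosts(), which would drop them).
        return [str(a) for a in ipaddress.IPv4Network(spec, strict=False)]
    if ":" in spec:
        network, netmask = spec.split(":", 1)
        return [str(a) for a in ipaddress.IPv4Network((network, netmask), strict=False)]
    if "-" in spec:
        start, end = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        if end < start:
            raise ValueError(f"range end precedes start: {spec}")
        return [str(ipaddress.IPv4Address(n)) for n in range(int(start), int(end) + 1)]
    # A plain address; IPv4Address raises ValueError for anything non-numeric.
    return [str(ipaddress.IPv4Address(spec))]

def expand_targets(specs: Iterable[str]) -> List[str]:
    """Expand command-line arguments, or the lines of a --file (one address per line)."""
    addresses: List[str] = []
    for spec in specs:
        spec = spec.strip()
        if spec:                       # ignore blank lines in a file
            addresses.extend(expand_target(spec))
    return addresses
```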
It is possible to use hostnames instead of IP addresses, e.g. arp-scan --interface=eth0 orion. This will look up the IP address for orion with gethostbyname(). It is possible to disable this, so that all arguments must be IP addresses, with the --numeric option. In this case, the inet_pton() function is used to convert the IP address string.
The --numeric option is useful when DNS is not working, where it can avoid long delays caused by failed DNS lookups. If you find that arp-scan is taking a long time to run, this is one of the first things to try.
Don’t forget that the ARP protocol only works on the local Ethernet segment, and cannot be routed. So you cannot use arp-scan to discover hosts behind routers with the exception of remote interfaces on some multi-homed systems, and proxy-arp responses from routers.
Here is an example showing arp-scan being run against the eight addresses in the network 192.168.1.0/29:
$ arp-scan --interface=eth0 192.168.1.0/29
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.5.2 with 8 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1	00:c0:9f:09:b8:db	QUANTA COMPUTER, INC.
192.168.1.3	00:02:b3:bb:66:98	Intel Corporation
192.168.1.4	00:02:b3:bb:5c:09	Intel Corporation
192.168.1.5	00:02:a5:90:c3:e6	Compaq Computer Corporation
192.168.1.6	00:c0:9f:0b:91:d1	QUANTA COMPUTER, INC.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.5.2: 8 hosts scanned in 0.885 seconds (9.04 hosts/sec). 5 responded
# arp-scan -h