LinuxCommandLibrary

arp-scan

Discover hosts on a local network

TLDR

Scan the current local network

$ arp-scan [[-l|--localnet]]

Scan an IP network with a custom bitmask

$ arp-scan [192.168.1.1]/[24]

Scan an IP network within a custom range
$ arp-scan [127.0.0.0]-[127.0.0.31]

Scan an IP network with a custom net mask
$ arp-scan [10.0.0.0]:[255.255.255.0]

SYNOPSIS

arp-scan [options] target

PARAMETERS

-A
    Use the ARP probe only mode.

-B
    Use broadcast address for ARP requests.

-c
    Set the number of ARP requests to send per host.

-d
    Read IP addresses from a file.

-D
    Do not use the /etc/ethers file to map MAC addresses to vendor names.

-f
    Read MAC address/vendor mappings from file.

-F
    Force vendor name database rebuild.

-h
    Display help.

-I
    Specify the network interface to use.

-l
    Use hardware address for ARP requests.

-m
    Output MAC address/vendor mappings only.

-n
    Numeric output. Do not resolve hostnames.

-N
    Output only MAC address without any additional information.

-o
    Write output to file.

-p
    Promiscuous mode on. Capture all ARP packets.

-q
    Quiet mode.

-r
    Set the number of retries for unanswered requests.

-R
    Set the retry timeout in milliseconds.

-s
    Set the sender hardware address (MAC address) to use.

-S
    Set the sender IP address to use. Required if -l is used.

-T
    Set the ARP request timeout in milliseconds.

-V
    Print version and exit.

-x
    Generate an output compatible for tcpdump.

target
    The IP address or network range to scan. Can be a single IP address, a network in CIDR notation (e.g., 192.168.1.0/24), or a range of IP addresses (e.g., 192.168.1.1-192.168.1.254).

DESCRIPTION

The arp-scan command is a network exploration tool that uses the Address Resolution Protocol (ARP) to discover and identify hosts on a local network. Unlike tools that rely on IP addresses, arp-scan operates at the data link layer (layer 2 of the OSI model), sending ARP requests to a range of IP addresses and logging the ARP replies. This allows it to identify devices even if they don't have assigned IP addresses or if their IP addresses are misconfigured. It's particularly useful for identifying rogue devices, troubleshooting network connectivity issues, and performing network inventory. arp-scan can be customized to specify the interface to use, the range of IP addresses to scan, the number of ARP requests to send, and more. Its versatility makes it a valuable tool for network administrators and security professionals.

Unlike ping sweeps, which operate at Layer 3, arp-scan works at Layer 2, allowing more accurate identification of devices on the LAN.
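To make the Layer 2 mechanism concrete, the following added example (not code from arp-scan or from this page) builds the Ethernet/ARP "who-has" request frame that a scanner emits for each probed address, decodes the "is-at" reply a host sends back, and checks that a reply actually answers the request that was sent. It only constructs and parses bytes; it never puts a frame on the wire. All MAC and IP addresses in it are constructed sample values.

```python
import struct

ETH_P_ARP = 0x0806            # EtherType for ARP
HTYPE_ETHERNET = 1            # ARP hardware type: Ethernet (10Mb)
PTYPE_IPV4 = 0x0800           # ARP protocol type: IPv4
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _arp_payload(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    # 28-byte ARP body: htype, ptype, hlen, plen, opcode, then SHA/SPA/THA/TPA
    hdr = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    return hdr + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Broadcast who-has frame: the probe a scanner sends for one target address."""
    eth = mac_bytes(BROADCAST_MAC) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    return eth + _arp_payload(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)


def build_arp_reply(responder_mac: str, responder_ip: str,
                    requester_mac: str, requester_ip: str) -> bytes:
    """Unicast is-at frame: what a live host sends back to the prober."""
    eth = mac_bytes(requester_mac) + mac_bytes(responder_mac) + struct.pack("!H", ETH_P_ARP)
    return eth + _arp_payload(ARP_REPLY, responder_mac, responder_ip, requester_mac, requester_ip)


def parse_arp(frame: bytes):
    """Decode an Ethernet/ARP frame; return None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        return None
    dst, src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    return {
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(op, op),
        "eth_dst": mac_str(dst), "eth_src": mac_str(src),
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


def reply_matches_request(request: dict, reply: dict) -> bool:
    """A reply counts for a probe only if it is an is-at for the IP we asked about,
    addressed back to our own IP; anything else is noise or a stray/forged reply."""
    return (reply["op"] == "reply"
            and reply["sender_ip"] == request["target_ip"]
            and reply["target_ip"] == request["sender_ip"])


if __name__ == "__main__":
    # Constructed sample addresses (not real hosts)
    req = build_arp_request("02:00:00:00:00:01", "192.168.1.10", "192.168.1.20")
    rep = build_arp_reply("02:00:00:00:00:bb", "192.168.1.20", "02:00:00:00:00:01", "192.168.1.10")
    print(len(req), "byte request:", parse_arp(req))
    print("reply answers request:", reply_matches_request(parse_arp(req), parse_arp(rep)))
```

The request carries the sender's own MAC and IP, an all-zero target MAC, and the IP being probed; the 42-byte frame is the minimum Ethernet payload before padding. The matching rule in `reply_matches_request` is the same filter a scanner needs so that unrelated ARP traffic on the segment (or a reply for an address it never probed) is not counted as a discovered host.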

CAVEATS

arp-scan requires root privileges (or CAP_NET_RAW capability) to send and receive raw Ethernet frames. On some systems, firewalls or network configurations may block ARP requests, leading to incomplete or inaccurate results. The accuracy of vendor name lookups depends on the completeness and accuracy of the /etc/ethers file or the specified vendor database file. Heavy scanning of a network can generate a significant amount of traffic, potentially impacting network performance.

EXAMPLES

Basic Scan: arp-scan -l scans all interfaces on the LAN.
Specific Interface: arp-scan -I eth0 192.168.1.0/24 scans the 192.168.1.0/24 network using the eth0 interface.
IP Range: arp-scan 192.168.1.1-192.168.1.100 scans the IP address range from 192.168.1.1 to 192.168.1.100.
Writing Output to a File: arp-scan -l -o results.txt scans the local network and saves the output to the results.txt file.
Using a custom Sender IP: arp-scan -l -S 192.168.1.254 192.168.1.1/24 scans the local network and sets the sender IP address to 192.168.1.254.
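The examples above produce the three-column (IP, MAC, vendor) listing that arp-scan prints, which is what a network-inventory or rogue-device check consumes. The following added example, not code from arp-scan or this page, parses a constructed sample of that output, compares the MACs seen against an allow-list of expected devices, and reports two things a defender cares about: MACs that are not in the inventory, and IPs that answered from more than one MAC (arp-scan marks repeated answers for an IP with a "(DUP: n)" suffix on the vendor column, which is how an address conflict or a second device claiming the same IP shows up). The sample output and the inventory are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `arp-scan -l` output (not a real capture); data rows are tab-separated.
SAMPLE_OUTPUT = """\
Interface: eth0, type: EN10MB, MAC: 02:00:00:00:00:01, IPv4: 192.168.1.10
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1\t02:00:00:00:00:aa\tExample Router Vendor
192.168.1.20\t02:00:00:00:00:bb\tExample NAS Vendor
192.168.1.20\t02:00:00:00:00:cc\tUnknown (DUP: 2)
192.168.1.77\t02:00:00:00:00:dd\t(Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.95 seconds (131.28 hosts/sec). 4 responded
"""

# Constructed inventory: the MAC addresses expected on this segment, with a label for each.
KNOWN_MACS = {
    "02:00:00:00:00:aa": "gateway",
    "02:00:00:00:00:bb": "nas-01",
}

# One result row: IPv4 address, MAC, then the vendor column (may carry a DUP marker)
ROW_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\t([0-9a-f]{2}(?::[0-9a-f]{2}){5})\t(.*)$", re.I)
DUP_RE = re.compile(r"\s*\(DUP: (\d+)\)$")


def parse_arp_scan(text: str) -> list:
    """Return one dict per result row; banner, blank and summary lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ip, mac, vendor = m.group(1), m.group(2).lower(), m.group(3)
        dup = DUP_RE.search(vendor)
        hosts.append({
            "ip": ip,
            "mac": mac,
            "vendor": vendor[:dup.start()] if dup else vendor,
            "dup_count": int(dup.group(1)) if dup else 1,
        })
    return hosts


def audit(hosts: list, known: dict) -> dict:
    """Flag MACs absent from the inventory and IPs answered by more than one MAC."""
    macs_by_ip = defaultdict(set)
    for h in hosts:
        macs_by_ip[h["ip"]].add(h["mac"])
    return {
        "unknown_macs": sorted({h["mac"] for h in hosts if h["mac"] not in known}),
        "ip_conflicts": {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1},
        "known_seen": sorted({known[h["mac"]] for h in hosts if h["mac"] in known}),
    }


if __name__ == "__main__":
    found = parse_arp_scan(SAMPLE_OUTPUT)
    report = audit(found, KNOWN_MACS)
    for h in found:
        tag = KNOWN_MACS.get(h["mac"], "UNKNOWN")
        print(f"{h['ip']:<15} {h['mac']}  {tag:<10} {h['vendor']}  x{h['dup_count']}")
    print("unknown MACs :", report["unknown_macs"])
    print("IP conflicts :", report["ip_conflicts"])
```

To run it against a real scan, replace `SAMPLE_OUTPUT` with the contents of a file written by `arp-scan -l -o results.txt` as in the example above; the parser ignores the interface banner and the closing statistics lines, so the file can be passed through unedited. Only the DUP marker is used to catch address conflicts here, so a second scan with `-g` (which suppresses duplicate replies) would hide that signal.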

SEE ALSO

ping(8), nmap(1), tcpdump(1)