LinuxCommandLibrary

arp-scan

Discover hosts on a local network

TLDR

Scan the current local network

$ arp-scan [[-l|--localnet]]

Scan an IP network with a custom bitmask
$ arp-scan [192.168.1.1]/[24]

Scan an IP network within a custom range
$ arp-scan [127.0.0.0]-[127.0.0.31]

Scan an IP network with a custom net mask
$ arp-scan [10.0.0.0]:[255.255.255.0]

SYNOPSIS

arp-scan [options] [hosts...]

Common usage examples:
arp-scan -I <interface> --localnet
arp-scan --interface=<interface> <IP_range>
arp-scan -f <filename>

PARAMETERS

-I <interface> or --interface=<interface>
    Specify the network interface to use for scanning, e.g., eth0 or wlan0.

-l or --localnet
    Scan all hosts on the local network subnet, derived from the interface IP address and netmask.

-r <count> or --retry=<count>
    Set the number of times to re-send each ARP request to improve reliability.

-t <milliseconds> or --timeout=<milliseconds>
    Define the timeout in milliseconds for each ARP request before considering it failed.

-N or --numeric
    Do not display vendor names for MAC addresses; show only the numeric MAC address.

-v or --verbose
    Increase verbosity, showing progress and additional information during the scan.

-q or --quiet
    Suppress non-essential output, showing only discovered IP and MAC addresses.

-f <filename> or --file=<filename>
    Read a list of hosts or netmasks to scan from the specified file.

-P or --plain
    Output results in a plain format without header, footer, or summary lines.

-S <hardware_address> or --srcaddr=<hardware_address>
    Specify the source hardware (MAC) address to use for outgoing ARP requests.

-s <ip_address> or --srcip=<ip_address>
    Set the source IP address for outgoing ARP requests.

DESCRIPTION

The arp-scan command is a powerful and efficient tool used for discovering active devices on a local Ethernet or Wi-Fi network segment. Unlike traditional network scanners that operate at Layer 3 (IP), arp-scan works directly at Layer 2 (data link layer) by sending ARP (Address Resolution Protocol) requests.

This allows it to identify hosts even if they are configured to block ICMP (ping) requests, or if they haven't fully initialized their IP stack. It maps IP addresses to MAC addresses, often including vendor identification if a MAC address vendor database is available. Its direct interaction with the network interface makes it highly effective for network inventory, security auditing, and troubleshooting.

arp-scan requires root privileges due to its use of raw sockets for crafting and sending ARP packets. It is particularly useful for quickly enumerating all devices on a broadcast domain, such as identifying rogue devices or ensuring all expected devices are online.

CAVEATS

Root Privileges Required: arp-scan needs root or sudo privileges to access raw sockets for crafting and sending ARP packets.

Local Segment Only: It operates at Layer 2, meaning it can only discover devices within the same broadcast domain (local network segment). It cannot scan across routers.

Security Software Detection: Due to its nature of sending numerous ARP requests, arp-scan can be detected by Intrusion Detection Systems (IDS) or network monitoring tools as suspicious activity, potentially flagging it as an ARP flood.

Non-Responding Devices: Devices that do not respond to ARP requests (e.g., some firewalls, devices in sleep mode, or those configured for specific network modes) will not be detected.

KEY USAGE SCENARIOS

arp-scan is invaluable for:
Network Inventory: Quickly identifying all active devices on a local network segment.
Security Auditing: Detecting unauthorized or rogue devices connected to the network.
Troubleshooting: Pinpointing devices that might not respond to higher-level protocols like ICMP but are physically present and online.
MAC-to-IP Mapping: Building a comprehensive map of MAC addresses and their corresponding IP addresses within a subnet.

UNDERSTANDING OUTPUT

The default output of arp-scan typically provides three columns per discovered host: the IP address, the MAC address, and the vendor name derived from the MAC address's OUI (Organizationally Unique Identifier). For example: 192.168.1.1 00:11:22:33:44:55 (Router Vendor).
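The security-auditing scenario above and the three-column output format both come down to parsing that output and comparing it with what you expect on the segment. The following is an added example, not code from arp-scan or the LinuxCommandLibrary page: it parses constructed arp-scan output (banner and summary lines included, as printed without -P) and reports MAC addresses missing from a hypothetical inventory, plus any IP answered by more than one MAC.

```python
import re
from collections import defaultdict

# Matches arp-scan's default per-host line: <IPv4><TAB><MAC><TAB><vendor>
HOST_LINE = re.compile(
    r"^(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*(?P<vendor>.*)$",
    re.IGNORECASE)

# Constructed sample of arp-scan output, banner and summary lines included
# (as printed without -P/--plain); not captured from a real network.
SAMPLE_OUTPUT = """\
Interface: eth0, type: EN10MB, MAC: 00:0c:29:aa:bb:cc, IPv4: 192.168.1.10
Starting arp-scan 1.9.7 with 256 hosts
192.168.1.1\t00:11:22:33:44:55\tRouter Vendor
192.168.1.20\t00:11:22:33:44:66\tPrinter Vendor
192.168.1.30\taa:bb:cc:dd:ee:ff\t(Unknown)
192.168.1.1\taa:bb:cc:dd:ee:01\tSome Vendor

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.9 seconds (134.74 hosts/sec). 4 responded
"""

# Hypothetical inventory of authorised MAC addresses (lower-case) -> asset name.
INVENTORY = {"00:11:22:33:44:55": "gateway", "00:11:22:33:44:66": "office-printer"}

def parse_arp_scan(text):
    """Return [(ip, mac, vendor)] for each host line; banner/summary lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            hosts.append((m["ip"], m["mac"].lower(), m["vendor"].strip()))
    return hosts

def audit(hosts, inventory):
    """Flag MACs absent from the inventory and IPs answered by more than one MAC."""
    unknown = [(ip, mac, vendor) for ip, mac, vendor in hosts if mac not in inventory]
    by_ip = defaultdict(set)
    for ip, mac, _ in hosts:
        by_ip[ip].add(mac)
    conflicts = {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1}
    return unknown, conflicts

if __name__ == "__main__":
    unknown, conflicts = audit(parse_arp_scan(SAMPLE_OUTPUT), INVENTORY)
    for ip, mac, vendor in unknown:
        print(f"unknown device {mac} ({vendor or 'no vendor'}) at {ip}")
    for ip, macs in conflicts.items():
        print(f"{ip} answered from several MACs: {', '.join(macs)}")
```

To run it against a live segment, replace SAMPLE_OUTPUT with the captured stdout of `arp-scan -l` on the interface you administer; the same parser works on `-P` output, which simply has no banner or summary lines to skip.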

HISTORY

arp-scan was originally developed by Roy Hills and first released in 2002. It quickly gained popularity in the cybersecurity and network administration communities due to its unique ability to discover hosts directly at the data link layer, bypassing many common Layer 3 defenses. Its development has focused on speed and efficiency for large-scale local network scans, making it a staple tool in network auditing, penetration testing, and basic network troubleshooting scenarios.

SEE ALSO

nmap(1): A comprehensive network scanner for host discovery, port scanning, and OS detection across various protocols.
ip(8): A versatile command-line utility for configuring and displaying network interfaces, routing tables, and the ARP cache.
arp(8): Used to view, add, or delete entries in the system's ARP cache.
ping(8): A basic network utility to test connectivity to a host using ICMP echo requests.
netstat(8): Displays network connections, routing tables, interface statistics, and multicast memberships.
