LinuxCommandLibrary

arp-scan

Discover hosts on a local network

TLDR

Scan the current local network

$ arp-scan [[-l|--localnet]]

Scan an IP network with a custom bitmask

$ arp-scan [192.168.1.1]/[24]

Scan an IP network within a custom range

$ arp-scan [127.0.0.0]-[127.0.0.31]

Scan an IP network with a custom net mask

$ arp-scan [10.0.0.0]:[255.255.255.0]

SYNOPSIS

arp-scan [options] [host-list]

PARAMETERS

-h, --help
    Display summary of options

--version
    Print version information

-v, --verbose
    Increase verbosity level

-q, --quiet
    Suppress warning messages

-l, --localnet
    Scan local subnet using interface info

-I if, --interface=if
    Specify network interface

-e hwaddr, --lladdr=hwaddr
    Set source MAC address

-i ipaddr, --ipaddr=ipaddr
    Set source IP address

-R num, --retry=num
    Set number of retries (default 3)

-T ms, --timeout=ms
    Set ARP reply timeout in ms (default 500)

-t usecs, --interval=usecs
    Set inter-packet interval in microseconds

--bandwidth=bps
    Set bandwidth limit in bits/sec

-M num, --maxhosts=num
    Set max concurrent batch size

-f file, --file=file
    Read targets from host list file

-r file, --range=file
    Read networks from range file

--random
    Randomise host scan order

-s string, --separator=string
    Set output field separator

--vendor
    Display MAC vendor from database

-n
    Do not resolve IP to hostname

-D
    Do not attempt DNS lookups

-z
    Zero-pad MAC addresses

-x
    Display MAC addresses in hex format

--arptimeout=ms
    Set initial ARP request timeout

--backoff=num
    Set backoff factor for retries

DESCRIPTION

arp-scan is a fast, lightweight utility for discovering hosts on a local area network (LAN) by sending ARP (Address Resolution Protocol) Request packets. Unlike ICMP-based tools like ping, which can be blocked by firewalls, ARP operates at Layer 2 and thus works reliably on local networks where hosts are directly reachable.

It scans specified IP addresses or networks, listens for ARP Reply packets, and outputs the responding hosts' IP and MAC addresses. This makes it ideal for network inventory, security audits, and detecting unauthorized devices ('rogue' hosts).

Key advantages include speed (thanks to optimized packet timing), low bandwidth usage, and the ability to decode MAC vendor information using an included database. It requires root privileges to send raw packets and is limited to local subnets (broadcast domains), as ARP does not cross routers.

Output includes IP, MAC, and optionally vendor/device details. It's cross-platform but optimized for Linux/Unix. Widely used in pentesting and admin tasks, often as a quicker alternative to nmap's ARP scan.

CAVEATS

Requires root privileges for raw socket access.
Must run on local network (ARP doesn't cross routers).
High scan rates may flood network or trigger IDS.
Vendor DB needs periodic updates via ieee-data package.

EXAMPLE USAGE

arp-scan -l : Scan local network.
arp-scan 192.168.1.0/24 : Scan subnet.
arp-scan -I eth0 --localnet : Interface-specific local scan.
arp-scan --file=targets.txt --vendor : Scan list with vendors.

OUTPUT FORMAT

Default: 192.168.1.1 00:11:22:33:44:55 hostname (vendor)
Compact, tab-separated for parsing.
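The rogue-host check that the DESCRIPTION mentions, built on the tab-separated output layout above, as an added example that is not part of this page or of arp-scan itself: it parses the IP/MAC/description rows (skipping the header and footer lines arp-scan prints around them), compares them with an inventory of expected MAC-to-IP assignments, and reports MACs not in the inventory, known MACs answering from an unexpected IP, and IPs answered by more than one MAC. The scan output and the inventory are constructed sample data, not a real capture.

```python
import re

# Constructed sample of arp-scan output (not captured from a real network): result
# rows are IP<TAB>MAC<TAB>description; the header and footer lines are skipped.
SAMPLE_OUTPUT = """\
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1\t00:11:22:33:44:55\tExample Router Vendor
192.168.1.20\taa:bb:cc:dd:ee:01\tExample Printer Vendor
192.168.1.20\taa:bb:cc:dd:ee:02\t(Unknown)
192.168.1.77\tde:ad:be:ef:00:01\t(Unknown)
192.168.1.30\taa:bb:cc:dd:ee:03\tExample NAS Vendor (DUP: 2)
Ending arp-scan 1.10.0: 256 hosts scanned in 2.1 seconds (121.9 hosts/sec). 5 responded
"""

# Constructed inventory (hypothetical values): expected MAC -> expected IP.
INVENTORY = {
    "00:11:22:33:44:55": "192.168.1.1",
    "aa:bb:cc:dd:ee:01": "192.168.1.20",
    "aa:bb:cc:dd:ee:03": "192.168.1.31",
}

# One result row: dotted-quad IP, tab, colon-separated MAC, optional tab + description.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\t([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\t?(.*)$")


def parse_arp_scan(text):
    """Return [(ip, mac, description)] for each result row, ignoring other lines."""
    hosts = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, mac, desc = m.groups()
            hosts.append((ip, mac.lower(), desc.strip()))
    return hosts


def audit(hosts, inventory):
    """Compare scan results with the inventory and return findings by category."""
    findings = {"unknown": [], "moved": [], "conflicts": []}
    macs_by_ip = {}
    for ip, mac, _ in hosts:
        macs_by_ip.setdefault(ip, set()).add(mac)
        expected_ip = inventory.get(mac)
        if expected_ip is None:
            findings["unknown"].append((ip, mac))  # device not in inventory
        elif expected_ip != ip:
            findings["moved"].append((mac, expected_ip, ip))  # known MAC, unexpected IP
    # One IP answered by several different MACs: misconfiguration or address spoofing.
    findings["conflicts"] = [(ip, sorted(macs))
                             for ip, macs in sorted(macs_by_ip.items()) if len(macs) > 1]
    return findings
```

To run it against a real scan, save the output of `arp-scan -l` to a file and pass its contents to `parse_arp_scan`, then hand the result and your own inventory to `audit`.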

HISTORY

Developed by Roy Hills starting in 2001 as a faster alternative to existing ARP scanners. First public release around 2006 under GPLv2. Actively maintained; version 1.10.0 in 2023 added IPv6 support and improved performance. Popular in Linux distros since Ubuntu 6.06.

SEE ALSO

nmap(1), arp(8), netdiscover(1), ettercap(8), ip(8)
