arping

Ping a host by ARP request packets

$ arping [host_ip]

$ arping -I [interface] [host_ip]

$ arping -f [host_ip]

$ arping -c [count] [host_ip]

$ arping -U [ip_to_broadcast]

$ arping -D -w [3] [ip_to_check]

arping [-0aAbBdDfgNqQRrUv] [-c count] [-i interface] [-I IP_address] [-s source_IP_address] [-t timeout] destination

destination
    The IP address or MAC address to target for ARP requests.

-c count
    Stop after sending count ARP requests.

-i interface
    Specify the network interface to use for sending packets (e.g., eth0).

-I IP_address
    Set the source IP address for ARP requests. Useful for duplicate IP address detection or spoofing.

-s source_IP_address
    Similar to -I. Specify the source IP address to use.

-t timeout
    Specify a timeout in seconds. The command will exit after this duration.

-q
    Quiet output. Display only summary information.

-U
    Unsolicited ARP mode (Gratuitous ARP). Send an ARP probe to check for duplicate IP addresses or to update ARP caches on other devices.

-D
    Duplicate Address Detection (DAD) mode. Check if the destination IP address is already in use on the network.

-b
    Broadcast mode. Send ARP requests to the broadcast MAC address (FF:FF:FF:FF:FF:FF) rather than the unicast MAC address (if known).

-A
    ARP answer mode. Listen for ARP requests and reply to them. Can be used for testing or to impersonate a host.

arping is a utility for sending ARP (Address Resolution Protocol) requests to hosts on a local network segment. Unlike ping which uses ICMP at Layer 3, arping operates at Layer 2, making it useful for discovering devices directly connected to the local broadcast domain.

It can be used to determine if a specific IP address is in use, resolve an IP to a MAC address, or detect duplicate IP addresses on a network. Since ARP requests are broadcast, arping can find hosts even if they are configured to block ICMP echo requests. It's often employed for network troubleshooting, security auditing, and quickly mapping IP addresses to their corresponding MAC addresses without relying on a routing table. Due to its low-level operation, arping typically requires root privileges.

arping typically requires root or sudo privileges to send and receive raw ARP packets.
It operates at Layer 2 (Data Link Layer) and thus can only communicate within the local broadcast domain. It cannot traverse routers.
Some network security devices or firewalls might rate-limit or drop ARP requests, impacting its effectiveness.

The -D option is specifically designed for Duplicate Address Detection. When used with an IP address (e.g., arping -D 192.168.1.100), it sends ARP probes to verify if that IP address is already active on the local network, helping to prevent IP conflicts before assigning an address.

The -U option allows sending Gratuitous ARP packets. These packets are not responses to a request but are sent proactively by a device to announce its IP-to-MAC mapping to all devices on the network. This is useful for updating ARP caches on switches and hosts when an IP address changes, during failover events, or when a device first comes online.

The arping utility has been a staple on Linux systems for many years, often included as part of the iproute2 suite or available as a standalone tool. Its core functionality for low-level network discovery and troubleshooting using the ARP protocol has remained consistent, serving as a fundamental tool for network administrators and security professionals.

ping(8), arp(8), ip(8), nmap(1)