LinuxCommandLibrary

netdiscover

Discover network devices using ARP requests

TLDR

Scan the IP range on the network interface for active hosts

$ netdiscover -r [172.16.6.0/23] -i [ens244]

SYNOPSIS

netdiscover [-i <device>] [-r <IP_range> | -l <file>] [-p | -s <time>] [-c] [-f] [-n] [-v]

PARAMETERS

-i <device>
    Specifies the network interface to use for scanning (e.g., eth0, wlan0).

-r <IP_range>
    Scans a target IP range in CIDR format (e.g., 192.168.1.0/24).

-l <file>
    Reads a list of IP ranges from a specified file, one per line.

-p
    Enables passive mode. netdiscover will sniff the network for ARP replies without sending any packets.

-s <time>
    Sets the sleep time in milliseconds between each ARP request in active scan mode.

-n
    Disables scanning of the local host IP address.

-c
    Activates continuous scanning, preventing netdiscover from exiting until manually stopped.

-f
    Enables fast mode, which increases the scan speed by sending multiple ARP requests concurrently.

-v
    Increases verbosity of output, showing more details about the scan process.

DESCRIPTION

netdiscover is a powerful open-source active/passive reconnaissance tool designed to scan and discover hosts on a local network. It primarily operates by sending ARP requests to specified IP ranges (active mode) or by passively sniffing network traffic for ARP replies (passive mode). This dual approach allows it to identify online hosts, their IP addresses, MAC addresses, and often their associated vendor information. It's particularly useful for network administrators to map out network devices or for penetration testers to enumerate targets during the initial phases of an engagement. Its simplicity and effectiveness make it a go-to command for quickly understanding the landscape of a given subnet.

CAVEATS

netdiscover typically requires root privileges to perform raw socket operations (ARP requests/sniffing). Active scanning can be noisy and detectable, while passive scanning effectiveness depends on the amount of network traffic visible. It is primarily a host discovery tool, not a port scanner.
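
The caveat that active scanning is noisy can be checked from the defender's side. This added example (not part of the original page or of netdiscover) flags any source that sends ARP requests for many distinct addresses in a short window. It assumes the text format printed by `tcpdump -n arp`; the function name, window and threshold are illustrative choices.

```python
import re
from collections import defaultdict, deque

# Matches ARP requests as printed by `tcpdump -n arp`, e.g.
# 12:00:00.001000 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
ARP_REQUEST = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) ARP, Request who-has (\S+)"
    r"(?: \(\S+\))? tell ([^\s,]+)"
)


def find_arp_sweeps(lines, window_s=5.0, threshold=20):
    """Return {source_ip: peak distinct targets queried within window_s}
    for each source whose peak reaches threshold (both values are assumptions)."""
    recent = defaultdict(deque)  # source -> (time, target) pairs inside the window
    peak = defaultdict(int)
    for line in lines:
        m = ARP_REQUEST.match(line.strip())
        if not m:
            continue  # ARP replies, other traffic, malformed lines
        hh, mm, ss, frac, target, source = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss) + float("0." + frac)
        window = recent[source]
        window.append((t, target))
        while t - window[0][0] > window_s:
            window.popleft()
        peak[source] = max(peak[source], len({tgt for _, tgt in window}))
    return {src: n for src, n in peak.items() if n >= threshold}


# Constructed sample capture (not real traffic):
SAMPLE_LINES = (
    # 192.168.1.50 queries .1 to .30 one millisecond apart: a sweep
    [f"12:00:00.{i * 1000:06d} ARP, Request who-has 192.168.1.{i} "
     f"tell 192.168.1.50, length 28" for i in range(1, 31)]
    # 192.168.1.20 re-resolves only its gateway once a second: normal
    + [f"12:00:{i:02d}.000000 ARP, Request who-has 192.168.1.1 "
       f"tell 192.168.1.20, length 28" for i in range(10)]
    # a reply, which the parser skips
    + ["12:00:00.500000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28"]
)

if __name__ == "__main__":
    for src, n in find_arp_sweeps(SAMPLE_LINES).items():
        print(f"possible ARP sweep: {src} queried {n} addresses within 5 s")
```

A scan slowed with -s spreads its requests out, so the window has to be sized for the slowest sweep you want to catch.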

USAGE EXAMPLE: ACTIVE SCAN

To perform an active scan on a specific subnet (e.g., 192.168.1.0/24) using the eth0 interface:

$ sudo netdiscover -i eth0 -r 192.168.1.0/24

USAGE EXAMPLE: PASSIVE SCAN

To passively sniff for hosts on the wlan0 interface, without sending any packets:

$ sudo netdiscover -p -i wlan0

ETHICAL CONSIDERATIONS

Using netdiscover for unauthorized network scanning can be considered a hostile or intrusive act. Always ensure you have explicit permission from the network owner or administrator before scanning any network you do not own or manage.

HISTORY

netdiscover has been a staple in network analysis and penetration testing distributions like Kali Linux for many years. Its development has focused on providing a simple, quick, and effective method for initial network reconnaissance by combining both active (ARP requests) and passive (ARP sniffing) host discovery techniques. It remains a fundamental tool for understanding the live hosts on a local network.

SEE ALSO

nmap(1), arp-scan(1), ping(8), ip(8)
