LinuxCommandLibrary

netdiscover

Discover network devices using ARP requests

TLDR

Scan the IP range on the network interface for active hosts

$ netdiscover -r [172.16.6.0/23] -i [ens244]

SYNOPSIS

netdiscover [-i device] [-r range | -l filename] [-p] [-s time] [-n node] [-f] [-d] [-S] [-P] [-c]

PARAMETERS

-i device
    Interface to listen on.

-r range
    Scan the given range instead of autodiscovering.

-l filename
    Scan the given list of ranges/hosts from a file.

-p
    Passive mode. Do not send anything, just sniff.

-s time
    Sleep time between each ARP request (seconds).

-n node
    Last octet number for scan range (2-254). Default: 254.

-f
    Enable fast mode. Send ARP requests non-stop (useful for small networks).

-d
    Ignore configuration file.

-S
    Enable sleep time suppression on packet detection.

-P
    Print results suitable for parsing.

-c
    Show configuration.

DESCRIPTION

netdiscover is a network exploration tool, primarily using ARP (Address Resolution Protocol) requests to discover hosts on a local network. It can be used in both active and passive modes. In active mode, it sends ARP requests to elicit responses from devices. In passive mode, it listens to ARP traffic, which can be useful in environments where sending packets is undesirable or detectable. It's commonly employed for identifying devices, their IP addresses, and their MAC addresses on a network.

netdiscover is useful for auditing network security and is often used by penetration testers. The tool can be particularly useful for finding rogue DHCP servers and locating wireless access points, which may not be immediately apparent on a network. It displays the discovered information, including IP addresses, MAC addresses, vendor details (based on MAC address), and hostnames (if available via reverse DNS lookup).

CAVEATS

ARP scanning is easily detected by intrusion detection systems (IDS) and may trigger security alerts. Passive mode depends on existing network traffic: if there is no relevant ARP traffic, no information can be gathered. netdiscover requires root privileges to capture network traffic.

ARP EXPLAINED

ARP (Address Resolution Protocol) is a protocol used to map an IP network address (a logical address) to a MAC hardware address (a physical address). netdiscover relies heavily on ARP. ARP spoofing/poisoning attacks can potentially disrupt the results provided by netdiscover.
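
Both points above, that an ARP sweep is visible to monitoring and that conflicting ARP answers distort discovery results, can be checked from captured ARP traffic. The following is an added example, not part of netdiscover or of the original page: it parses Ethernet/IPv4 ARP payloads and reports senders that request many distinct targets within a short window, and IP addresses claimed by more than one MAC. The function names, the 5-second window, the threshold of 20 and the sample frames are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet/IPv4 (28 bytes)

def build_arp(oper, sha, spa, tpa, tha="00:00:00:00:00:00"):
    """Pack a constructed ARP payload (oper 1 = request, 2 = reply)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    dotted = lambda b: ".".join(str(x) for x in b)
    return oper, sha.hex(":"), dotted(spa), dotted(tpa)

def analyze(events, window=5.0, threshold=20):
    """events: time-sorted (timestamp, arp_payload) pairs. Returns (sweepers, conflicts)."""
    recent = defaultdict(list)  # sender MAC -> [(ts, target_ip)] still inside the window
    owners = defaultdict(set)   # sender IP  -> MACs that have claimed it
    sweepers = set()
    for ts, payload in events:
        parsed = parse_arp(payload)
        if parsed is None:
            continue
        oper, mac, spa, tpa = parsed
        if spa != "0.0.0.0":    # address probes carry no sender IP
            owners[spa].add(mac)
        if oper == 1:           # request: track how many distinct targets this MAC asks for
            recent[mac] = [(t, ip) for t, ip in recent[mac] if ts - t <= window] + [(ts, tpa)]
            if len({ip for _, ip in recent[mac]}) >= threshold:
                sweepers.add(mac)
    conflicts = {ip: macs for ip, macs in owners.items() if len(macs) > 1}
    return sweepers, conflicts

# Constructed sample: one host requesting 172.16.6.1-30, then two MACs answering for 172.16.6.1.
SAMPLE = [(i * 0.01, build_arp(1, "02:00:00:00:00:aa", "172.16.6.200", f"172.16.6.{i}")) for i in range(1, 31)]
SAMPLE += [(1.0, build_arp(2, "02:00:00:00:00:01", "172.16.6.1", "172.16.6.200")),
           (1.5, build_arp(2, "02:00:00:00:00:bb", "172.16.6.1", "172.16.6.200"))]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Both outputs are indicators to investigate rather than proof: a legitimate address move such as failover or a DHCP reassignment also appears as a conflict.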

HISTORY

netdiscover was developed as a tool for network discovery and reconnaissance. It is available on Linux and is commonly used by network administrators and security professionals to map network devices through ARP requests and passive traffic analysis. Its focus on ARP makes it a lightweight yet powerful tool for initial network assessment.

SEE ALSO

arp(8), tcpdump(1), nmap(1)
