ARP-SCAN(1)                    General Commands Manual                    ARP-SCAN(1)
arp-scan - The ARP scanner
arp-scan [options] [hosts...]
Target hosts must be specified on the command line unless the --file option is given, in which case the targets are read from the specified file instead, or the --localnet option is used, in which case the targets are generated from the network interface IP address and netmask.
You will need to be root, or arp-scan must be SUID root, in order to run arp-scan, because the functions that it uses to read and write packets require root privilege.
The target hosts can be specified as IP addresses or hostnames. You can also specify the target as IPnetwork/bits (e.g. 192.168.1.0/24) to specify all hosts in the given network (network and broadcast addresses included), IPstart-IPend (e.g. 192.168.1.3-192.168.1.27) to specify all hosts in the inclusive range, or IPnetwork:NetMask (e.g. 192.168.1.0:255.255.255.0) to specify all hosts in the given network and mask.
arp-scan sends ARP packets to hosts on the local network and displays any responses that are received. The network interface to use can be specified with the --interface option. If this option is not present, arp-scan will search the system interface list for the lowest numbered, configured up interface (excluding loopback). By default, the ARP packets are sent to the Ethernet broadcast address, ff:ff:ff:ff:ff:ff, but that can be changed with the --destaddr option.
The target hosts to scan may be specified in one of three ways: by specifying the targets on the command line; by specifying a file containing the targets with the --file option; or by specifying the --localnet option which causes all possible hosts on the network attached to the interface (as defined by the interface address and mask) to be scanned. For hosts specified on the command line, or with the --file option, you can use either IP addresses or hostnames. You can also use network specifications IPnetwork/bits, IPstart-IPend, or IPnetwork:NetMask.
The list of target hosts is stored in memory. Each host in this list uses 28 bytes of memory, so scanning a Class-B network (65,536 hosts) requires about 1.75MB of memory for the list, and scanning a Class-A (16,777,216 hosts) requires about 448MB.
arp-scan supports Ethernet and 802.11 wireless networks. It could also support token ring and FDDI, but they have not been tested. It does not support serial links such as PPP or SLIP, because ARP is not supported on them.
The ARP protocol is a layer-2 (datalink layer) protocol that is used to determine a host's layer-2 address given its layer-3 (network layer) address. ARP was designed to work with any layer-2 and layer-3 address format, but the most common use is to map IP addresses to Ethernet hardware addresses, and this is what arp-scan supports. ARP only operates on the local network, and cannot be routed. Although the ARP protocol makes use of IP addresses, it is not an IP-based protocol and arp-scan can be used on an interface that is not configured for IP.
ARP is only used by IPv4 hosts. IPv6 uses NDP (neighbour discovery protocol) instead, which is a different protocol and is not supported by arp-scan.
One ARP packet is sent for each target host, with the target protocol address (the ar$tpa field) set to the IP address of that host. If a host does not respond, the ARP packet is re-sent once more. The maximum number of retries can be changed with the --retry option. Reducing the number of retries will reduce the scanning time at the possible risk of missing some results due to packet loss.
You can specify the bandwidth that arp-scan will use for the outgoing ARP packets with the --bandwidth option. By default, it uses a bandwidth of 256000 bits per second. Increasing the bandwidth will reduce the scanning time, but setting the bandwidth too high may result in an ARP storm which can disrupt network operation. Also, setting the bandwidth too high can send packets faster than the network interface can transmit them, which will eventually fill the kernel's transmit buffer resulting in the error message: No buffer space available. Another way to specify the outgoing ARP packet rate is with the --interval option, which is an alternative way to modify the same underlying parameter.
The time taken to perform a single-pass scan (i.e. with --retry=1) is given by:
time = n*i + t + o
Where n is the number of hosts in the list, i is the time interval between packets (specified with --interval, or calculated from --bandwidth), t is the timeout value (specified with --timeout) and o is the overhead time taken to load the targets into the list and read the MAC/Vendor mapping files. For small lists of hosts, the timeout value will dominate, but for large lists the packet interval is the most important value.
With 65,536 hosts, the default bandwidth of 256,000 bits/second (which results in a packet interval of 2ms), the default timeout of 500ms, a single pass (--retry=1), and assuming an overhead of 1 second, the scan would take 65536*0.002 + 0.5 + 1 = 132.57 seconds, or about 2 minutes 13 seconds.
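The target-specification forms described above (IPnetwork/bits, IPstart-IPend, IPnetwork:NetMask), the 28-bytes-per-host list cost, and the single-pass timing formula can be checked with the following Python. It is an added example, not part of arp-scan: it does not resolve hostnames, and it reproduces the 2ms interval by assuming one minimum-size 64-byte (512-bit) Ethernet frame per ARP request, which is an assumption rather than arp-scan's own calculation.

```python
import ipaddress

BYTES_PER_HOST = 28      # per-entry list cost quoted in the man page
FRAME_BITS = 64 * 8      # assumption: one minimum-size Ethernet frame per ARP request


def expand_target(spec):
    """Expand one arp-scan target spec (no hostname resolution) into IPv4 addresses.

    Handles a single address, IPnetwork/bits, IPstart-IPend and IPnetwork:NetMask.
    The network and broadcast addresses are included, as the man page states.
    """
    if "-" in spec:
        start, end = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        if end < start:
            raise ValueError("range end precedes start: " + spec)
        return [str(ipaddress.IPv4Address(a)) for a in range(int(start), int(end) + 1)]
    if ":" in spec:
        # 192.168.1.0:255.255.255.0 -> 192.168.1.0/255.255.255.0, which ipaddress accepts
        spec = spec.replace(":", "/", 1)
    if "/" in spec:
        return [str(a) for a in ipaddress.IPv4Network(spec, strict=False)]
    return [str(ipaddress.IPv4Address(spec))]


def expand_targets(specs):
    """Flatten several specs (command line or --file contents) into one target list."""
    return [ip for spec in specs for ip in expand_target(spec)]


def list_memory_bytes(n_hosts):
    """Memory needed for the in-memory target list: 28 bytes per host."""
    return n_hosts * BYTES_PER_HOST


def packet_interval(bandwidth_bps):
    """Seconds between outgoing packets for --bandwidth; 256000 bit/s gives 2 ms."""
    return FRAME_BITS / bandwidth_bps


def scan_time(n_hosts, bandwidth_bps=256000, timeout=0.5, overhead=1.0):
    """Single-pass (--retry=1) estimate from the man page: time = n*i + t + o."""
    return n_hosts * packet_interval(bandwidth_bps) + timeout + overhead


if __name__ == "__main__":
    hosts = expand_targets(["192.168.1.0/24", "192.168.1.3-192.168.1.27", "10.0.84.176:255.255.255.248"])
    print(len(hosts), "targets need", list_memory_bytes(len(hosts)), "bytes of list memory")
    print("Class B single-pass scan estimate: %.2f s" % scan_time(65536))
```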
Any part of the outgoing ARP packet may be modified through the use of the various --arpXXX options. The use of some of these options may make the outgoing ARP packet non RFC compliant. Different operating systems handle the various non standard ARP packets in different ways, and this may be used to fingerprint these systems. See arp-fingerprint(1) for information about a script which uses these options to fingerprint the target operating system.
The table below summarises the options that change the outgoing ARP packet. In this table, the Field column gives the ARP packet field name from RFC 826, Bits specifies the number of bits in the field, Option shows the arp-scan option to modify this field, and Notes gives the default value and any other notes.
Outgoing ARP Packet Options
Field | Bits | Option | Notes
ar$hrd | 16 | --arphrd | Default is 1 (ARPHRD_ETHER)
ar$pro | 16 | --arppro | Default is 0x0800
ar$hln | 8 | --arphln | Default is 6 (ETH_ALEN)
ar$pln | 8 | --arppln | Default is 4 (IPv4)
ar$op | 16 | --arpop | Default is 1 (ARPOP_REQUEST)
ar$sha | 48 | --arpsha | Default is interface h/w address
ar$spa | 32 | --arpspa | Default is interface IP address
ar$tha | 48 | --arptha | Default is zero (00:00:00:00:00:00)
ar$tpa | 32 | None | Set to the target host IP address
The most commonly used outgoing ARP packet option is --arpspa, which sets the source IP address in the ARP packet. This option allows the outgoing ARP packet to use a different source IP address from the outgoing interface address. With this option it is possible to use arp-scan on an interface with no IP address configured, which can be useful if you want to ensure that the testing host does not interact with the network being tested.
Warning: Setting ar$spa to the destination IP address can disrupt some operating systems, as they assume there is an IP address clash if they receive an ARP request for their own address.
It is also possible to change the values in the Ethernet frame header that precedes the ARP packet in the outgoing packets. The table below summarises the options that change values in the Ethernet frame header.
Outgoing Ethernet Frame Options
Field | Bits | Option | Notes
Dest Address | 48 | --destaddr | Default is ff:ff:ff:ff:ff:ff
Source Address | 48 | --srcaddr | Default is interface address
Protocol Type | 16 | --prototype | Default is 0x0806
The most commonly used outgoing Ethernet frame option is --destaddr, which sets the destination Ethernet address for the ARP packet. --prototype is not often used, because it will cause the packet to be interpreted as a different Ethernet protocol.
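To see the fields from the two tables as they appear on the wire, here is an added Python decoder (not arp-scan code) that splits an Ethernet frame carrying ARP into the RFC 826 fields and reports which ones differ from the defaults listed above, including the ar$spa equal to ar$tpa case from the warning. The sample frames are constructed inside the block; a monitoring point that sees such non-standard requests is seeing a fingerprinting probe rather than normal address resolution.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")      # destination, source, protocol type
ARP_FIXED = struct.Struct("!HHBBH")    # ar$hrd, ar$pro, ar$hln, ar$pln, ar$op

# Defaults from the two tables above (ar$sha, ar$spa and ar$tpa depend on interface/target).
DEFAULTS = {
    "dst": bytes.fromhex("ffffffffffff"), "prototype": 0x0806,
    "ar$hrd": 1, "ar$pro": 0x0800, "ar$hln": 6, "ar$pln": 4, "ar$op": 1,
    "ar$tha": bytes(6),
}


def parse_arp_frame(frame):
    """Split an Ethernet/ARP frame into the fields named in the man page tables.

    Address fields are sliced by the ar$hln/ar$pln values the frame declares rather
    than assumed to be 6 and 4, so non-standard lengths are decoded and then flagged.
    """
    if len(frame) < ETH_HDR.size + ARP_FIXED.size:
        raise ValueError("frame too short for Ethernet + ARP fixed header")
    dst, src, prototype = ETH_HDR.unpack_from(frame, 0)
    hrd, pro, hln, pln, op = ARP_FIXED.unpack_from(frame, ETH_HDR.size)
    off = ETH_HDR.size + ARP_FIXED.size
    if len(frame) < off + 2 * (hln + pln):
        raise ValueError("frame too short for the address lengths it declares")
    sha, spa = frame[off:off + hln], frame[off + hln:off + hln + pln]
    off += hln + pln
    tha, tpa = frame[off:off + hln], frame[off + hln:off + hln + pln]
    return {"dst": dst, "src": src, "prototype": prototype, "ar$hrd": hrd, "ar$pro": pro,
            "ar$hln": hln, "ar$pln": pln, "ar$op": op, "ar$sha": sha, "ar$spa": spa,
            "ar$tha": tha, "ar$tpa": tpa}


def nonstandard_fields(fields):
    """Names of fields differing from the defaults; a request whose ar$spa equals
    ar$tpa (the address-clash case from the warning) is reported as well."""
    odd = [name for name, want in DEFAULTS.items() if fields[name] != want]
    if fields["ar$op"] == 1 and fields["ar$spa"] == fields["ar$tpa"]:
        odd.append("ar$spa==ar$tpa")
    return odd


def build_frame(overrides=None):
    """Constructed sample: a default ARP request from 192.168.0.3 asking for 192.168.0.1."""
    f = dict(DEFAULTS)
    f.update({"src": bytes.fromhex("0002b3bb6698"), "ar$sha": bytes.fromhex("0002b3bb6698"),
              "ar$spa": bytes([192, 168, 0, 3]), "ar$tpa": bytes([192, 168, 0, 1])})
    f.update(overrides or {})
    return (ETH_HDR.pack(f["dst"], f["src"], f["prototype"])
            + ARP_FIXED.pack(f["ar$hrd"], f["ar$pro"], f["ar$hln"], f["ar$pln"], f["ar$op"])
            + f["ar$sha"] + f["ar$spa"] + f["ar$tha"] + f["ar$tpa"])
```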
Any ARP responses that are received are displayed in the following format:
<IP Address>    <Hardware Address>    <Vendor Details>
Where IP Address is the IP address of the responding target, Hardware Address is its Ethernet hardware address (also known as the MAC address) and Vendor Details is the vendor name decoded from the hardware address. The output fields are separated by a single tab character.
The responses are displayed in the order they are received, which is not always the same order as the requests were sent because some hosts may respond faster than others.
The vendor decoding uses the files ieee-oui.txt, ieee-iab.txt and mac-vendor.txt, which are supplied with arp-scan. The ieee-oui.txt and ieee-iab.txt files are generated from the OUI and IAB data on the IEEE website at http://standards-oui.ieee.org/oui/oui.txt and http://standards.ieee.org/regauth/oui/iab.txt. The Perl scripts get-oui and get-iab, which are included in the arp-scan package, can be used to update these files with the latest data from the IEEE website. The mac-vendor.txt file contains other MAC to Vendor mappings that are not covered by the IEEE OUI and IAB files, and can be used to add custom mappings.
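The tab-separated output format and the OUI-based vendor decoding described above can be exercised with the following added Python, which is not arp-scan's own code. The ieee-oui.txt layout it reads (one line per OUI: six hex digits, a tab, the vendor name, with # comment lines) is an assumption about that file, and both the OUI excerpt and the scan output are constructed samples modelled on the example run further down.

```python
import re

# Constructed excerpt in the assumed ieee-oui.txt layout: <6 hex digits><tab><vendor>.
OUI_FILE = """\
# assumed layout, constructed sample
0002B3\tIntel Corporation
00C09F\tQUANTA COMPUTER, INC.
0010DB\tJuniper Networks, Inc.
"""

# Constructed arp-scan run; the last result line uses a MAC absent from the OUI table.
SCAN_OUTPUT = """\
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.4 with 256 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
192.168.0.1\t00:c0:9f:09:b8:db\tQUANTA COMPUTER, INC.
192.168.0.3\t00:02:b3:bb:66:98\tIntel Corporation
192.168.0.153\t00:10:db:26:4d:52\tJuniper Networks, Inc.
192.168.0.200\t00:11:22:33:44:55\t(Unknown)
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan: 256 hosts scanned in 3.386 seconds (75.61 hosts/sec). 4 responded
"""

RESULT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\t([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\t(.*)$")


def load_oui(text):
    """Parse OUI lines into {"0002b3": "Intel Corporation"}, skipping blank and # lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, vendor = line.split("\t", 1)
        table[prefix.lower()] = vendor
    return table


def vendor_for(mac, oui_table):
    """Decode the vendor from the first 24 bits (the OUI) of a colon-separated MAC."""
    return oui_table.get(mac.lower().replace(":", "")[:6])


def parse_output(text):
    """Return [(ip, mac, vendor)] for the tab-separated response lines; banner and summary lines are skipped."""
    return [m.groups() for m in map(RESULT_RE.match, text.splitlines()) if m]


def responded_count(text):
    """Number from the 'N responded' summary, to cross-check against the parsed rows."""
    m = re.search(r"(\d+) responded$", text, re.M)
    return int(m.group(1)) if m else None


def unknown_vendor(results, oui_table):
    """(ip, mac) pairs whose OUI is not in the table: unregistered or locally administered MACs."""
    return [(ip, mac) for ip, mac, _ in results if vendor_for(mac, oui_table) is None]
```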
Almost all hosts that support IP will respond to arp-scan if they receive an ARP packet with the target protocol address (ar$tpa) set to their IP address. This includes firewalls and other hosts with IP filtering that drop all IP traffic from the testing system. For this reason, arp-scan is a useful tool to quickly determine all the active IP hosts on a given Ethernet network segment.
Where an option takes a value, that value is specified as a letter in angle brackets. The letter indicates the type of data that is expected:
The example below shows arp-scan being used to scan the network 192.168.0.0/24 using the network interface eth0.
$ arp-scan --interface=eth0 192.168.0.0/24
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.4 with 256 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
192.168.0.1     00:c0:9f:09:b8:db       QUANTA COMPUTER, INC.
192.168.0.3     00:02:b3:bb:66:98       Intel Corporation
192.168.0.5     00:02:a5:90:c3:e6       Compaq Computer Corporation
192.168.0.6     00:c0:9f:0b:91:d1       QUANTA COMPUTER, INC.
192.168.0.12    00:02:b3:46:0d:4c       Intel Corporation
192.168.0.13    00:02:a5:de:c2:17       Compaq Computer Corporation
192.168.0.87    00:0b:db:b2:fa:60       Dell ESG PCBA Test
192.168.0.90    00:02:b3:06:d7:9b       Intel Corporation
192.168.0.105   00:13:72:09:ad:76       Dell Inc.
192.168.0.153   00:10:db:26:4d:52       Juniper Networks, Inc.
192.168.0.191   00:01:e6:57:8b:68       Hewlett-Packard Company
192.168.0.251   00:04:27:6a:5d:a1       Cisco Systems, Inc.
192.168.0.196   00:30:c1:5e:58:7d       HEWLETT-PACKARD
13 packets received by filter, 0 packets dropped by kernel
Ending arp-scan: 256 hosts scanned in 3.386 seconds (75.61 hosts/sec). 13 responded
This next example shows arp-scan being used to scan the local network after configuring the network interface with DHCP using pump.
# pump
# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:0B:DD:C7
          inet addr:10.0.84.178  Bcast:10.0.84.183  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:46335 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1542776 errors:0 dropped:0 overruns:0 carrier:0
          collisions:1644 txqueuelen:1000
          RX bytes:6184146 (5.8 MiB)  TX bytes:348887835 (332.7 MiB)
# arp-scan --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.4 with 8 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
10.0.84.179     00:02:b3:63:c7:57       Intel Corporation
10.0.84.177     00:d0:41:08:be:e8       AMIGO TECHNOLOGY CO., LTD.
10.0.84.180     00:02:b3:bd:82:9b       Intel Corporation
10.0.84.181     00:02:b3:1f:73:da       Intel Corporation
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.4: 8 hosts scanned in 0.820 seconds (9.76 hosts/sec). 4 responded
Roy Hills <Roy.Hills@nta-monitor.com>
RFC 826 - An Ethernet Address Resolution Protocol
http://www.nta-monitor.com/wiki/ The arp-scan wiki page.
https://github.com/royhills/arp-scan The arp-scan homepage.
August 13, 2016