ARP-SCAN(1) | General Commands Manual | ARP-SCAN(1) |
arp-scan - Send ARP requests to target hosts and display responses
arp-scan [options] [hosts...]
Target hosts must be specified on the command line unless the --file or --localnet option is used.
Targets can be IPv4 addresses or hostnames. You can also use CIDR notation (10.0.0.0/24, which includes the network and broadcast addresses), ranges (10.0.0.1-10.0.0.10), and network:mask (10.0.0.0:255.255.255.0).
arp-scan sends ARP request packets to the specified hosts and displays any responses received. The network interface can be specified with the --interface option. If no interface is specified, arp-scan will pick the lowest numbered, configured up interface (excluding loopback).
arp-scan uses raw sockets, which requires privileges on some systems:
ARP only operates on the local network, and cannot be routed. Although the ARP protocol uses IPv4 addresses, it is not an IP protocol and arp-scan can be used on interfaces without an IPv4 address.
One ARP request is sent for each target. If a host does not respond, the request will be re-sent once more. The number of retries can be changed with the --retry option. Reducing the number of retries will reduce the scanning time at the risk of missing some results due to packet loss.
You can specify the bandwidth that arp-scan will use with the --bandwidth option. The default is 256000 bits per second. Increasing the bandwidth will reduce scanning time, but setting the bandwidth too high may cause a high broadcast packet rate. Another way to specify the packet rate is with the --interval option.
The time for a single-pass scan (i.e. with --retry=1) is:
Where n is the number of hosts, i is the interval (given with --interval or calculated from --bandwidth), t is the timeout (specified with --timeout) and o is the overhead time taken to load the target list and read the MAC/Vendor mapping files. The overhead is normally negligible (typically around 100ms) but can be reduced further by the --quiet option. For small lists of hosts, the timeout value will dominate, but for large lists the packet interval is the most important value.
Any part of the ARP request may be modified through the use of the --arpXXX options as shown in the table below:
ARP Request Packet Options
Field | Bits | Option | Default |
ar$hrd | 16 | --arphrd | 1 (ARPHRD_ETHER) |
ar$pro | 16 | --arppro | 0x0800 |
ar$hln | 8 | --arphln | 6 (ETH_ALEN) |
ar$pln | 8 | --arppln | 4 (IPv4) |
ar$op | 16 | --arpop | 1 (ARPOP_REQUEST) |
ar$sha | 48 | --arpsha | interface h/w address |
ar$spa | 32 | --arpspa | interface IPv4 address |
ar$tha | 48 | --arptha | 00:00:00:00:00:00 |
ar$tpa | 32 | None | target host IPv4 address |
The most common option is --arpspa, which sets the source IPv4 address in the ARP request, allowing the ARP request to use a different source address from the interface address. This allows the use of arp-scan on interfaces with no IPv4 address. Note: Setting ar$spa to the target's IP address causes some operating systems to report an address clash when they receive an ARP request for their own address.
You can also change the values in the Ethernet frame header as shown below:
Ethernet Header Options
Field | Bits | Option | Default |
Dest Address | 48 | --destaddr | ff:ff:ff:ff:ff:ff |
Source Address | 48 | --srcaddr | interface address |
Protocol Type | 16 | --prototype | 0x0806 (ARP) |
The --destaddr option, which sets the destination Ethernet address, is the only one that is commonly used.
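The two tables above, as an added example (not part of the arp-scan documentation or source): Python that packs an Ethernet + ARP request with the listed defaults, decodes it back, and reports every field that departs from those defaults, which is useful when reviewing a capture. The function names are hypothetical, the interface values are taken from the example output on this page, and nothing is sent on the wire.

```python
import socket
import struct

ETH = struct.Struct("!6s6sH")            # Dest Address, Source Address, Protocol Type
ARP = struct.Struct("!HHBBH6s4s6s4s")    # ar$hrd, pro, hln, pln, op, sha, spa, tha, tpa

def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_request(if_mac, if_ip, target_ip, arpsha=None,
                  arptha="00:00:00:00:00:00", destaddr="ff:ff:ff:ff:ff:ff"):
    """Pack an Ethernet + ARP request using the table defaults unless overridden."""
    eth = ETH.pack(mac_to_bytes(destaddr), mac_to_bytes(if_mac), 0x0806)
    arp = ARP.pack(1, 0x0800, 6, 4, 1,
                   mac_to_bytes(arpsha or if_mac), socket.inet_aton(if_ip),
                   mac_to_bytes(arptha), socket.inet_aton(target_ip))
    return eth + arp

def decode(frame):
    """Unpack a frame into the field names used in the two tables."""
    if len(frame) < ETH.size + ARP.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, proto = ETH.unpack_from(frame, 0)
    hrd, pro, hln, pln, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    return {"dest": mac_to_str(dst), "source": mac_to_str(src), "prototype": proto,
            "ar$hrd": hrd, "ar$pro": pro, "ar$hln": hln, "ar$pln": pln, "ar$op": op,
            "ar$sha": mac_to_str(sha), "ar$spa": socket.inet_ntoa(spa),
            "ar$tha": mac_to_str(tha), "ar$tpa": socket.inet_ntoa(tpa)}

def non_default(f):
    """List fields that differ from the documented defaults.
    ar$sha is compared with the Ethernet source, since both default to the interface address."""
    expected = {"dest": "ff:ff:ff:ff:ff:ff", "prototype": 0x0806, "ar$hrd": 1,
                "ar$pro": 0x0800, "ar$hln": 6, "ar$pln": 4, "ar$op": 1,
                "ar$tha": "00:00:00:00:00:00", "ar$sha": f["source"]}
    return [name for name, want in expected.items() if f[name] != want]

# Constructed samples: interface MAC/IP and target come from the page's example output.
FRAME = build_request("50:65:f3:f0:6d:7c", "10.0.0.106", "10.0.0.14")
ODD = build_request("50:65:f3:f0:6d:7c", "10.0.0.106", "10.0.0.14",
                    arpsha="02:00:00:00:00:01")  # constructed locally administered MAC

if __name__ == "__main__":
    print(len(FRAME), decode(FRAME)["ar$tpa"], non_default(decode(FRAME)))
    print(non_default(decode(ODD)))
```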
By default, ARP responses are displayed in the following format:
<IPv4 Address> | <MAC Address> | <Vendor Details> |
Where IPv4 Address is the IP address of the responding target, MAC Address is its link-layer address and Vendor Details are the vendor details decoded from the hardware address. The output fields are separated by a single tab character. You can change the output format with the --format option.
The responses are displayed in the order they are received, which can be different from the order the requests were sent because some hosts may respond quicker than others.
The vendor decoding uses the files ieee-oui.txt and mac-vendor.txt. ieee-oui.txt is generated from the IEEE MA-L (OUI), MA-M, MA-S (OUI36) and IAB registries. mac-vendor.txt contains additional MAC to Vendor mappings, and can be used to add custom mappings. get-oui can be used to update ieee-oui.txt with the latest data from the IEEE registries.
All IPv4 hosts should respond to ARP request packets, including hosts with packet filtering such as firewalls. This makes arp-scan a useful tool to discover all active IPv4 hosts on the local network.
Where an option takes a value, that value is specified as a letter in angle brackets. The letter indicates the type of data that is expected:
IP | Host IPv4 address in dotted quad format |
Name | Host name if --resolve option given |
MAC | Host MAC address xx:xx:xx:xx:xx:xx |
HdrMAC | Ethernet source addr if different |
Vendor | Vendor details string |
Padding | Padding after ARP packet in hex if nonzero |
Framing | Framing type if not Ethernet_II |
VLAN | 802.1Q VLAN ID if present |
Proto | ARP protocol if not 0x0800 |
DUP | Packet number for duplicate packets (>1) |
RTT | Round trip time if --rtt option given |
Only the ${ip} and ${mac} fields are available if the --quiet option is specified.
Any characters that are not fields are output verbatim. "\" introduces escapes:
\n | newline |
\r | carriage return |
\t | tab |
\ | suppress special meaning for following character |
You should enclose the --format argument in 'single quotes' to protect special characters from the shell.
Example: --format='${ip}\t${mac}\t${vendor}'
arp-scan will exit with 0 on successful completion or >0 if an error was encountered.
If the --limit option is specified, arp-scan will also exit with a non-zero exit code if the number of responding hosts is less than the specified limit.
Scan the default network using the interface IPv4 configuration to generate the list of hosts to scan.
$ arp-scan --localnet
Interface: eth0, type: EN10MB, MAC: 50:65:f3:f0:6d:7c, IPv4: 10.0.0.106
Starting arp-scan 1.9.9 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.0.14	a4:1f:72:7f:25:bb	Dell Inc.
10.0.0.22	10:60:4b:73:43:de	Hewlett Packard
10.0.0.74	00:0c:29:90:07:e9	VMware, Inc.
10.0.0.75	00:0c:29:66:9e:c2	VMware, Inc.
10.0.0.76	00:0c:29:d0:e1:ea	VMware, Inc.
10.0.0.82	9c:b6:54:bb:f3:ec	Hewlett Packard
10.0.0.84	00:21:9b:fd:b9:b3	Dell Inc.
10.0.0.85	00:02:b3:eb:5a:f8	Intel Corporation
10.0.0.91	00:9c:02:a5:7b:29	Hewlett Packard
10.0.0.92	d4:ae:52:d0:07:6f	Dell Inc.
10.0.0.93	d4:ae:52:d0:04:9b	Dell Inc.
10.0.0.96	9c:b6:54:bb:f5:35	Hewlett Packard
10.0.0.97	00:0c:29:0e:95:20	VMware, Inc.
10.0.0.104	50:65:f3:f0:70:a4	Hewlett Packard
15 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.9: 256 hosts scanned in 1.532 seconds (167.10 hosts/sec). 14 responded
Scan all hosts in 10.0.0.0/24 using interface eth0. Calculate round-trip time and display in aligned columns using a custom format.
$ arp-scan -I eth0 --rtt --format='|${ip;-15}|${mac}|${rtt;8}|' 10.0.0.0/24
Interface: eth0, type: EN10MB, MAC: 50:65:f3:f0:6d:7c, IPv4: 10.0.0.106
Starting arp-scan 1.9.9 with 256 hosts (https://github.com/royhills/arp-scan)
|10.0.0.14      |a4:1f:72:7f:25:bb|   0.280|
|10.0.0.22      |10:60:4b:73:43:de|   0.293|
|10.0.0.74      |00:0c:29:90:07:e9|   0.380|
|10.0.0.75      |00:0c:29:66:9e:c2|   0.311|
|10.0.0.76      |00:0c:29:d0:e1:ea|   0.326|
|10.0.0.82      |9c:b6:54:bb:f3:ec|   0.216|
|10.0.0.84      |00:21:9b:fd:b9:b3|   0.244|
|10.0.0.85      |00:02:b3:eb:5a:f8|   0.244|
|10.0.0.91      |00:9c:02:a5:7b:29|   0.209|
|10.0.0.92      |d4:ae:52:d0:07:6f|   0.289|
|10.0.0.93      |d4:ae:52:d0:04:9b|   0.278|
|10.0.0.96      |9c:b6:54:bb:f5:35|   0.255|
|10.0.0.97      |00:0c:29:0e:95:20|   0.288|
|10.0.0.104     |50:65:f3:f0:70:a4|   0.263|
14 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.9: 256 hosts scanned in 2.032 seconds (125.98 hosts/sec). 14 responded
--plain removes extraneous output.
$ arp-scan -I eth0 --plain --format='${ip},${mac},"${vendor}"' 10.0.0.0/24
10.0.0.14,a4:1f:72:7f:25:bb,"Dell Inc."
10.0.0.22,10:60:4b:73:43:de,"Hewlett Packard"
10.0.0.74,00:0c:29:90:07:e9,"VMware, Inc."
10.0.0.75,00:0c:29:66:9e:c2,"VMware, Inc."
10.0.0.76,00:0c:29:d0:e1:ea,"VMware, Inc."
10.0.0.82,9c:b6:54:bb:f3:ec,"Hewlett Packard"
10.0.0.84,00:21:9b:fd:b9:b3,"Dell Inc."
10.0.0.85,00:02:b3:eb:5a:f8,"Intel Corporation"
10.0.0.91,00:9c:02:a5:7b:29,"Hewlett Packard"
10.0.0.92,d4:ae:52:d0:07:6f,"Dell Inc."
10.0.0.93,d4:ae:52:d0:04:9b,"Dell Inc."
10.0.0.96,9c:b6:54:bb:f5:35,"Hewlett Packard"
10.0.0.97,00:0c:29:0e:95:20,"VMware, Inc."
10.0.0.104,50:65:f3:f0:70:a4,"Hewlett Packard"
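An added example (not part of the arp-scan documentation or source) of consuming the CSV-style --plain output above for asset monitoring: it parses the rows, compares them with a known IP-to-MAC baseline, and flags new hosts, changed MACs, and IP/MAC collisions. The function names, the baseline, and the duplicate 10.0.0.22 row are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Sample in the --plain --format='${ip},${mac},"${vendor}"' layout. Rows reuse values
# from the page's example; the second 10.0.0.22 row is constructed.
SCAN = '''10.0.0.14,a4:1f:72:7f:25:bb,"Dell Inc."
10.0.0.22,10:60:4b:73:43:de,"Hewlett Packard"
10.0.0.74,00:0c:29:90:07:e9,"VMware, Inc."
10.0.0.22,00:0c:29:90:07:e9,"VMware, Inc."
10.0.0.85,00:02:b3:eb:5a:f8,"Intel Corporation"
'''
# Constructed baseline of expected IP -> MAC bindings.
BASELINE = {"10.0.0.14": "a4:1f:72:7f:25:bb",
            "10.0.0.22": "10:60:4b:73:43:de",
            "10.0.0.74": "00:0c:29:90:07:e9"}

def parse_scan(text):
    """Return (ip, mac, vendor) rows; csv handles the comma inside "VMware, Inc."."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) == 3:                      # skip blank or malformed lines
            rows.append((rec[0], rec[1].lower(), rec[2]))
    return rows

def review(rows, baseline):
    """Compare scan rows with the baseline; return (kind, key, detail) findings."""
    macs_by_ip, ips_by_mac = defaultdict(set), defaultdict(set)
    for ip, mac, _vendor in rows:
        macs_by_ip[ip].add(mac)
        ips_by_mac[mac].add(ip)
    findings = []
    for ip, macs in sorted(macs_by_ip.items()):
        seen = ",".join(sorted(macs))
        if len(macs) > 1:                      # address clash or spoofed reply
            findings.append(("multiple-macs", ip, seen))
        known = baseline.get(ip)
        if known is None:
            findings.append(("new-host", ip, seen))
        elif known.lower() not in macs:
            findings.append(("mac-changed", ip, seen))
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:                       # can be legitimate (e.g. proxy ARP); review
            findings.append(("mac-on-many-ips", mac, ",".join(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in review(parse_scan(SCAN), BASELINE):
        print(*finding, sep="\t")
```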
http://www.royhills.co.uk/wiki/ The arp-scan wiki page.
https://github.com/royhills/arp-scan The arp-scan homepage.
November 9, 2022 |