Arp-Scan – ARP scanning and fingerprinting tool

Sponsored Link
arp-scan is a command-line tool for system discovery and fingerprinting. It constructs and sends ARP requests to the specified IP addresses, and displays any responses that are received.

arp-scan allows you to:

Send ARP packets to any number of destination hosts, using a configurable output bandwidth or packet rate.

This is useful for system discovery, where you may need to scan large address spaces.

Construct the outgoing ARP packet in a flexible way.

arp-scan gives control of all of the fields in the ARP packet and the fields in the Ethernet frame header.

Decode and display any returned packets.

arp-scan will decode and display any received ARP packets and lookup the vendor using the MAC address.

Fingerprint IP hosts using the arp-fingerprint tool.

ARP (Address Resolution Protocol) is a protocol that determines the link-layer (layer-2) address for a given network layer (layer-3) address. ARP is defined in RFC 826 An Ethernet Address Resolution Protocol.

The ARP protocol is designed to allow it to be used for any link-layer and network-layer protocols. However in practice it is only used for Ethernet (including 802.11 wireless) and IPv4, and we assume these protocols throughout this document. IPv6 uses NDP (neighbour discovery protocol) instead, which is a different protocol.

ARP is a non-routable protocol, and can therefore only be used between systems on the same Ethernet network.

Install arp-scan in ubuntu

Open the terminal and run the following command

sudo apt-get install arp-scan

Using arp-scan

arp-scan can be used to discover IP hosts on the local network. It can discover all hosts, including those that block all IP traffic such as firewalls and systems with ingress filters.

arp-scan works on Ethernet and 802.11 wireless networks. It may also work with token ring and FDDI, but they have not been tested. It does not support serial links such as PPP or SLIP, because ARP is not supported on them.

You will need to be root, or arp-scan must be SUID root, in order to run arp-scan, because the functions that it uses to read and write Ethernet packets require root privilege.

Discovering all hosts on the local network

If the system you are testing from has an address on the network you wish to scan, the simplest way to scan it is with a command similar to:

sudo arp-scan --interface=eth0 --localnet

Here, --interface=eth0 represents the interface to use for scanning, and --localnet makes arp-scan scan all possible IP addresses on the network connected to this interface, as defined by the interface IP address and netmask. You can omit the --interface option, in which case arp-scan will search the system interface list for the lowest numbered, configured up interface (excluding loopback).

The network interface name depends on the operating system you are using, the network type (Ethernet, Wireless Etc), and for some operating systems on the interface card type as well. In this document, the interface name eth0 is used for examples except where a different network type is being discussed.

All arp-scan options have both a long form like --interface=eth0 and a corresponding short form like -I eth0. I always use the long form in this document for clarity.

Here is an example showing arp-scan being run against the local network:

sudo arp-scan --interface=eth0 --localnet

Finding the IP address Conflict

Finding an IP conflict is as simple as a single command, “arp-scan -l”. You may also wish to specify the -I option, which will allow you to pick an interface.

sudo arp-scan -I eth0 -l

You check here for more examples

Sponsored Link

Related posts

Leave a comment

Your email address will not be published. Required fields are marked *