1ARP-SCAN(1)                 General Commands Manual                ARP-SCAN(1)
2
3
4

NAME

6       arp-scan - The ARP scanner
7

SYNOPSIS

9       arp-scan [options] [hosts...]
10
11       Target  hosts  must  be specified on the command line unless the --file
12       option is given, in which case the targets are read from the  specified
13       file  instead, or the --localnet option is used, in which case the tar‐
14       gets are generated from the network interface IP address and netmask.
15
16       You will need to be root, or arp-scan must be SUID root,  in  order  to
17       run  arp-scan,  because  the  functions  that it uses to read and write
18       packets require root privilege.
19
20       The target hosts can be specified as IP addresses  or  hostnames.   You
21       can  also specify the target as IPnetwork/bits (e.g. 192.168.1.0/24) to
22       specify all hosts in the given network (network and broadcast addresses
23       included), IPstart-IPend (e.g. 192.168.1.3-192.168.1.27) to specify all
24       hosts   in   the   inclusive   range,   or   IPnetwork:NetMask    (e.g.
25       192.168.1.0:255.255.255.0)  to  specify  all hosts in the given network
26       and mask.
27

DESCRIPTION

29       arp-scan sends ARP packets to hosts on the local network  and  displays
30       any  responses  that  are received. The network interface to use can be
31       specified with the --interface option. If this option is  not  present,
32       arp-scan will search the system interface list for the lowest numbered,
33       configured up interface (excluding  loopback).   By  default,  the  ARP
34       packets  are sent to the Ethernet broadcast address, ff:ff:ff:ff:ff:ff,
35       but that can be changed with the --destaddr option.
36
37       The target hosts to scan may be specified in  one  of  three  ways:  by
38       specifying  the  targets on the command line; by specifying a file con‐
39       taining the targets with  the  --file  option;  or  by  specifying  the
40       --localnet  option  which  causes  all  possible  hosts  on the network
41       attached to the interface (as defined  by  the  interface  address  and
42       mask)  to  be scanned. For hosts specified on the command line, or with
43       the --file option, you can use either IP addresses or  hostnames.   You
44       can  also  use network specifications IPnetwork/bits, IPstart-IPend, or
45       IPnetwork:NetMask.
46
47       The list of target hosts is stored in memory.  Each host in  this  list
48       uses  28  bytes of memory, so scanning a Class-B network (65,536 hosts)
49       requires about 1.75MB of memory for the list, and  scanning  a  Class-A
50       (16,777,216 hosts) requires about 448MB.
51
52       arp-scan  supports Ethernet and 802.11 wireless networks. It could also
53       support token ring and FDDI, but they have not been tested. It does not
54       support  serial links such as PPP or SLIP, because ARP is not supported
55       on them.
56
57       The ARP protocol is a layer-2 (datalink layer) protocol that is used to
58       determine  a  host's  layer-2 address given its layer-3 (network layer)
59       address. ARP was designed to work with any layer-2 and layer-3  address
60       format,  but  the  most  common  use is to map IP addresses to Ethernet
61       hardware addresses, and this is what arp-scan supports. ARP only  oper‐
62       ates  on the local network, and cannot be routed. Although the ARP pro‐
63       tocol makes use of IP addresses, it is not  an  IP-based  protocol  and
64       arp-scan can be used on an interface that is not configured for IP.
65
66       ARP is only used by IPv4 hosts. IPv6 uses NDP (neighbour discovery pro‐
67       tocol) instead, which is a different protocol and is not  supported  by
68       arp-scan.
69
70       One  ARP  packet is sent for each for each target host, with the target
71       protocol address (the ar$tpa field) set to the IP address of this host.
72       If  a  host  does not respond, then the ARP packet will be re-sent once
73       more.  The maximum number of retries can be changed  with  the  --retry
74       option.   Reducing  the number of retries will reduce the scanning time
75       at the possible risk of missing some results due to packet loss.
76
77       You can specify the bandwidth that arp-scan will use for  the  outgoing
78       ARP  packets  with the --bandwidth option.  By default, it uses a band‐
79       width of 256000 bits per second. Increasing the bandwidth  will  reduce
80       the  scanning time, but setting the bandwidth too high may result in an
81       ARP storm which can disrupt network operation.  Also, setting the band‐
82       width  too  high can send packets faster than the network interface can
83       transmit them, which will eventually fill the kernel's transmit  buffer
84       resulting in the error message: No buffer space available.  Another way
85       to specify the outgoing ARP packet rate is with the --interval  option,
86       which is an alternative way to modify the same underlying parameter.
87
88       The  time  taken to perform a single-pass scan (i.e. with --retry=1) is
89       given by:
90
91       time = n*i + t + o
92
93       Where n is the number of hosts in the list,  i  is  the  time  interval
94       between  packets (specified with --interval, or calculated from --band‐
95       width), t is the timeout value (specified with --timeout) and o is  the
96       overhead  time  taken  to  load  the targets into the list and read the
97       MAC/Vendor mapping files.  For small lists of hosts, the timeout  value
98       will  dominate,  but  for  large  lists the packet interval is the most
99       important value.
100
101       With 65,536 hosts, the default bandwidth of 256,000 bits/second  (which
102       results in a packet interval of 2ms), the default timeout of 500ms, and
103       a single pass ( --retry=1), and assuming an overhead of 1  second,  the
104       scan would take 65536*0.002 + 0.5 + 1 = 132.57 seconds, or about 2 min‐
105       utes 13 seconds.
106
107       Any part of the outgoing ARP packet may be modified through the use  of
108       the  various  --arpXXX  options.   The use of some of these options may
109       make the outgoing ARP packet non  RFC  compliant.  Different  operating
110       systems  handle the various non standard ARP packets in different ways,
111       and this may be used to fingerprint  these  systems.   See  arp-finger‐
112       print(1)  for  information  about  a script which uses these options to
113       fingerprint the target operating system.
114
115       The table below summarises the options that  change  the  outgoing  ARP
116       packet. In this table, the Field column gives the ARP packet field name
117       from RFC 826, Bits specifies the number of bits in  the  field,  Option
118       shows  the  arp-scan  option  to modify this field, and Notes gives the
119       default value and any other notes.
120
121       ┌───────────────────────────────────────────────────────────────┐
122Outgoing ARP Packet Options                   
123       ├───────┬──────┬──────────┬─────────────────────────────────────┤
124Field  Bits Option   Notes                               
125       ├───────┼──────┼──────────┼─────────────────────────────────────┤
126       │ar$hrd │ 16   │ --arphrd │ Default is 1 (ARPHRD_ETHER)         │
127       │ar$pro │ 16   │ --arppro │ Default is 0x0800                   │
128       │ar$hln │ 8    │ --arphln │ Default is 6 (ETH_ALEN)             │
129       │ar$pln │ 8    │ --arppln │ Default is 4 (IPv4)                 │
130       │ar$op  │ 16   │ --arpop  │ Default is 1 (ARPOP_REQUEST)        │
131       │ar$sha │ 48   │ --arpsha │ Default is interface h/w address    │
132       │ar$spa │ 32   │ --arpspa │ Default is interface IP address     │
133       │ar$tha │ 48   │ --arptha │ Default is zero (00:00:00:00:00:00) │
134       │ar$tpa │ 32   │ None     │ Set to the target host IP address   │
135       └───────┴──────┴──────────┴─────────────────────────────────────┘
136       The most commonly used outgoing ARP packet option  is  --arpspa,  which
137       sets  the  source IP address in the ARP packet.  This option allows the
138       outgoing ARP packet to use a different source IP address from the  out‐
139       going  interface  address.  With this option it is possible to use arp-
140       scan on an interface with no IP address configured, which can be useful
141       if  you want to ensure that the testing host does not interact with the
142       network being tested.
143
144       Warning: Setting ar$spa to the destination IP address can disrupt  some
145       operating  systems, as they assume there is an IP address clash if they
146       receive an ARP request for their own address.
147
148       It is also possible to change the values in the Ethernet  frame  header
149       that  precedes  the ARP packet in the outgoing packets. The table below
150       summarises the options that change values in the Ethernet frame header.
151
152       ┌───────────────────────────────────────────────────────────────────┐
153Outgoing Ethernet Frame Options                   
154       ├───────────────┬──────┬─────────────┬──────────────────────────────┤
155Field          Bits Option      Notes                        
156       ├───────────────┼──────┼─────────────┼──────────────────────────────┤
157       │Dest Address   │ 48   │ --destaddr  │ Default is ff:ff:ff:ff:ff:ff │
158       │Source Address │ 48   │ --srcaddr   │ Default is interface address │
159       │Protocol Type  │ 16   │ --prototype │ Default is 0x0806            │
160       └───────────────┴──────┴─────────────┴──────────────────────────────┘
161       The most commonly used outgoing Ethernet frame  option  is  --destaddr,
162       which sets the destination Ethernet address for the ARP packet.  --pro‐
163       totype is not often used, because it will cause the packet to be inter‐
164       preted as a different Ethernet protocol.
165
166       Any ARP responses that are received are displayed in the following for‐
167       mat:
168
169       <IP Address>   <Hardware Address>   <Vendor Details>
170
171       Where IP Address is the IP address of the responding  target,  Hardware
172       Address  is  its  Ethernet  hardware  address  (also  known  as the MAC
173       address) and Vendor Details are the vendor details,  decoded  from  the
174       hardware  address.   The  output  fields  are separated by a single tab
175       character.
176
177       The responses are displayed in the order they are  received,  which  is
178       not  always the same order as the requests were sent because some hosts
179       may respond faster than others.
180
181       The vendor decoding uses the files ieee-oui.txt, ieee-iab.txt and  mac-
182       vendor.txt,  which  are  supplied  with arp-scan.  The ieee-oui.txt and
183       ieee-iab.txt files are generated from the OUI and IAB data on the  IEEE
184       website  at  http://standards-oui.ieee.org/oui/oui.txt and http://stan
185       dards.ieee.org/regauth/oui/iab.txt.  The Perl scripts get-oui and  get-
186       iab,  which are included in the arp-scan package, can be used to update
187       these files with the latest data from the IEEE website.   The  mac-ven‐
188       dor.txt file contains other MAC to Vendor mappings that are not covered
189       by the IEEE OUI and IAB files, and can be used to add custom mappings.
190
191       Almost all hosts that support IP  will  respond  to  arp-scan  if  they
192       receive  an ARP packet with the target protocol address (ar$tpa) set to
193       their IP address.  This includes firewalls and other hosts with IP fil‐
194       tering  that drop all IP traffic from the testing system. For this rea‐
195       son, arp-scan is a useful tool to quickly determine all the  active  IP
196       hosts on a given Ethernet network segment.
197

OPTIONS

199       Where  an  option takes a value, that value is specified as a letter in
200       angle brackets. The letter indicates the type of data that is expected:
201
202       <s>    A character string, e.g. --file=hostlist.txt.
203
204       <i>    An integer, which can be specified as a decimal number or  as  a
205              hexadecimal  number  if preceeded with 0x, e.g. --arppro=2048 or
206              --arpro=0x0800.
207
208       <f>    A floating point decimal number, e.g. --backoff=1.5.
209
210       <m>    An Ethernet MAC address, which can be specified  either  in  the
211              format  01:23:45:67:89:ab,  or  as 01-23-45-67-89-ab. The alpha‐
212              betic hex characters may be either upper  or  lower  case.  E.g.
213              --arpsha=01:23:45:67:89:ab.
214
215       <a>    An IPv4 address, e.g. --arpspa=10.0.0.1
216
217       <h>    Binary  data specified as a hexadecimal string, which should not
218              include a leading 0x.  The  alphabetic  hex  characters  may  be
219              either upper or lower case. E.g. --padding=aaaaaaaaaaaa
220
221       <x>    Something else. See the description of the option for details.
222
223       --help or -h
224              Display this usage message and exit.
225
226       --file=<s> or -f <s>
227              Read  hostnames  or addresses from the specified file instead of
228              from the command line. One name or IP address per line. Use  "-"
229              for standard input.
230
231       --localnet or -l
232              Generate  addresses  from  network interface configuration.  Use
233              the network interface IP address and network  mask  to  generate
234              the  list  of  target host addresses.  The list will include the
235              network and broadcast addresses,  so  an  interface  address  of
236              10.0.0.1  with  netmask  255.255.255.0 would generate 256 target
237              hosts from 10.0.0.0 to 10.0.0.255 inclusive.  If  you  use  this
238              option, you cannot specify the --file option or specify any tar‐
239              get hosts on the command line.  The interface specifications are
240              taken  from  the  interface that arp-scan will use, which can be
241              changed with the --interface option.
242
243       --retry=<i> or -r <i>
244              Set total number of attempts per host to <i>, default=2.
245
246       --timeout=<i> or -t <i>
247              Set initial per host timeout to <i> ms, default=500.  This time‐
248              out is for the first packet sent to each host.  subsequent time‐
249              outs are multiplied by the backoff  factor  which  is  set  with
250              --backoff.
251
252       --interval=<x> or -i <x>
253              Set  minimum packet interval to <x>.  This controls the outgoing
254              bandwidth usage by limiting the rate at  which  packets  can  be
255              sent.  The  packet interval will be no smaller than this number.
256              If you want to use up to a given bandwidth, then it is easier to
257              use  the  --bandwidth option instead.  The interval specified is
258              in milliseconds  by  default,  or  in  microseconds  if  "u"  is
259              appended to the value.
260
261       --bandwidth=<x> or -B <x>
262              Set  desired  outbound  bandwidth  to  <x>, default=256000.  The
263              value is in bits per second by default. If you append "K" to the
264              value,  then  the  units are kilobits per sec; and if you append
265              "M" to the value, the units are megabits per  second.   The  "K"
266              and  "M"  suffixes represent the decimal, not binary, multiples.
267              So 64K is 64000, not 65536.  You cannot specify both  --interval
268              and  --bandwidth  because they are just different ways to change
269              the same underlying parameter.
270
271       --backoff=<f> or -b <f>
272              Set timeout backoff factor to <f>, default=1.50.   The  per-host
273              timeout  is multiplied by this factor after each timeout. So, if
274              the number of retries is 3,  the  initial  per-host  timeout  is
275              500ms and the backoff factor is 1.5, then the first timeout will
276              be 500ms, the second 750ms and the third 1125ms.
277
278       --verbose or -v
279              Display verbose progress  messages.   Use  more  than  once  for
280              greater effect:
281
282              1  - Display the network address and mask used when the --local‐
283              net option is specified, display  any  nonzero  packet  padding,
284              display  packets received from unknown hosts, and show when each
285              pass through the list completes.
286
287              2 - Show each packet sent and received, when entries are removed
288              from  the list, the pcap filter string, and counts of MAC/Vendor
289              mapping entries.
290
291              3 - Display the host list before scanning starts.
292
293       --version or -V
294              Display program version and exit.
295
296       --random or -R
297              Randomise the host list.  This option randomises  the  order  of
298              the  hosts  in the host list, so the ARP packets are sent to the
299              hosts in a random order. It uses the Knuth shuffle algorithm.
300
301       --randomseed=<i>
302              Use <i> to seed the pseudo random number generator.  This option
303              seeds the PRNG with the specified number, which can be useful if
304              you want to ensure that the random host list is reproducable. By
305              default,  the  PRNG  is seeded with an unpredictable value. This
306              option is only effective in conjunction with the  --random  (-R)
307              option.
308
309       --numeric or -N
310              IP  addresses  only,  no hostnames.  With this option, all hosts
311              must be specified as IP addresses. Hostnames are not  permitted.
312              No DNS lookups will be performed.
313
314       --snap=<i> or -n <i>
315              Set the pcap snap length to <i>. Default=64.  This specifies the
316              frame capture length. This length includes the data-link header.
317              The default is normally sufficient.
318
319       --interface=<s> or -I <s>
320              Use  network  interface  <s>.   If this option is not specified,
321              arp-scan will search the system interface list  for  the  lowest
322              numbered,  configured  up  interface  (excluding loopback).  The
323              interface specified must support ARP.
324
325       --quiet or -q
326              Only display minimal output.  No  protocol  decoding.   If  this
327              option  is  specified,  then only the IP address and MAC address
328              are displayed for each responding host.  No protocol decoding is
329              performed and the OUI mapping files are not used.
330
331       --plain or -x
332              Display plain output showing only responding hosts.  This option
333              supresses the printing of the header and footer text,  and  only
334              displays one line for each responding host. Useful if the output
335              will be parsed by a script.
336
337       --ignoredups or -g
338              Don't display duplicate packets.  By default, duplicate  packets
339              are displayed and are flagged with "(DUP: n)".
340
341       --ouifile=<s> or -O <s>
342              Use  IEEE  Ethernet  OUI  to  vendor  mapping file <s>.  If this
343              option is not specified, the default filename is ieee-oui.txt in
344              the  current  directory.  If  that  is  not found, then the file
345              /usr/local/share/arp-scan/ieee-oui.txt is used.
346
347       --iabfile=<s> or -O <s>
348              Use IEEE Ethernet IAB to  vendor  mapping  file  <s>.   If  this
349              option is not specified, the default filename is ieee-iab.txt in
350              the current directory. If that  is  not  found,  then  the  file
351              /usr/local/share/arp-scan/ieee-iab.txt is used.
352
353       --macfile=<s> or -O <s>
354              Use  custom  Ethernet  MAC  to vendor mapping file <s>.  If this
355              option is not specified, the default filename is  mac-vendor.txt
356              in  the  current  directory. If that is not found, then the file
357              /usr/local/share/arp-scan/mac-vendor.txt is used.
358
359       --srcaddr=<m> or -S <m>
360              Set the source Ethernet MAC  address  to  <m>.   This  sets  the
361              48-bit  hardware address in the Ethernet frame header for outgo‐
362              ing ARP packets. It does not change the hardware address in  the
363              ARP  packet,  see  --arpsha  for  details  on how to change that
364              address.  The default is the Ethernet address  of  the  outgoing
365              interface.
366
367       --destaddr=<m> or -T <m>
368              Send  the  packets  to  Ethernet  MAC  address <m> This sets the
369              48-bit destination address in the Ethernet  frame  header.   The
370              default  is the broadcast address ff:ff:ff:ff:ff:ff.  Most oper‐
371              ating systems will also respond if the ARP request  is  sent  to
372              their  MAC address, or to a multicast address that they are lis‐
373              tening on.
374
375       --arpsha=<m> or -u <m>
376              Use <m> as the ARP source Ethernet address This sets the  48-bit
377              ar$sha  field  in the ARP packet It does not change the hardware
378              address in the frame header, see --srcaddr for details on how to
379              change  that address. The default is the Ethernet address of the
380              outgoing interface.
381
382       --arptha=<m> or -w <m>
383              Use <m> as the ARP target Ethernet address This sets the  48-bit
384              ar$tha field in the ARP packet The default is zero, because this
385              field is not used for ARP request packets.
386
387       --prototype=<i> or -y <i>
388              Set the Ethernet protocol type  to  <i>,  default=0x0806.   This
389              sets  the  16-bit  protocol  type  field  in  the Ethernet frame
390              header.  Setting this to a non-default value will result in  the
391              packet  being ignored by the target, or sent to the wrong proto‐
392              col stack.
393
394       --arphrd=<i> or -H <i>
395              Use <i> for the ARP hardware type,  default=1.   This  sets  the
396              16-bit  ar$hrd  field  in the ARP packet.  The normal value is 1
397              (ARPHRD_ETHER). Most, but not all, operating systems  will  also
398              respond  to  6  (ARPHRD_IEEE802).  A  few systems respond to any
399              value.
400
401       --arppro=<i> or -p <i>
402              Use <i> for the ARP protocol type,  default=0x0800.   This  sets
403              the  16-bit ar$pro field in the ARP packet.  Most operating sys‐
404              tems only respond to 0x0800 (IPv4)  but  some  will  respond  to
405              other values as well.
406
407       --arphln=<i> or -a <i>
408              Set  the  hardware  address length to <i>, default=6.  This sets
409              the 8-bit ar$hln field in the ARP packet.  It sets  the  claimed
410              length  of the hardware address in the ARP packet. Setting it to
411              any value other than the default will make the  packet  non  RFC
412              compliant.   Some  operating  systems  may  still  respond to it
413              though.  Note that the actual lengths of the ar$sha  and  ar$tha
414              fields in the ARP packet are not changed by this option; it only
415              changes the ar$hln field.
416
417       --arppln=<i> or -P <i>
418              Set the protocol address length to <i>,  default=4.   This  sets
419              the  8-bit  ar$pln field in the ARP packet.  It sets the claimed
420              length of the protocol address in the ARP packet. Setting it  to
421              any  value  other  than the default will make the packet non RFC
422              compliant.  Some operating  systems  may  still  respond  to  it
423              though.   Note  that the actual lengths of the ar$spa and ar$tpa
424              fields in the ARP packet are not changed by this option; it only
425              changes the ar$pln field.
426
427       --arpop=<i> or -o <i>
428              Use  <i> for the ARP operation, default=1.  This sets the 16-bit
429              ar$op field in the ARP packet.  Most operating systems will only
430              respond  to  the  value 1 (ARPOP_REQUEST). However, some systems
431              will respond to other values as well.
432
433       --arpspa=<a> or -s <a>
434              Use <a> as the source IP address.  The address should be  speci‐
435              fied  in dotted quad format; or the literal string "dest", which
436              sets the source address to  be  the  same  as  the  target  host
437              address.   This  sets the 32-bit ar$spa field in the ARP packet.
438              Some operating systems check this, and will only respond if  the
439              source address is within the network of the receiving interface.
440              Others don't care, and will respond to any source  address.   By
441              default, the outgoing interface address is used.
442
443              WARNING:  Setting  ar$spa to the destination IP address can dis‐
444              rupt some operating systems, as  they  assume  there  is  an  IP
445              address  clash  if  they  receive  an  ARP request for their own
446              address.
447
448       --padding=<h> or -A <h>
449              Specify padding after packet data.  Set the padding data to  hex
450              value  <h>.  This data is appended to the end of the ARP packet,
451              after the data.  Most, if not all, operating systems will ignore
452              any  padding.  The  default is no padding, although the Ethernet
453              driver on the sending system may pad the packet to  the  minimum
454              Ethernet frame length.
455
456       --llc or -L
457              Use RFC 1042 LLC framing with SNAP.  This option causes the out‐
458              going ARP packets to use IEEE 802.2 framing with a  SNAP  header
459              as  described  in  RFC  1042.  The default is to use Ethernet-II
460              framing.  arp-scan will decode and display received ARP  packets
461              in either Ethernet-II or IEEE 802.2 formats irrespective of this
462              option.
463
464       --vlan=<i> or -Q <i>
465              Use 802.1Q tagging with VLAN id <i>.   This  option  causes  the
466              outgoing  ARP  packets to use 802.1Q VLAN tagging with a VLAN ID
467              of <i>, which should be in the range 0 to 4095 inclusive.   arp-
468              scan  will  always  decode  and  display received ARP packets in
469              802.1Q format irrespective of this option.
470
471       --pcapsavefile=<s> or -W <s>
472              Write received packets to pcap savefile <s>.  This option causes
473              received ARP responses to be written to the specified pcap save‐
474              file as well as being decoded and displayed. This  savefile  can
475              be  analysed with programs that understand the pcap file format,
476              such as "tcpdump" and "wireshark".
477
478       --rtt or -D
479              Display the packet round-trip time.
480

FILES

482       /usr/local/share/arp-scan/ieee-oui.txt
483              List of IEEE OUI (Organisationally Unique Identifier) to  vendor
484              mappings.
485
486       /usr/local/share/arp-scan/ieee-iab.txt
487              List of IEEE IAB (Individual Address Block) to vendor mappings.
488
489       /usr/local/share/arp-scan/mac-vendor.txt
490              List of other Ethernet MAC to vendor mappings.
491

EXAMPLES

493       The  example  below  shows  arp-scan  being  used  to  scan the network
494       192.168.0.0/24 using the network interface eth0.
495
496       $ arp-scan --interface=eth0 192.168.0.0/24
497       Interface: eth0, datalink type: EN10MB (Ethernet)
498       Starting arp-scan 1.4 with 256 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
499       192.168.0.1     00:c0:9f:09:b8:db       QUANTA COMPUTER, INC.
500       192.168.0.3     00:02:b3:bb:66:98       Intel Corporation
501       192.168.0.5     00:02:a5:90:c3:e6       Compaq Computer Corporation
502       192.168.0.6     00:c0:9f:0b:91:d1       QUANTA COMPUTER, INC.
503       192.168.0.12    00:02:b3:46:0d:4c       Intel Corporation
504       192.168.0.13    00:02:a5:de:c2:17       Compaq Computer Corporation
505       192.168.0.87    00:0b:db:b2:fa:60       Dell ESG PCBA Test
506       192.168.0.90    00:02:b3:06:d7:9b       Intel Corporation
507       192.168.0.105   00:13:72:09:ad:76       Dell Inc.
508       192.168.0.153   00:10:db:26:4d:52       Juniper Networks, Inc.
509       192.168.0.191   00:01:e6:57:8b:68       Hewlett-Packard Company
510       192.168.0.251   00:04:27:6a:5d:a1       Cisco Systems, Inc.
511       192.168.0.196   00:30:c1:5e:58:7d       HEWLETT-PACKARD
512
513       13 packets received by filter, 0 packets dropped by kernel
514       Ending arp-scan: 256 hosts scanned in 3.386 seconds (75.61 hosts/sec).  13 responded
515
516       This next example shows arp-scan being used to scan the  local  network
517       after configuring the network interface with DHCP using pump.
518
519       # pump
520       # ifconfig eth0
521       eth0      Link encap:Ethernet  HWaddr 00:D0:B7:0B:DD:C7
522                 inet addr:10.0.84.178  Bcast:10.0.84.183  Mask:255.255.255.248
523                 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
524                 RX packets:46335 errors:0 dropped:0 overruns:0 frame:0
525                 TX packets:1542776 errors:0 dropped:0 overruns:0 carrier:0
526                 collisions:1644 txqueuelen:1000
527                 RX bytes:6184146 (5.8 MiB)  TX bytes:348887835 (332.7 MiB)
528       # arp-scan --localnet
529       Interface: eth0, datalink type: EN10MB (Ethernet)
530       Starting arp-scan 1.4 with 8 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
531       10.0.84.179     00:02:b3:63:c7:57       Intel Corporation
532       10.0.84.177     00:d0:41:08:be:e8       AMIGO TECHNOLOGY CO., LTD.
533       10.0.84.180     00:02:b3:bd:82:9b       Intel Corporation
534       10.0.84.181     00:02:b3:1f:73:da       Intel Corporation
535
536       4 packets received by filter, 0 packets dropped by kernel
537       Ending arp-scan 1.4: 8 hosts scanned in 0.820 seconds (9.76 hosts/sec).  4 responded
538

AUTHOR

540       Roy Hills <Roy.Hills@nta-monitor.com>
541

SEE ALSO

543       get-oui(1)
544
545       get-iab(1)
546
547       arp-fingerprint(1)
548
549       RFC 826 - An Ethernet Address Resolution Protocol
550
551       http://www.nta-monitor.com/wiki/ The arp-scan wiki page.
552
553       https://github.com/royhills/arp-scan The arp-scan homepage.
554
555
556
557                                August 13, 2016                    ARP-SCAN(1)
Impressum