1ARP-FINGERPRINT(1)          General Commands Manual         ARP-FINGERPRINT(1)
2
3
4

NAME

6       arp-fingerprint - Fingerprint a system using ARP
7

SYNOPSIS

9       arp-fingerprint [options] target
10
11       The target should be specified as a single IP address or hostname.  You
12       cannot specify multiple targets, IP networks or ranges.
13
14       If you use an IP address for the target, you can use the -o  option  to
15       pass  the  --numeric  option  to  arp-scan,  which will prevent it from
16       attempting DNS lookups.  This can speed up the fingerprinting  process,
17       especially on systems with a slow or faulty DNS configuration.
18

DESCRIPTION

20       arp-fingerprint  fingerprints  the  specified target host using the ARP
21       protocol.
22
23       It sends various different types of ARP  request  to  the  target,  and
24       records  which types it responds to. From this, it constructs a finger‐
25       print string consisting of "1" where the target responded and "0" where
26       it  did  not.  An example of a fingerprint string is 01000100000.  This
27       fingerprint string is then used to lookup the likely  target  operating
28       system.
29
30       Many  of  the  fingerprint strings are shared by several operating sys‐
31       tems, so there is not always a one-to-one mapping  between  fingerprint
32       strings  and  operating  systems. Also the fact that a system's finger‐
33       print matches a certain operating system (or list of operating systems)
34       does  not  necessarily mean that the system being fingerprinted is that
35       operating system, although it is quite likely. This is because the list
36       of  operating systems is not exhaustive; it is just what I have discov‐
37       ered to date, and there are bound to be operating systems that are  not
38       listed.
39
40       The  ARP  fingerprint  of a system is generally a function of that sys‐
41       tem's kernel (although it is possible for the ARP function to be imple‐
42       mented in user space, it almost never is).
43
44       Sometimes,  an operating system can give different fingerprints depend‐
45       ing on the configuration.  An example is Linux, which will respond to a
46       non-local  source IP address if that IP is routed through the interface
47       being tested.  This is both good and bad: on one hand it makes the fin‐
48       gerprinting  task  more  complex;  but  on the other, it can allow some
49       aspects of the system configuration to be determined.
50
51       Sometimes the fact that two different operating systems share a  common
52       ARP fingerprint string points to a re-use of networking code. One exam‐
53       ple of this is Windows NT and FreeBSD.
54
55       arp-fingerprint uses arp-scan to send the ARP requests and receive  the
56       replies.
57
58       There  are other methods that can be used to fingerprint a system using
59       arp-scan which can be used in addition to arp-fingerprint.  These addi‐
60       tional  methods are not included in arp-fingerprint either because they
61       are likely to cause disruption to the target system,  or  because  they
62       require  knowledge of the target's configuration that may not always be
63       available.
64
65       arp-fingerprint is still being developed, and the results should not be
66       relied  on. As most of the ARP requests that it sends are non-standard,
67       it is possible that it may disrupt some systems, so caution is advised.
68
69       If you find a system that arp-fingerprint reports as UNKNOWN,  and  you
70       know what operating system it is running, could you please send details
71       of the operating system and fingerprint to arp-scan@nta-monitor.com  so
72       I  can  include it in future versions. Please include the exact version
73       of the operating system if  you  know  it,  as  fingerprints  sometimes
74       change between versions.
75

OPTIONS

77       -h     Display a brief usage message and exit.
78
79       -v     Display verbose progress messages.
80
81       -o <option-string>
82              Pass  specified  options  to  arp-scan.  You need to enclose the
83              options string in quotes if it contains  spaces.  e.g.   -o  "-I
84              eth1".   The  commonly  used  options  are  --interface (-I) and
85              --numeric (-N).
86
87       -l     Fingerprint all hosts on the local network. You do not  need  to
88              specify any target hosts if this option is given.
89

EXAMPLES

91       $ arp-fingerprint 192.168.0.1
92       192.168.0.1   01000100000     Linux 2.2, 2.4, 2.6
93
94       $ arp-fingerprint -o "-N -I eth1" 192.168.0.202
95       192.168.0.202 11110100000     FreeBSD 5.3, Win98, WinME, NT4, 2000, XP, 2003
96

NOTES

98       arp-fingerprint  is  implemented  in Perl, so you need to have the Perl
99       interpreter installed on your system to use it.
100

AUTHOR

102       Roy Hills <Roy.Hills@nta-monitor.com>
103

SEE ALSO

105       arp-scan(1)
106
107       http://www.nta-monitor.com/wiki/ The arp-scan wiki page.
108
109
110
111                                August 20, 2016             ARP-FINGERPRINT(1)
Impressum