ARP-FINGERPRINT(1) General Commands Manual ARP-FINGERPRINT(1)

arp-fingerprint - Fingerprint a system using ARP

arp-fingerprint [options] target

The target should be specified as a single IP address or hostname. You
cannot specify multiple targets, IP networks or ranges.

If you use an IP address for the target, you can use the -o option to
pass the --numeric option to arp-scan, which will prevent it from
attempting DNS lookups. This can speed up the fingerprinting process,
especially on systems with a slow or faulty DNS configuration.

arp-fingerprint fingerprints the specified target host using the ARP
protocol.

It sends various different types of ARP request to the target, and
records which types it responds to. From this, it constructs a
fingerprint string consisting of "1" where the target responded and "0"
where it did not. An example of a fingerprint string is 01000100000.
This fingerprint string is then used to look up the likely target
operating system.

Many of the fingerprint strings are shared by several operating
systems, so there is not always a one-to-one mapping between fingerprint
strings and operating systems. Also the fact that a system's
fingerprint matches a certain operating system (or list of operating
systems) does not necessarily mean that the system being fingerprinted
is that operating system, although it is quite likely. This is because
the list of operating systems is not exhaustive; it is just what I have
discovered to date, and there are bound to be operating systems that are
not listed.

The ARP fingerprint of a system is generally a function of that
system's kernel (although it is possible for the ARP function to be
implemented in user space, it almost never is).

Sometimes, an operating system can give different fingerprints
depending on the configuration. An example is Linux, which will respond
to a non-local source IP address if that IP is routed through the
interface being tested. This is both good and bad: on one hand it makes
the fingerprinting task more complex; but on the other, it can allow
some aspects of the system configuration to be determined.

Sometimes the fact that two different operating systems share a common
ARP fingerprint string points to a re-use of networking code. One
example of this is Windows NT and FreeBSD.

arp-fingerprint uses arp-scan to send the ARP requests and receive the
replies.

There are other methods that can be used to fingerprint a system using
arp-scan which can be used in addition to arp-fingerprint. These
additional methods are not included in arp-fingerprint either because
they are likely to cause disruption to the target system, or because
they require knowledge of the target's configuration that may not always
be available.

Most of the ARP requests that arp-fingerprint sends are non-standard,
so it could disrupt systems that don't have a robust TCP/IP stack.

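Because most of the requests are non-standard, a defender can watch for one sender aiming several distinct malformed ARP requests at a single target. The following is an added example, not part of arp-fingerprint or arp-scan: this page does not list which fields the probes vary, so the check flags any departure from the standard Ethernet/IPv4 request header or a non-local source IP, and the function names, the threshold of 3 and the sample packets are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

# Standard ARP request header values on Ethernet/IPv4 (RFC 826).
STANDARD = {"htype": 1, "ptype": 0x0800, "hlen": 6, "plen": 4, "oper": 1}

def parse_arp(payload):
    """Decode a >=28-byte ARP payload, addresses at Ethernet/IPv4 offsets."""
    hdr = dict(zip(STANDARD, struct.unpack("!HHBBH", payload[:8])))
    sha, spa, tpa = payload[8:14], payload[14:18], payload[24:28]
    return {**hdr, "sha": sha.hex(":"), "spa": ipaddress.IPv4Address(spa),
            "tpa": ipaddress.IPv4Address(tpa)}

def deviations(pkt, local_net):
    """Ways a packet departs from a standard ARP request sent by a local host."""
    odd = [k for k, v in STANDARD.items() if pkt[k] != v]
    if pkt["spa"] not in local_net:
        odd.append("spa-nonlocal")
    return tuple(odd)

def suspected_fingerprinting(payloads, local_net, threshold=3):
    """Flag (sender MAC, target IP) pairs with >= threshold distinct variants."""
    net = ipaddress.ip_network(local_net)
    seen = defaultdict(set)
    for raw in payloads:
        if len(raw) < 28:
            continue  # truncated capture, nothing to classify
        pkt = parse_arp(raw)
        odd = deviations(pkt, net)
        if odd:
            seen[(pkt["sha"], str(pkt["tpa"]))].add(odd)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

def build(sha, spa, tpa, **over):
    """Build a constructed sample payload; keywords override header fields."""
    hdr = {**STANDARD, **over}
    return struct.pack("!HHBBH6s4s6s4s", *hdr.values(), bytes.fromhex(sha),
                       ipaddress.IPv4Address(spa).packed, bytes(6),
                       ipaddress.IPv4Address(tpa).packed)

# Constructed sample traffic, not a capture of arp-fingerprint itself.
SAMPLE = [
    build("020000000001", "192.168.0.10", "192.168.0.1"),
    build("020000000002", "192.168.0.20", "192.168.0.1", oper=255),
    build("020000000002", "192.168.0.20", "192.168.0.1", htype=255),
    build("020000000002", "10.9.9.9", "192.168.0.1"),
    build("020000000003", "192.168.0.30", "192.168.0.1", ptype=0x0806),
]
```

Feed it the ARP payloads (the bytes after the Ethernet header) from a capture on the monitored segment; a single odd request, as from the third sample sender, stays below the threshold.
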
-h Display a brief usage message and exit.

-v Display verbose progress messages.

-o <option-string>
   Pass specified options to arp-scan. You need to enclose the
   options string in quotes if it contains spaces. e.g. -o "-I
   eth1". The commonly used options are --interface (-I) and
   --numeric (-N).

-l Fingerprint all hosts on the local network. You do not need to
   specify any target hosts if this option is given.

$ arp-fingerprint 192.168.0.1
192.168.0.1 01000100000 Linux 2.2, 2.4, 2.6

$ arp-fingerprint -o "-N -I eth1" 192.168.0.202
192.168.0.202 11110100000 FreeBSD 5.3, Win98, WinME, NT4, 2000, XP, 2003

arp-fingerprint is implemented in Perl, so you need to have the Perl
interpreter installed on your system to use it.

arp-scan(1)

http://www.royhills.co.uk/wiki/ The arp-scan wiki page.

October 27, 2022 ARP-FINGERPRINT(1)