ARP-SCAN(1)                 General Commands Manual                ARP-SCAN(1)

NAME
       arp-scan - The ARP scanner

SYNOPSIS
       arp-scan [options] [hosts...]

       Target hosts must be specified on the command line unless the --file
       option is given, in which case the targets are read from the specified
       file instead, or the --localnet option is used, in which case the
       targets are generated from the network interface IP address and
       netmask.

       You will need to be root, or arp-scan must be SUID root, in order to
       run arp-scan, because the functions that it uses to read and write
       packets require root privilege.

       The target hosts can be specified as IP addresses or hostnames.  You
       can also specify the target as IPnetwork/bits (e.g. 192.168.1.0/24) to
       specify all hosts in the given network (network and broadcast addresses
       included), IPstart-IPend (e.g. 192.168.1.3-192.168.1.27) to specify all
       hosts in the inclusive range, or IPnetwork:NetMask (e.g.
       192.168.1.0:255.255.255.0) to specify all hosts in the given network
       and mask.

DESCRIPTION
       arp-scan sends ARP packets to hosts on the local network and displays
       any responses that are received.  The network interface to use can be
       specified with the --interface option.  If this option is not present,
       arp-scan will search the system interface list for the lowest numbered,
       configured up interface (excluding loopback).  By default, the ARP
       packets are sent to the Ethernet broadcast address, ff:ff:ff:ff:ff:ff,
       but that can be changed with the --destaddr option.

       The target hosts to scan may be specified in one of three ways: by
       specifying the targets on the command line; by specifying a file
       containing the targets with the --file option; or by specifying the
       --localnet option, which causes all possible hosts on the network
       attached to the interface (as defined by the interface address and
       mask) to be scanned.  For hosts specified on the command line, or with
       the --file option, you can use either IP addresses or hostnames.  You
       can also use the network specifications IPnetwork/bits, IPstart-IPend,
       or IPnetwork:NetMask.

       The list of target hosts is stored in memory.  Each host in this list
       uses 28 bytes of memory, so scanning a Class-B network (65,536 hosts)
       requires about 1.75MB of memory for the list, and scanning a Class-A
       (16,777,216 hosts) requires about 448MB.

       arp-scan supports Ethernet and 802.11 wireless networks.  It could also
       support token ring and FDDI, but they have not been tested.  It does not
       support serial links such as PPP or SLIP, because ARP is not supported
       on them.

       The ARP protocol is a layer-2 (datalink layer) protocol that is used to
       determine a host's layer-2 address given its layer-3 (network layer)
       address.  ARP was designed to work with any layer-2 and layer-3 address
       format, but the most common use is to map IP addresses to Ethernet
       hardware addresses, and this is what arp-scan supports.  ARP only
       operates on the local network, and cannot be routed.  Although the ARP
       protocol makes use of IP addresses, it is not an IP-based protocol and
       arp-scan can be used on an interface that is not configured for IP.

       ARP is only used by IPv4 hosts.  IPv6 uses NDP (neighbour discovery
       protocol) instead, which is a different protocol and is not supported
       by arp-scan.

       One ARP packet is sent for each target host, with the target protocol
       address (the ar$tpa field) set to the IP address of this host.  If a
       host does not respond, then the ARP packet will be re-sent once more.
       The maximum number of retries can be changed with the --retry option.
       Reducing the number of retries will reduce the scanning time at the
       possible risk of missing some results due to packet loss.

       You can specify the bandwidth that arp-scan will use for the outgoing
       ARP packets with the --bandwidth option.  By default, it uses a
       bandwidth of 256000 bits per second.  Increasing the bandwidth will
       reduce the scanning time, but setting the bandwidth too high may result
       in an ARP storm which can disrupt network operation.  Also, setting the
       bandwidth too high can send packets faster than the network interface
       can transmit them, which will eventually fill the kernel's transmit
       buffer, resulting in the error message: No buffer space available.
       Another way to specify the outgoing ARP packet rate is with the
       --interval option, which is an alternative way to modify the same
       underlying parameter.

       The time taken to perform a single-pass scan (i.e. with --retry=1) is
       given by:

              time = n*i + t + o

       Where n is the number of hosts in the list, i is the time interval
       between packets (specified with --interval, or calculated from
       --bandwidth), t is the timeout value (specified with --timeout) and o
       is the overhead time taken to load the targets into the list and read
       the MAC/Vendor mapping files.  For small lists of hosts, the timeout
       value will dominate, but for large lists the packet interval is the
       most important value.

       With 65,536 hosts, the default bandwidth of 256,000 bits/second (which
       results in a packet interval of 2ms), the default timeout of 100ms, and
       a single pass (--retry=1), and assuming an overhead of 1 second, the
       scan would take 65536*0.002 + 0.1 + 1 = 132.172 seconds, or about 2
       minutes 12 seconds.

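       The following Python script is an added example, not part of the
       arp-scan distribution.  It expands the three target forms described
       above (IPnetwork/bits, IPstart-IPend and IPnetwork:NetMask, plus single
       addresses and hostnames), sizes the in-memory host list at the 28 bytes
       per host the page states, and evaluates the single-pass formula
       time = n*i + t + o.  The only assumption it makes is the frame size used
       to turn --bandwidth into a packet interval: the page's own figure
       (256000 bit/s giving 2ms) implies 64 bytes per frame, and that value is
       labelled as an assumption in the code rather than taken from arp-scan.

```python
import ipaddress
import socket

# Per-host memory use of the target list, as stated in the arp-scan man page.
BYTES_PER_HOST = 28

# Frame size assumed when converting --bandwidth into a packet interval.  The
# man page's own figure (256000 bit/s gives a 2 ms interval) implies 64 bytes
# per frame (42-byte ARP request padded to 60 bytes plus the 4-byte FCS); this
# constant is an assumption derived from that figure, not a documented value.
ASSUMED_FRAME_BYTES = 64


def _parse_range(spec):
    """Return the inclusive IPstart-IPend range as a list, or None if spec is not one."""
    if "-" not in spec:
        return None
    lo_s, hi_s = spec.split("-", 1)
    try:
        lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
    except ValueError:
        return None                      # e.g. a hostname such as "web-01"
    if hi < lo:
        raise ValueError("range end precedes start: %s" % spec)
    return [str(ipaddress.IPv4Address(int(lo) + k)) for k in range(int(hi) - int(lo) + 1)]


def expand_target(spec):
    """Expand one target specification into a list of dotted-quad addresses.

    Handles the forms the man page describes: IPnetwork/bits and
    IPnetwork:NetMask (network and broadcast addresses included, as with
    --localnet), IPstart-IPend (inclusive), a single IP address, or a hostname
    (resolved with socket.gethostbyname, which needs working name resolution).
    """
    if "/" in spec:
        return [str(a) for a in ipaddress.IPv4Network(spec, strict=False)]
    if ":" in spec:
        addr, mask = spec.split(":", 1)
        return [str(a) for a in ipaddress.IPv4Network("%s/%s" % (addr, mask), strict=False)]
    as_range = _parse_range(spec)
    if as_range is not None:
        return as_range
    try:
        return [str(ipaddress.IPv4Address(spec))]
    except ValueError:
        return [socket.gethostbyname(spec)]


def host_list_bytes(n_hosts):
    """Memory needed for the in-memory target list (28 bytes per host)."""
    return n_hosts * BYTES_PER_HOST


def packet_interval_s(bandwidth_bps=256000, interval_ms=None):
    """Seconds between outgoing packets: from --interval if given, else from --bandwidth."""
    if interval_ms is not None:
        return interval_ms / 1000.0
    return ASSUMED_FRAME_BYTES * 8 / float(bandwidth_bps)


def single_pass_time_s(n_hosts, bandwidth_bps=256000, interval_ms=None,
                       timeout_ms=100, overhead_s=1.0):
    """time = n*i + t + o for a --retry=1 scan, exactly as the man page gives it."""
    i = packet_interval_s(bandwidth_bps, interval_ms)
    return n_hosts * i + timeout_ms / 1000.0 + overhead_s


def plan_scan(specs, **timing):
    """Expand all target specs and report host count, list memory and estimated time."""
    hosts = []
    for spec in specs:
        hosts.extend(expand_target(spec))
    return {
        "hosts": len(hosts),
        "list_bytes": host_list_bytes(len(hosts)),
        "single_pass_s": single_pass_time_s(len(hosts), **timing),
    }


if __name__ == "__main__":
    # Constructed sample: the three specification forms from the man page.
    print(plan_scan(["192.168.1.0/24", "192.168.1.3-192.168.1.27",
                     "10.0.0.1:255.255.255.248"]))
```

       Running plan_scan on a /16 reproduces the page's numbers: 65,536 hosts,
       1,835,008 bytes (1.75 MiB) of list memory and 132.172 seconds for a
       single pass with the default bandwidth and a 100ms timeout.  Sizing the
       list and the run time before scanning is the practical way to keep a
       large sweep from exhausting memory or flooding the segment.
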
       Any part of the outgoing ARP packet may be modified through the use of
       the various --arpXXX options.  The use of some of these options may
       make the outgoing ARP packet non-RFC-compliant.  Different operating
       systems handle the various non-standard ARP packets in different ways,
       and this may be used to fingerprint these systems.  See
       arp-fingerprint(1) for information about a script which uses these
       options to fingerprint the target operating system.

       The table below summarises the options that change the outgoing ARP
       packet.  In this table, the Field column gives the ARP packet field name
       from RFC 826, Bits specifies the number of bits in the field, Option
       shows the arp-scan option to modify this field, and Notes gives the
       default value and any other notes.

       ┌───────────────────────────────────────────────────────────────┐
       │                  Outgoing ARP Packet Options                  │
       ├───────┬──────┬──────────┬─────────────────────────────────────┤
       │Field  │ Bits │ Option   │ Notes                               │
       ├───────┼──────┼──────────┼─────────────────────────────────────┤
       │ar$hrd │  16  │ --arphrd │ Default is 1 (ARPHRD_ETHER)         │
       │ar$pro │  16  │ --arppro │ Default is 0x0800                   │
       │ar$hln │   8  │ --arphln │ Default is 6 (ETH_ALEN)             │
       │ar$pln │   8  │ --arppln │ Default is 4 (IPv4)                 │
       │ar$op  │  16  │ --arpop  │ Default is 1 (ARPOP_REQUEST)        │
       │ar$sha │  48  │ --arpsha │ Default is interface h/w address    │
       │ar$spa │  32  │ --arpspa │ Default is interface IP address     │
       │ar$tha │  48  │ --arptha │ Default is zero (00:00:00:00:00:00) │
       │ar$tpa │  32  │ None     │ Set to the target host IP address   │
       └───────┴──────┴──────────┴─────────────────────────────────────┘
       The most commonly used outgoing ARP packet option is --arpspa, which
       sets the source IP address in the ARP packet.  This option allows the
       outgoing ARP packet to use a different source IP address from the
       outgoing interface address.  With this option it is possible to use
       arp-scan on an interface with no IP address configured, which can be
       useful if you want to ensure that the testing host does not interact
       with the network being tested.

       It is also possible to change the values in the Ethernet frame header
       that precedes the ARP packet in the outgoing packets.  The table below
       summarises the options that change values in the Ethernet frame header.

       ┌───────────────────────────────────────────────────────────────────┐
       │                  Outgoing Ethernet Frame Options                  │
       ├───────────────┬──────┬─────────────┬──────────────────────────────┤
       │Field          │ Bits │ Option      │ Notes                        │
       ├───────────────┼──────┼─────────────┼──────────────────────────────┤
       │Dest Address   │  48  │ --destaddr  │ Default is ff:ff:ff:ff:ff:ff │
       │Source Address │  48  │ --srcaddr   │ Default is interface address │
       │Protocol Type  │  16  │ --prototype │ Default is 0x0806            │
       └───────────────┴──────┴─────────────┴──────────────────────────────┘
       The most commonly used outgoing Ethernet frame option is --destaddr,
       which sets the destination Ethernet address for the ARP packet.
       --prototype is not often used, because it will cause the packet to be
       interpreted as a different Ethernet protocol.

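       The script below is an added example written for this page; it is not
       arp-scan code.  It assembles an Ethernet-II frame plus the 28-byte ARP
       packet using exactly the field layout and defaults from the two tables
       above (keyword arguments named after the corresponding arp-scan options,
       including --arpspa=dest), decodes such a frame back into named RFC 826
       fields, and then lists every way a captured frame departs from a plain
       IPv4-over-Ethernet request or reply.  From the defender's side that
       anomaly list is the useful part: a frame carrying non-default ar$hrd,
       ar$pro, ar$hln, ar$pln or ar$op values, or a frame source address that
       disagrees with ar$sha, is the kind of hand-crafted probe the page says
       is used for fingerprinting, and a normal IP stack never emits one.  The
       padding check is a heuristic of this example (drivers legitimately pad
       to 60 bytes, so only longer frames are reported); the parameter names
       and the 60-byte threshold are assumptions of the example, not values
       taken from the page.

```python
import struct

# Field values from the man page's "Outgoing ARP Packet Options" and
# "Outgoing Ethernet Frame Options" tables.
ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
ARPHRD_ETHER = 1
ARPOP_REQUEST = 1
ARPOP_REPLY = 2
ETH_ALEN = 6
IPV4_ALEN = 4
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETH_MIN_FRAME = 60   # assumption of this example: minimum frame length without FCS


def mac_bytes(s):
    """'01:23:45:67:89:ab' or '01-23-45-67-89-AB' -> 6 bytes (both forms --destaddr accepts)."""
    parts = s.replace("-", ":").split(":")
    if len(parts) != ETH_ALEN:
        raise ValueError("bad MAC address: %r" % s)
    return bytes(int(p, 16) for p in parts)


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_bytes(s):
    parts = [int(p) for p in s.split(".")]
    if len(parts) != IPV4_ALEN or not all(0 <= p <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %r" % s)
    return bytes(parts)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_request(src_mac, src_ip, target_ip, destaddr=BROADCAST_MAC,
                      srcaddr=None, prototype=ETH_P_ARP,
                      arphrd=ARPHRD_ETHER, arppro=ETH_P_IP, arphln=ETH_ALEN,
                      arppln=IPV4_ALEN, arpop=ARPOP_REQUEST,
                      arpsha=None, arpspa=None, arptha=ZERO_MAC, padding=b""):
    """Ethernet-II header + 28-byte ARP packet with the man page's defaults.

    Keyword names mirror the arp-scan options (padding is given as bytes here,
    where the real --padding option takes hex).  As the page notes for --arphln
    and --arppln, changing the claimed lengths does not change the actual
    6-byte and 4-byte fields that are written.
    """
    if arpspa == "dest":                 # --arpspa=dest: source IP equals target IP
        arpspa = target_ip
    eth = mac_bytes(destaddr) + mac_bytes(srcaddr or src_mac) + struct.pack("!H", prototype)
    arp = struct.pack("!HHBBH", arphrd, arppro, arphln, arppln, arpop)
    arp += mac_bytes(arpsha or src_mac) + ip_bytes(arpspa or src_ip)
    arp += mac_bytes(arptha) + ip_bytes(target_ip)
    return eth + arp + padding


def decode_frame(frame):
    """Decode an Ethernet-II ARP frame into a dict of named fields."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP: %d bytes" % len(frame))
    dst, src = frame[0:6], frame[6:12]
    prototype = struct.unpack("!H", frame[12:14])[0]
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:42]                  # fixed 6/4/6/4 layout, regardless of hln/pln claims
    return {
        "dst": mac_str(dst), "src": mac_str(src), "prototype": prototype,
        "ar$hrd": hrd, "ar$pro": pro, "ar$hln": hln, "ar$pln": pln, "ar$op": op,
        "ar$sha": mac_str(body[0:6]), "ar$spa": ip_str(body[6:10]),
        "ar$tha": mac_str(body[10:16]), "ar$tpa": ip_str(body[16:20]),
        "length": len(frame),
    }


def arp_anomalies(fields):
    """List departures from a plain RFC 826 IPv4-over-Ethernet request/reply.

    Each check corresponds to one of the --prototype, --arpXXX, --srcaddr or
    --padding knobs described on the page; a non-empty list is a signal that
    the frame was hand-crafted rather than emitted by a normal IP stack.
    """
    found = []
    if fields["prototype"] != ETH_P_ARP:
        found.append("Ethernet type 0x%04x (expected 0x0806)" % fields["prototype"])
    if fields["ar$hrd"] != ARPHRD_ETHER:
        found.append("ar$hrd=%d (expected 1, ARPHRD_ETHER)" % fields["ar$hrd"])
    if fields["ar$pro"] != ETH_P_IP:
        found.append("ar$pro=0x%04x (expected 0x0800)" % fields["ar$pro"])
    if fields["ar$hln"] != ETH_ALEN:
        found.append("ar$hln=%d (expected 6)" % fields["ar$hln"])
    if fields["ar$pln"] != IPV4_ALEN:
        found.append("ar$pln=%d (expected 4)" % fields["ar$pln"])
    if fields["ar$op"] not in (ARPOP_REQUEST, ARPOP_REPLY):
        found.append("ar$op=%d (expected 1 or 2)" % fields["ar$op"])
    if fields["ar$sha"] != fields["src"]:
        found.append("ar$sha %s differs from frame source %s" % (fields["ar$sha"], fields["src"]))
    if fields["length"] > ETH_MIN_FRAME:   # heuristic: drivers pad only up to 60 bytes
        found.append("%d bytes: trailing padding beyond Ethernet minimum" % fields["length"])
    return found
```

       Fed the default request (all table defaults, broadcast destination,
       zero ar$tha) the anomaly list is empty; a request built with --arphrd=6,
       --arpop=3 or an --arpsha that differs from the frame source is reported
       field by field, which is what a capture filter or IDS rule for
       fingerprinting probes would key on.
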
       Any ARP responses that are received are displayed in the following
       format:

              <IP Address> <Hardware Address> <Vendor Details>

       Where IP Address is the IP address of the responding target, Hardware
       Address is its Ethernet hardware address (also known as the MAC
       address) and Vendor Details are the vendor details, decoded from the
       hardware address.  The output fields are separated by a single tab
       character.

       The responses are displayed in the order that they are received, which
       is not always the same order as the requests were sent because some
       hosts may respond faster than others.

       The vendor decoding uses the files ieee-oui.txt, ieee-iab.txt and
       mac-vendor.txt which are supplied with arp-scan.  The ieee-oui.txt and
       ieee-iab.txt files are generated from the OUI and IAB data on the IEEE
       website at http://standards.ieee.org/regauth/oui/ieee-oui.txt and
       http://standards.ieee.org/regauth/oui/iab.txt.  The Perl scripts
       get-oui and get-iab, which are included in the arp-scan package, can be
       used to update these files with the latest data from the IEEE website.
       The mac-vendor.txt file contains other MAC to Vendor mappings that are
       not covered by the IEEE OUI and IAB files.

       Almost all hosts that support IP will respond to arp-scan if they
       receive an ARP packet with the target protocol address (ar$tpa) set to
       their IP address.  This includes firewalls and other hosts with IP
       filtering that drop all IP traffic from the testing system.  For this
       reason, arp-scan is a useful tool to quickly determine all the active
       IP hosts on a given Ethernet network segment.

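       The script below is an added example, not arp-scan code.  It parses the
       tab-separated output format described above (including the "(DUP: n)"
       flag that --ignoredups suppresses), does the OUI-to-vendor lookup from
       an ieee-oui.txt-style table, and then compares a scan against an
       expected {ip: mac} inventory, which is how the "quickly determine all
       the active IP hosts" use case is turned into a check rather than a
       listing.  The sample scan output and OUI table are constructed for the
       example from the page's own result lines plus two added lines; the OUI
       file layout (six hex digits, tab, vendor, "#" comments) and the exact
       placement of the "(DUP: n)" suffix at the end of the line are
       assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample of an ieee-oui.txt-style file.  Assumed format: a
# 6-hex-digit OUI, a tab, and the vendor string, with '#' comment lines; the
# OUI values and vendor names are taken from the man page's example output.
SAMPLE_OUI_FILE = """\
# OUI\tVendor
00C09F\tQUANTA COMPUTER, INC.
0002B3\tIntel Corporation
0002A5\tCompaq Computer Corporation
000427\tCisco Systems, Inc.
"""

# Constructed arp-scan output: the first four result lines follow the man
# page's example; the last two are added to show a duplicate response and an
# IP address answered by two different hardware addresses.
SAMPLE_SCAN_OUTPUT = """\
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.4 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.0.1\t00:c0:9f:09:b8:db\tQUANTA COMPUTER, INC.
192.168.0.3\t00:02:b3:bb:66:98\tIntel Corporation
192.168.0.5\t00:02:a5:90:c3:e6\tCompaq Computer Corporation
192.168.0.251\t00:04:27:6a:5d:a1\tCisco Systems, Inc.
192.168.0.3\t00:02:b3:bb:66:98\tIntel Corporation (DUP: 2)
192.168.0.251\t00:0b:db:b2:fa:60\tDell ESG PCBA Test

13 packets received by filter, 0 packets dropped by kernel
"""

# <IP>\t<MAC>\t<Vendor>[ (DUP: n)]; banner and summary lines do not match.
RESULT_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\t([0-9a-fA-F:]{17})\t(.*?)(?: \(DUP: (\d+)\))?$")


def parse_oui_file(text):
    """Map lower-case 6-hex-digit OUI -> vendor string."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        oui, _, vendor = line.partition("\t")
        table[oui.lower()] = vendor.strip()
    return table


def lookup_vendor(mac, oui_table):
    """Vendor for a MAC from its 24-bit OUI, or None if the OUI is not listed."""
    return oui_table.get(mac.replace("-", ":").replace(":", "")[:6].lower())


def parse_scan_output(text):
    """Return one dict per result line, ignoring the banner and summary lines."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        ip, mac, vendor, dup = m.groups()
        results.append({"ip": ip, "mac": mac.lower(), "vendor": vendor,
                        "dup": int(dup) if dup else 0})
    return results


def audit_scan(results, inventory):
    """Compare scan results with an expected {ip: mac} inventory.

    Reports hosts not in the inventory, inventory hosts whose recorded MAC no
    longer answers for their IP, IPs answered by more than one MAC (two
    stations claiming the same address), duplicate responses flagged by
    arp-scan, and inventory hosts that did not respond at all.
    """
    macs_by_ip = defaultdict(set)
    for r in results:
        macs_by_ip[r["ip"]].add(r["mac"])
    inventory = {ip: mac.lower() for ip, mac in inventory.items()}
    return {
        "unknown": sorted(ip for ip in macs_by_ip if ip not in inventory),
        "mac_changed": sorted(ip for ip, macs in macs_by_ip.items()
                              if ip in inventory and inventory[ip] not in macs),
        "ip_conflicts": sorted(ip for ip, macs in macs_by_ip.items() if len(macs) > 1),
        "duplicates": sorted({r["ip"] for r in results if r["dup"]}),
        "silent": sorted(ip for ip in inventory if ip not in macs_by_ip),
    }


if __name__ == "__main__":
    oui = parse_oui_file(SAMPLE_OUI_FILE)
    seen = parse_scan_output(SAMPLE_SCAN_OUTPUT)
    for r in seen:
        print(r["ip"], r["mac"], lookup_vendor(r["mac"], oui))
    print(audit_scan(seen, {"192.168.0.1": "00:c0:9f:09:b8:db"}))
```

       An IP that two different hardware addresses answer for is the case
       worth alerting on: on a segment you control it is either a
       misconfigured duplicate address or another station answering for a
       host that is not its own.  Because arp-scan prints responses in arrival
       order, the audit keys on the (IP, MAC) pairs rather than on line order.
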
OPTIONS
       --help or -h
              Display this usage message and exit.

       --file=<fn> or -f <fn>
              Read hostnames or addresses from the specified file instead of
              from the command line.  One name or IP address per line.  Use
              "-" for standard input.

       --localnet or -l
              Generate addresses from the network interface configuration.
              Use the network interface IP address and network mask to
              generate the list of target host addresses.  The list will
              include the network and broadcast addresses, so an interface
              address of 10.0.0.1 with netmask 255.255.255.0 would generate
              256 target hosts from 10.0.0.0 to 10.0.0.255 inclusive.  If you
              use this option, you cannot specify the --file option or specify
              any target hosts on the command line.  The interface
              specifications are taken from the interface that arp-scan will
              use, which can be changed with the --interface option.

       --retry=<n> or -r <n>
              Set total number of attempts per host to <n>, default=3.

       --timeout=<n> or -t <n>
              Set initial per host timeout to <n> ms, default=500.  This
              timeout is for the first packet sent to each host.  Subsequent
              timeouts are multiplied by the backoff factor which is set with
              --backoff.

       --interval=<n> or -i <n>
              Set minimum packet interval to <n> ms.  This controls the
              outgoing bandwidth usage by limiting the rate at which packets
              can be sent.  The packet interval will be no smaller than this
              number.  If you want to use up to a given bandwidth, then it is
              easier to use the --bandwidth option instead.  The interval
              specified is in milliseconds by default, or in microseconds if
              "u" is appended to the value.

       --bandwidth=<n> or -B <n>
              Set desired outbound bandwidth to <n>, default=256000.  The
              value is in bits per second by default.  If you append "K" to
              the value, then the units are kilobits per sec; and if you
              append "M" to the value, the units are megabits per second.  The
              "K" and "M" suffixes represent the decimal, not binary,
              multiples.  So 64K is 64000, not 65536.  You cannot specify both
              --interval and --bandwidth because they are just different ways
              to change the same parameter.

       --backoff=<b> or -b <b>
              Set timeout backoff factor to <b>, default=1.50.  The per-host
              timeout is multiplied by this factor after each timeout.  So, if
              the number of retries is 3, the initial per-host timeout is
              500ms and the backoff factor is 1.5, then the first timeout will
              be 500ms, the second 750ms and the third 1125ms.

       --verbose or -v
              Display verbose progress messages.  Use more than once for
              greater effect: 1 - Show when hosts are removed from the list
              and other useful information; 2 - Show each packet sent and
              received; 3 - Display the host list before scanning starts.

       --version or -V
              Display program version and exit.

       --random or -R
              Randomise the host list.  This option randomises the order of
              the hosts in the host list, so the ARP packets are sent to the
              hosts in a random order.  It uses the Knuth shuffle algorithm.

       --numeric or -N
              IP addresses only, no hostnames.  With this option, all hosts
              must be specified as IP addresses.  Hostnames are not permitted.

       --snap=<s> or -n <s>
              Set the pcap snap length to <s>.  Default=64.  This specifies
              the frame capture length.  This length includes the data-link
              header.  The default is normally sufficient.

       --interface=<i> or -I <i>
              Use network interface <i>.  If this option is not specified,
              arp-scan will search the system interface list for the lowest
              numbered, configured up interface (excluding loopback).  The
              interface specified must support ARP.

       --quiet or -q
              Only display minimal output.  If this option is specified, then
              only the minimum information is displayed.  With this option,
              the OUI file is not used.

       --ignoredups or -g
              Don't display duplicate packets.  By default, duplicate packets
              are displayed and are flagged with "(DUP: n)".

       --ouifile=<o> or -O <o>
              Use OUI file <o>, default=/usr/local/share/arp-scan/ieee-oui.txt.
              This file provides the Ethernet OUI to vendor string mapping.

       --iabfile=<i> or -F <i>
              Use IAB file <i>, default=/usr/local/share/arp-scan/ieee-iab.txt.
              This file provides the IEEE Ethernet IAB to vendor string
              mapping.

       --macfile=<m> or -m <m>
              Use MAC/Vendor file <m>,
              default=/usr/local/share/arp-scan/mac-vendor.txt.  This file
              provides the custom Ethernet MAC to vendor string mapping.

       --srcaddr=<m> or -S <m>
              Set the source Ethernet MAC address to <m>.  This sets the
              48-bit hardware address in the Ethernet frame header for
              outgoing ARP packets.  It does not change the hardware address
              in the ARP packet; see --arpsha for details on how to change
              that address.  The default is the Ethernet address of the
              outgoing interface.

       --destaddr=<m> or -T <m>
              Send the packets to Ethernet MAC address <m>.  This sets the
              48-bit destination address in the Ethernet frame header.  The
              default is the broadcast address ff:ff:ff:ff:ff:ff.  Most
              operating systems will also respond if the ARP request is sent
              to their MAC address, or to a multicast address that they are
              listening on.  The address can be specified either in the format
              01:23:45:67:89:ab, or as 01-23-45-67-89-ab.  The alphabetic hex
              characters may be upper or lower case.

       --arpsha=<m> or -u <m>
              Use <m> as the ARP source Ethernet address.  This sets the
              48-bit ar$sha field in the ARP packet.  It does not change the
              hardware address in the frame header; see --srcaddr for details
              on how to change that address.  The default is the Ethernet
              address of the outgoing interface.

       --arptha=<m> or -w <m>
              Use <m> as the ARP target Ethernet address.  This sets the
              48-bit ar$tha field in the ARP packet.  The default is zero,
              because this field is not used for ARP request packets.

       --prototype=<p> or -y <p>
              Set the Ethernet protocol type to <p>, default=0x0806.  This
              sets the 16-bit protocol type field in the Ethernet frame
              header.  Setting this to a non-default value will result in the
              packet being ignored by the target, or sent to the wrong
              protocol stack.  This option is probably not useful, and is only
              present for completeness.

       --arphrd=<o> or -H <o>
              Use <o> for the ARP hardware type, default=1.  This sets the
              16-bit ar$hrd field in the ARP packet.  The normal value is 1
              (ARPHRD_ETHER).  Most, but not all, operating systems will also
              respond to 6 (ARPHRD_IEEE802).  A few systems respond to any
              value.

       --arppro=<o> or -p <o>
              Use <o> for the ARP protocol type, default=0x0800.  This sets
              the 16-bit ar$pro field in the ARP packet.  Most operating
              systems only respond to 0x0800 (IPv4) but some will respond to
              other values as well.

       --arphln=<l> or -a <l>
              Set the hardware address length to <l>, default=6.  This sets
              the 8-bit ar$hln field in the ARP packet.  It sets the claimed
              length of the hardware address in the ARP packet.  Setting it to
              any value other than the default will make the packet
              non-RFC-compliant.  Some operating systems may still respond to
              it though.  Note that the actual lengths of the ar$sha and
              ar$tha fields in the ARP packet are not changed by this option;
              it only changes the ar$hln field.

       --arppln=<l> or -P <l>
              Set the protocol address length to <l>, default=4.  This sets
              the 8-bit ar$pln field in the ARP packet.  It sets the claimed
              length of the protocol address in the ARP packet.  Setting it to
              any value other than the default will make the packet
              non-RFC-compliant.  Some operating systems may still respond to
              it though.  Note that the actual lengths of the ar$spa and
              ar$tpa fields in the ARP packet are not changed by this option;
              it only changes the ar$pln field.

       --arpop=<o> or -o <o>
              Use <o> for the ARP operation, default=1.  This sets the 16-bit
              ar$op field in the ARP packet.  Most operating systems will only
              respond to the value 1 (ARPOP_REQUEST).  However, some systems
              will respond to other values as well.

       --arpspa=<s> or -s <s>
              Use <s> as the source IP address.  The address should be
              specified in dotted quad format; or the string "dest", which
              sets the source address to be the same as the target host
              address.  This sets the 32-bit ar$spa field in the ARP packet.
              Some operating systems check this, and will only respond if the
              source address is within the network of the receiving interface.
              Others don't care, and will respond to any source address.  By
              default, the outgoing interface address is used.

       --padding=<p> or -A <p>
              Specify padding after packet data.  Set the padding data to hex
              value <p>.  This data is appended to the end of the ARP packet,
              after the data.  Most, if not all, operating systems will ignore
              any padding.  The default is no padding, although the Ethernet
              driver on the sending system may pad the packet to the minimum
              Ethernet frame length.

       --llc or -L
              Use RFC 1042 LLC framing with SNAP.  This option causes the
              outgoing ARP packets to use IEEE 802.2 framing with a SNAP
              header as described in RFC 1042.  The default is to use
              Ethernet-II framing.  arp-scan will decode and display received
              ARP packets in either Ethernet-II or IEEE 802.2 formats
              irrespective of this option.

       --vlan=<v> or -Q <v>
              Use 802.1Q tagging with VLAN id <v>.  This option causes the
              outgoing ARP packets to use 802.1Q VLAN tagging with a VLAN ID
              of <v>, which should be in the range 0 to 4095 inclusive.
              arp-scan will always decode and display received ARP packets in
              802.1Q format irrespective of this option.

       --pcapsavefile=<p> or -W <p>
              Write received packets to pcap savefile <p>.  This option causes
              received ARP responses to be written to a pcap savefile with the
              specified name.  This savefile can be analyzed with programs
              that understand the pcap file format, such as "tcpdump" and
              "wireshark".

FILES
       /usr/local/share/arp-scan/ieee-oui.txt
              List of IEEE OUI (Organizationally Unique Identifier) to vendor
              mappings.

       /usr/local/share/arp-scan/ieee-iab.txt
              List of IEEE IAB (Individual Address Block) to vendor mappings.

       /usr/local/share/arp-scan/mac-vendor.txt
              List of other Ethernet MAC to vendor mappings.

EXAMPLES
       The example below shows arp-scan being used to scan the network
       192.168.0.0/24 using the network interface eth0.

       $ arp-scan --interface=eth0 192.168.0.0/24
       Interface: eth0, datalink type: EN10MB (Ethernet)
       Starting arp-scan 1.4 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
       192.168.0.1     00:c0:9f:09:b8:db       QUANTA COMPUTER, INC.
       192.168.0.3     00:02:b3:bb:66:98       Intel Corporation
       192.168.0.5     00:02:a5:90:c3:e6       Compaq Computer Corporation
       192.168.0.6     00:c0:9f:0b:91:d1       QUANTA COMPUTER, INC.
       192.168.0.12    00:02:b3:46:0d:4c       Intel Corporation
       192.168.0.13    00:02:a5:de:c2:17       Compaq Computer Corporation
       192.168.0.87    00:0b:db:b2:fa:60       Dell ESG PCBA Test
       192.168.0.90    00:02:b3:06:d7:9b       Intel Corporation
       192.168.0.105   00:13:72:09:ad:76       Dell Inc.
       192.168.0.153   00:10:db:26:4d:52       Juniper Networks, Inc.
       192.168.0.191   00:01:e6:57:8b:68       Hewlett-Packard Company
       192.168.0.251   00:04:27:6a:5d:a1       Cisco Systems, Inc.
       192.168.0.196   00:30:c1:5e:58:7d       HEWLETT-PACKARD

       13 packets received by filter, 0 packets dropped by kernel
       Ending arp-scan: 256 hosts scanned in 3.386 seconds (75.61 hosts/sec). 13 responded

       This next example shows arp-scan being used to scan the local network
       after configuring the network interface with DHCP using pump.

       # pump
       # ifconfig eth0
       eth0      Link encap:Ethernet  HWaddr 00:D0:B7:0B:DD:C7
                 inet addr:10.0.84.178  Bcast:10.0.84.183  Mask:255.255.255.248
                 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                 RX packets:46335 errors:0 dropped:0 overruns:0 frame:0
                 TX packets:1542776 errors:0 dropped:0 overruns:0 carrier:0
                 collisions:1644 txqueuelen:1000
                 RX bytes:6184146 (5.8 MiB)  TX bytes:348887835 (332.7 MiB)
       # arp-scan --localnet
       Interface: eth0, datalink type: EN10MB (Ethernet)
       Starting arp-scan 1.4 with 8 hosts (http://www.nta-monitor.com/tools/arp-scan/)
       10.0.84.179     00:02:b3:63:c7:57       Intel Corporation
       10.0.84.177     00:d0:41:08:be:e8       AMIGO TECHNOLOGY CO., LTD.
       10.0.84.180     00:02:b3:bd:82:9b       Intel Corporation
       10.0.84.181     00:02:b3:1f:73:da       Intel Corporation

       4 packets received by filter, 0 packets dropped by kernel
       Ending arp-scan 1.4: 8 hosts scanned in 0.820 seconds (9.76 hosts/sec). 4 responded

AUTHOR
       Roy Hills <Roy.Hills@nta-monitor.com>

SEE ALSO
       get-oui(1)

       get-iab(1)

       arp-fingerprint(1)

       RFC 826 - An Ethernet Address Resolution Protocol

       http://www.nta-monitor.com/wiki/ The arp-scan wiki page.

       http://www.nta-monitor.com/tools/arp-scan/ The arp-scan homepage.

                                 July 11, 2008                      ARP-SCAN(1)