Scan the local network with arp-scan on Ubuntu

Arp-scan

Arp-scan is a command-line utility for Linux that scans the network attached to a given interface for live hosts. It shows the IP address and MAC address of every host it finds.

Project website
http://www.nta-monitor.com/tools-resources/security-tools/arp-scan

Install on Ubuntu

$ sudo apt-get install arp-scan

The documentation can be found at
http://www.nta-monitor.com/wiki/index.php/Arp-scan_Documentation

Usage

Quick example

$ sudo arp-scan --interface=eth0 --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1     00:21:2c:82:08:87       SemIndia System Private Limited
192.168.1.2     6c:f0:49:69:c1:25       GIGA-BYTE TECHNOLOGY CO.,LTD.

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.435 seconds (178.40 hosts/sec). 2 responded

In the example above, arp-scan scanned the network attached to the eth0 interface and discovered 2 live nodes apart from the local machine. The --localnet option makes arp-scan scan the local network.

In place of the --localnet option, arp-scan can also take a range of IP addresses to scan. For example:

$ sudo arp-scan --interface=eth0 192.168.1.1/24
Interface: eth0, datalink type: EN10MB (Ethernet)
WARNING: host part of 192.168.1.1/24 is non-zero
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1     00:21:2c:82:08:87       SemIndia System Private Limited
192.168.1.2     6c:f0:49:69:c1:25       GIGA-BYTE TECHNOLOGY CO.,LTD.

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.421 seconds (180.15 hosts/sec). 2 responded

The IP range is given in CIDR notation. The number after the forward slash indicates how many bits, counted from the left, stay constant. So 24 means that the first 24 bits stay constant and the rest can change, which implies that only the last octet can change, so the range is effectively 192.168.1.1 to 192.168.1.256
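
The host lines in the scan output above carry an IP address, a MAC address and a vendor name, so they can be checked against a list of devices you expect on the network. The shell functions below are an added example, not part of the original article or the arp-scan project; the inventory file format (one MAC per line, "#" starts a comment) and the 192.168.1.50 host are assumptions constructed for the demo.

```shell
# parse_hosts: read arp-scan output on stdin, print "IP MAC" per host line.
# Banner, WARNING and summary lines are skipped because their first two
# fields are not a valid IPv4 address followed by a MAC address.
parse_hosts() {
  awk '
    function is_ip(s,   n, p, i) {
      n = split(s, p, "."); if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
      return 1
    }
    function is_mac(s,   n, p, i) {
      n = split(s, p, ":"); if (n != 6) return 0
      for (i = 1; i <= 6; i++)
        if (p[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) return 0
      return 1
    }
    is_ip($1) && is_mac($2) { print $1, tolower($2) }
  '
}

# unknown_hosts FILE: read arp-scan output on stdin and print the hosts whose
# MAC is not listed in FILE (hypothetical inventory format, see above).
# If FILE is missing or empty, every host is reported.
unknown_hosts() {
  parse_hosts | awk -v inv="$1" '
    BEGIN {
      while ((getline line < inv) > 0) {
        sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
        if (line != "") known[tolower(line)] = 1
      }
    }
    !($2 in known)
  '
}

# Constructed demo: the two hosts from the scan above plus a made-up third
# device, checked against an inventory that lists only the first two.
demo() {
  demo_inv=$(mktemp)
  printf '%s\n' '00:21:2c:82:08:87  # known device' '6C:F0:49:69:C1:25' > "$demo_inv"
  {
    printf 'Starting arp-scan 1.8.1 with 256 hosts\n'
    printf '192.168.1.1\t00:21:2c:82:08:87\tSemIndia System Private Limited\n'
    printf '192.168.1.2\t6c:f0:49:69:c1:25\tGIGA-BYTE TECHNOLOGY CO.,LTD.\n'
    printf '192.168.1.50\t02:00:00:aa:bb:cc\t(Unknown)\n'
    printf '2 packets received by filter, 0 packets dropped by kernel\n'
  } | unknown_hosts "$demo_inv"
  rm -f "$demo_inv"
}
demo
```

On a real network, pipe the scan into the function instead of the demo input: sudo arp-scan --interface=eth0 --localnet | unknown_hosts known-macs.txt (known-macs.txt is a placeholder name for your own inventory file).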

Last Updated On : 16th August 2012

3 Comments

  • When I run the ‘sudo apt-get install arp-scan’ command I am getting
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    E: Unable to locate package arp-scan
    this message. What is the solution for this problem?

  • Thank you.

  • One question that I have, and correct me if I am wrong or missing anything. Even with every option used, I still can’t figure out how to make arp-scan list the information from the interface it is running from.

    So basically in my example, the workstation on the LAN that I am running arp-scan from has IP 192.168.0.10, yet that is not listed in the results. But running arp-scan from another workstation, I see that listed, and that new workstation’s information is not. Probably by design, but I was wondering if there was any way around it.
    I have read the man pages and the user wiki; this can nowhere be found.
    Thank you.
