Category: Information Gathering. Tags: arp, scanning, fingerprinting, network discovery, mac vendor

arp-scan

arp-scan is a command-line tool that uses the ARP protocol to discover and fingerprint IP hosts on the local network. It sends ARP requests and displays responses with MAC addresses and vendor information.

Description

arp-scan is designed for discovering devices on local networks by leveraging the Address Resolution Protocol (ARP). It scans specified IP ranges or local networks, identifying active hosts and their associated MAC addresses. The tool also fingerprints systems based on ARP responses and maps MAC addresses to vendor information using OUI databases.

Common use cases include network inventory, identifying unauthorized devices, and reconnaissance during penetration testing. It excels in local network environments where ARP operates at layer 2, making it faster and more reliable than higher-layer scanning tools for discovering local hosts.

The tool supports Linux and BSD systems under the GPL license and requires raw socket privileges, typically achieved through root access or POSIX capabilities. It provides extensive customization for packet crafting, timing, output formatting, and bandwidth control.

How It Works

arp-scan creates raw Ethernet frames containing ARP request packets and transmits them to target IP addresses using raw sockets. It requires CAP_NET_RAW privileges on Linux or root access. The tool supports custom ARP fields (ar$sha, ar$spa, ar$op, etc.), Ethernet headers (--srcaddr, --destaddr), VLAN tagging, and LLC encapsulation.

Responses are captured via libpcap, decoded, and matched to sent requests. Duplicate responses are tracked, RTT is calculated if enabled, and MAC addresses are looked up in OUI/mac-vendor files for vendor identification. Output can be formatted with custom templates using field variables like ${ip}, ${mac}, ${vendor}.

Installation

```bash
sudo apt install arp-scan
```

Flags

--localnet or -l           Generate addresses from interface configuration (network and broadcast included)
--interface=<s> or -I <s>  Use network interface <s>
--srcaddr=<m> or -S <m>    Set the source Ethernet MAC address
--file=<s> or -f <s>       Read hostnames or addresses from the specified file
--quiet or -q              Display minimal output for each responding host (IP and MAC only)
--format=<s> or -F <s>     Specify the output format string using ${field} syntax
--verbose or -v            Display verbose progress messages
--resolve or -d            Resolve responding addresses to hostnames
--random or -R             Randomise the target host list
--timeout=<i> or -t <i>    Set initial per-host timeout to <i> ms, default=500

Examples

Scan the local network using the information from the primary network interface
arp-scan -l
Scan a subnet, specifying the interface to use and a custom source MAC address
arp-scan -I eth0 --srcaddr=DE:AD:BE:EF:CA:FE 192.168.86.0/24
Generate addresses from interface configuration without specifying interface
arp-scan --localnet
Scan a specific subnet using CIDR notation
arp-scan 192.168.1.0/24
Read target hostnames or addresses from a file
arp-scan --file=targets.txt
Scan subnet and resolve responding addresses to hostnames
arp-scan --resolve 192.168.86.0/24
Scan with custom tab-separated output format
arp-scan --format='${ip}\t${mac}\t${vendor}' 192.168.1.0/24
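The Description section names network inventory and identifying unauthorized devices as the main use cases, and the last example shows the tab-separated output that makes arp-scan easy to post-process. The script below is an added example, not part of arp-scan: it parses the tool's host lines (tolerating the banner, the summary lines and `(DUP: n)` repeats), compares every responding MAC against an authorised-device list and reports unknown devices, known devices answering from an unexpected IP, and IPs claimed by more than one MAC. The scan output and the inventory are constructed sample data approximating arp-scan's default layout.

```python
"""Inventory audit over arp-scan output (added example, not part of arp-scan)."""
import re
from collections import defaultdict

# One host line: IP <tab> MAC <tab> vendor, optionally followed by " (DUP: n)".
HOST_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\t([0-9A-Fa-f:]{17})\t(.*?)(?:\s+\(DUP: \d+\))?$")

# Constructed sample approximating what `arp-scan --localnet` prints.
SAMPLE_OUTPUT = """\
Interface: eth0, type: EN10MB, MAC: de:ad:be:ef:ca:fe, IPv4: 192.168.1.10
Starting arp-scan with 256 hosts
192.168.1.1\t00:50:56:aa:bb:cc\tVMware, Inc.
192.168.1.20\tb8:27:eb:11:22:33\tRaspberry Pi Foundation
192.168.1.1\t00:50:56:aa:bb:cc\tVMware, Inc. (DUP: 2)
192.168.1.20\t02:11:22:33:44:55\t(Unknown: locally administered)
192.168.1.77\t02:aa:bb:cc:dd:ee\t(Unknown: locally administered)

4 packets received by filter, 0 packets dropped by kernel
"""

# Constructed allowlist: authorised MAC -> (expected IP, asset name).
INVENTORY = {
    "00:50:56:aa:bb:cc": ("192.168.1.1", "gateway-vm"),
    "b8:27:eb:11:22:33": ("192.168.1.20", "sensor-pi"),
}


def parse_arp_scan(text):
    """Yield (ip, mac, vendor) for each distinct host line; banner, summary and DUP repeats are skipped."""
    seen = set()
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue
        ip, mac, vendor = match.group(1), match.group(2).lower(), match.group(3)
        if (ip, mac) in seen:
            continue  # a DUP line repeats a host already reported
        seen.add((ip, mac))
        yield ip, mac, vendor


def audit(text, inventory):
    """Return findings as (kind, ip, mac_or_macs, detail) tuples."""
    findings = []
    macs_by_ip = defaultdict(set)
    for ip, mac, vendor in parse_arp_scan(text):
        macs_by_ip[ip].add(mac)
        if mac not in inventory:
            findings.append(("unknown-device", ip, mac, vendor))
        elif inventory[mac][0] != ip:
            findings.append(("ip-mismatch", ip, mac, inventory[mac][1]))
    # Two MACs answering for one IP is either a misconfiguration or something worth a closer look.
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            findings.append(("ip-conflict", ip, ",".join(sorted(macs)), ""))
    return findings


if __name__ == "__main__":
    for kind, ip, mac, detail in audit(SAMPLE_OUTPUT, INVENTORY):
        print(f"{kind:15} {ip:15} {mac:35} {detail}")
```

To run it against a live scan, pipe the output in (`sudo arp-scan --localnet | python3 audit.py`, reading `sys.stdin` instead of `SAMPLE_OUTPUT`) and keep the inventory in a file under change control; a device that moves IP legitimately shows up as `ip-mismatch` until the inventory is updated, which is the intended signal.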
Updated 2026-04-16. Source: kali.org