Skip to content

Discover all active devices in LAN with arp-scan

arp-scan is a very fast ARP packet scanner that shows every active IPv4 device on your subnet. Since ARP is non-routable, this type of scanner only works on the local LAN (local subnet or network segment). arp-scan shows all active devices even if they have firewalls. Devices cannot hide from ARP packets like they can hide from Ping.

Target hosts must be specified on the command line unless the –file option is given, in which case the targets are read from the specified file instead, or the –localnet option is used, in which case the targets are generated from the network interface IP address and netmask.

You will need to be root, or arp-scan must be SUID root, in order to run arp-scan, because the functions that it uses to read and write packets require root privilege.

The target hosts can be specified as IP addresses or hostnames. You can also specify the target as IPnetwork/bits (e.g. 192.168.1.0/24) to specify all hosts in the given network (network and broadcast addresses included), IPstart-IPend (e.g. 192.168.1.3-192.168.1.27) to specify all hosts in the inclusive range, or IPnetwork:NetMask (e.g. 192.168.1.0:255.255.255.0) to specify all hosts in the given network and mask.

arp-scan supports Ethernet and 802.11 wireless networks. It could also support token ring and FDDI, but they have not been tested. It does not support serial links such as PPP or SLIP, because ARP is not supported on them.

The ARP protocol is a layer-2 (datalink layer) protocol that is used to determine a host’s layer-2 address given its layer-3 (network layer) address. ARP was designed to work with any layer-2 and layer-3 address format, but the most common use is to map IP addresses to Ethernet hardware addresses, and this is what arp-scan supports. ARP only operates on the local network, and cannot be routed. Although the ARP protocol makes use of IP addresses, it is not an IP-based protocol and arp-scan can be used on an interface that is not configured for IP.

Quick test on my MacBook.

My network interface:

macbook:~# ifconfig en0
en0: flags=8863 mtu 1500
	ether 08:6d:41:dc:84:56 
	inet6 fe80::89b:44b:d149:66c3%en0 prefixlen 64 secured scopeid 0x4 
	inet 192.168.192.24 netmask 0xffffff00 broadcast 192.168.192.255
	nd6 options=201
	media: autoselect
	status: active

I will scan the entire network prefix /24 (192.168.192.24)

macbook:~# arp-scan 192.168.192.0/23
Interface: en0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 512 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.192.1	54:fa:3e:17:94:8b	(Unknown)
192.168.192.2	54:fa:3e:17:94:8e	(Unknown)
192.168.192.9	78:ac:c0:c2:35:87	Hewlett-Packard Company
192.168.192.5	00:08:22:a8:09:03	InPro Comm
192.168.192.42	00:23:69:7e:4f:68	Cisco-Linksys, LLC
192.168.192.25	00:22:43:21:c0:57	AzureWave Technologies, Inc.
192.168.192.51	b0:c4:e7:2c:98:71	Samsung Electronics

1045 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 512 hosts scanned in 2.947 seconds (173.74 hosts/sec). 7 responded

Installation on Mac OS X. (MacPorts)

port install arp-scan

Installation on Debian.

apt-get install arp-scan

Reference: man arp-scan

Published inFreeBSDLinuxMacOS