Today I release arpscan into the wild, as an Open Source project.
ARP (RFC 826) is the Address Resolution Protocol. Machines use it to find other machines on the local segment, normally so they can send them packets (such as TCP/IP packets or UDP datagrams).
Ethernet has no idea about routing, or even what an IPv4 address is. All it knows about is the datalink and MAC addresses. Ethernet frames have two such addresses: the source MAC (known to the host, from the egress interface) and the destination MAC. Since keeping static tables of MAC addresses for all hosts on a LAN would be even less maintainable than static host tables were before DNS, ARP was born.
For our purposes, ARP consists of only two operations: requests and replies. A request is sent out into the segment to determine which MAC address owns a specific protocol address. A reply is sent from the owning host, answering that query.
arpscan sends a flurry of ARP requests out onto the local segment, probing to see who (if anyone) owns each and every IP address in a range like 10.15.0.0/24. As ARP replies come in from the other hosts, MAC → IPv4 address associations are printed to standard output.
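The request/reply exchange described above, as an added example that is not arpscan's own code: it encodes an RFC 826 "who has X?" request the way a scanner would, encodes the reply a host would send back, and decodes replies into the MAC → IPv4 pairs arpscan prints, rejecting frames that are not well-formed IPv4-over-Ethernet ARP replies. The scanner MAC/IP and the owning host's addresses are constructed sample values (the latter taken from the example output below); nothing here touches the wire.

```python
import struct

# RFC 826 / Ethernet constants for IPv4-over-Ethernet ARP
ETH_P_ARP = 0x0806        # EtherType for ARP
HTYPE_ETHERNET = 1        # hardware type
PTYPE_IPV4 = 0x0800       # protocol type
OP_REQUEST, OP_REPLY = 1, 2
ARP_HDR = "!HHBBH"        # htype, ptype, hlen, plen, opcode (8 bytes)

def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def build_arp(op, eth_dst, src_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame (14 bytes) carrying one ARP message (28 bytes)."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_HDR, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_to_bytes(src_mac) + ip_to_bytes(sender_ip)      # sender HW/proto addr
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)   # target HW/proto addr
    return eth + arp

def build_arp_request(src_mac, src_ip, target_ip):
    """'Who has target_ip?' broadcast to the segment; target MAC unknown, so zeros."""
    return build_arp(OP_REQUEST, "ff:ff:ff:ff:ff:ff", src_mac, src_ip,
                     "00:00:00:00:00:00", target_ip)

def build_arp_reply(owner_mac, owner_ip, asker_mac, asker_ip):
    """'owner_ip is at owner_mac', unicast back to whoever asked."""
    return build_arp(OP_REPLY, asker_mac, owner_mac, owner_ip, asker_mac, asker_ip)

def parse_arp_reply(frame):
    """(sender_mac, sender_ip) for a well-formed Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if struct.unpack(ARP_HDR, frame[14:22]) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, OP_REPLY):
        return None
    return bytes_to_mac(frame[22:28]), bytes_to_ip(frame[28:32])

def collect_hosts(frames):
    """Unique MAC -> IPv4 associations seen in replies, as arpscan would print them."""
    return sorted({p for p in map(parse_arp_reply, frames) if p})
```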
The beauty of this type of scan is simple. ARP requests cannot be blocked; it makes little sense to be on a network but refuse to tell anyone where you really are. Without ARP, no packets would get to you. On top of that, it is fast. Faster than a ping loop; faster than nmap. Unlike arping and friends, arpscan bypasses the system ARP cache entirely. If you've ever scanned a large network (10.0.0.0/8 springs to mind) with arping, you know why this is desirable.
Here are some examples, to whet the appetite:
    # arpscan -d wlan0 -n 10.0.0.0/24
    68:7f:74:b4:53:aa 10.0.0.1
    00:30:67:69:12:f9 10.0.0.15
    00:80:77:8d:d6:7a 10.0.0.92
    3c:43:8e:09:03:4b 10.0.0.93
And here's my virtualized test environment:
    # sudo arpscan -d virbr2 -n 10.10.10.0/24 -t 1200
    52:54:00:18:40:9b 10.10.10.130
    52:54:00:3e:53:5e 10.10.10.129
    52:54:00:61:64:db 10.10.10.132
    52:54:00:a4:53:c8 10.10.10.131
    52:54:00:2d:f9:16 10.10.10.123
    52:54:00:2f:a9:77 10.10.10.128
    52:54:00:a6:69:3b 10.10.10.124
    52:54:00:c5:21:0b 10.10.10.133
    aa:89:dc:f1:87:45 10.10.10.126
    52:54:00:7c:a8:ae 10.10.10.121
To grab your own copy, download the code from github:
WARNING: arpscan is still very beta software (less than a day old as of this writing). It may not work well on large networks. It may not work well (or at all) on your network. I welcome bug reports and patches, the latter more so than the former.