arpscan — or — Scanning Networks via ARP Requests

Today I release arpscan into the wild, as an Open Source project.

ARP (RFC 826) is the Address Resolution Protocol, used by machines on a LAN to find the link-layer (MAC) address of other machines, normally so they can send them packets (IP packets carrying TCP segments or UDP datagrams).

Ethernet has no idea about routing, or even what an IPv4 address is. All it knows about is the data link and MAC addresses. Ethernet frames carry two such addresses: the source MAC (known to the host, from the egress interface) and the destination MAC. Since keeping static tables of MAC addresses for all hosts on a LAN would be even less maintainable than /etc/hosts was before DNS, ARP was born.

For our purposes, ARP consists of only two operations: requests and replies. A request is broadcast onto the segment to ask which MAC address owns a specific protocol (IPv4) address. A reply is sent by the owning host, unicast back to the asker, answering that query.

Enter arpscan.

arpscan sends a flurry of ARP requests out onto the local segment, probing to see who (if anyone) owns each and every IP address in a range like 10.15.0.0/24. As ARP replies come in from the other hosts, MAC → IPv4 address associations are printed to standard output.
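To make the request/reply exchange and the range sweep concrete, here is an added, self-contained C example. It is written for this post and is not arpscan's source, nor a description of how arpscan is implemented. It builds the 42-byte who-has frame for every address in a CIDR block, parses an is-at reply into a MAC → IPv4 pair, and formats that pair the way the output lines above read. The source MAC 02:00:00:00:00:01, the source IP 10.0.0.100 and the reply frame are constructed sample data; actually putting frames on the wire would need an AF_PACKET raw socket on Linux (or libpcap), so sending is left as a callback and the example runs offline.

```c
/* Added example for this post, not arpscan's code: build ARP who-has frames
 * for a CIDR block, parse is-at replies, print MAC -> IPv4 associations. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_ARP   0x0806
#define ARP_HTYPE_ETHER 1
#define ARP_PTYPE_IPV4  0x0800
#define ARP_OP_REQUEST  1
#define ARP_OP_REPLY    2
#define ARP_FRAME_LEN   42   /* 14-byte Ethernet II header + 28-byte ARP body */

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Fill `out` with a who-has frame (RFC 826 layout): broadcast destination, our
 * MAC/IP as sender, all-zero target MAC, the probed IP as target. IPs are host order. */
void build_arp_request(uint8_t out[ARP_FRAME_LEN], const uint8_t src_mac[6],
                       uint32_t src_ip, uint32_t target_ip)
{
    memset(out, 0xff, 6);            /* dst MAC: ff:ff:ff:ff:ff:ff */
    memcpy(out + 6, src_mac, 6);     /* src MAC */
    put16(out + 12, ETHERTYPE_ARP);
    put16(out + 14, ARP_HTYPE_ETHER);
    put16(out + 16, ARP_PTYPE_IPV4);
    out[18] = 6;                     /* hardware address length */
    out[19] = 4;                     /* protocol address length */
    put16(out + 20, ARP_OP_REQUEST);
    memcpy(out + 22, src_mac, 6);    /* sender hardware address */
    put32(out + 28, src_ip);         /* sender protocol address */
    memset(out + 32, 0, 6);          /* target hardware address: unknown */
    put32(out + 38, target_ip);      /* target protocol address: who has this? */
}

/* Return 1 and fill mac/ip if `frame` is a well-formed IPv4-over-Ethernet ARP
 * reply; 0 for requests, other ethertypes, or truncated frames. */
int parse_arp_reply(const uint8_t *frame, size_t len, uint8_t mac[6], uint32_t *ip)
{
    if (len < ARP_FRAME_LEN || get16(frame + 12) != ETHERTYPE_ARP) return 0;
    if (get16(frame + 14) != ARP_HTYPE_ETHER || get16(frame + 16) != ARP_PTYPE_IPV4) return 0;
    if (frame[18] != 6 || frame[19] != 4 || get16(frame + 20) != ARP_OP_REPLY) return 0;
    memcpy(mac, frame + 22, 6);      /* the replying host's MAC ... */
    *ip = get32(frame + 28);         /* ... and the IP it claims to own */
    return 1;
}

/* Parse "a.b.c.d/n" into the first and last address of the block (host order). */
int parse_cidr(const char *cidr, uint32_t *first, uint32_t *last)
{
    unsigned a, b, c, d, bits;
    if (sscanf(cidr, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &bits) != 5) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255 || bits > 32) return 0;
    uint32_t base = (a << 24) | (b << 16) | (c << 8) | d;
    uint32_t mask = bits ? 0xffffffffu << (32 - bits) : 0;
    *first = base & mask;
    *last  = base | ~mask;
    return 1;
}

/* Build one request per address in the block and hand it to `emit` (a raw
 * socket write in a real scanner; NULL just counts). Returns frames built.
 * The do/while avoids an endless loop when the block ends at 255.255.255.255. */
uint64_t probe_range(const char *cidr, const uint8_t src_mac[6], uint32_t src_ip,
                     void (*emit)(const uint8_t *frame, size_t len))
{
    uint32_t first, last, ip;
    uint8_t frame[ARP_FRAME_LEN];
    uint64_t n = 0;
    if (!parse_cidr(cidr, &first, &last)) return 0;
    ip = first;
    do {
        build_arp_request(frame, src_mac, src_ip, ip);
        if (emit) emit(frame, ARP_FRAME_LEN);
        n++;
    } while (ip++ != last);
    return n;
}

/* Format "xx:xx:xx:xx:xx:xx a.b.c.d", the shape of the output lines above. */
void format_association(const uint8_t mac[6], uint32_t ip, char *buf, size_t size)
{
    snprintf(buf, size, "%02x:%02x:%02x:%02x:%02x:%02x %u.%u.%u.%u",
             mac[0], mac[1], mac[2], mac[3], mac[4], mac[5],
             ip >> 24, (ip >> 16) & 0xff, (ip >> 8) & 0xff, ip & 0xff);
}

/* Constructed sample reply: 10.0.0.1 is-at 68:7f:74:b4:53:aa, sent to our MAC. */
static const uint8_t SAMPLE_REPLY[ARP_FRAME_LEN] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x68,0x7f,0x74,0xb4,0x53,0xaa, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x02,
    0x68,0x7f,0x74,0xb4,0x53,0xaa, 0x0a,0x00,0x00,0x01,
    0x02,0x00,0x00,0x00,0x00,0x01, 0x0a,0x00,0x00,0x64,
};

static void print_probe(const uint8_t *frame, size_t len)
{
    (void)len;
    printf("who-has %u.%u.%u.%u\n", frame[38], frame[39], frame[40], frame[41]);
}

int main(void)
{
    const uint8_t my_mac[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01}; /* constructed */
    uint8_t mac[6];
    uint32_t ip;
    char line[64];
    uint64_t sent = probe_range("10.0.0.0/30", my_mac, 0x0a000064u /* 10.0.0.100 */, print_probe);
    printf("%llu requests built\n", (unsigned long long)sent);
    if (parse_arp_reply(SAMPLE_REPLY, sizeof SAMPLE_REPLY, mac, &ip)) {
        format_association(mac, ip, line, sizeof line);
        puts(line);   /* 68:7f:74:b4:53:aa 10.0.0.1 */
    }
    return 0;
}
```

The reply parser deliberately checks the hardware and protocol types, the address lengths and the opcode before trusting the sender fields: on a busy segment the raw socket also delivers requests, gratuitous ARPs and ARP for other protocols, and a scanner that printed those as "associations" would report hosts that never answered.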

The beauty of this type of scan is pretty simple. ARP requests cannot usefully be blocked: a host can filter ARP (with arptables, say), but then nothing on the segment can deliver a frame to it, so any host that is reachable at all will answer. The flip side is that ARP never crosses a router, so the scan only ever sees the local broadcast domain. On top of that, it is fast: faster than a ping loop, faster than nmap. And unlike arping and friends, arpscan bypasses the system ARP cache entirely, so a scan does not stuff one neighbour-table entry per probed address into the kernel. If you've ever scanned a large network (10.0.0.0/8 springs to mind) with arping, you know why this is desirable.

Here are some examples, to whet the appetite:

# arpscan -d wlan0 -n 10.0.0.0/24
68:7f:74:b4:53:aa 10.0.0.1
00:30:67:69:12:f9 10.0.0.15
00:80:77:8d:d6:7a 10.0.0.92
3c:43:8e:09:03:4b 10.0.0.93

And here's my virtualized test environment:

# sudo arpscan -d virbr2 -n 10.10.10.0/24 -t 1200
52:54:00:18:40:9b 10.10.10.130
52:54:00:3e:53:5e 10.10.10.129
52:54:00:61:64:db 10.10.10.132
52:54:00:a4:53:c8 10.10.10.131
52:54:00:2d:f9:16 10.10.10.123
52:54:00:2f:a9:77 10.10.10.128
52:54:00:a6:69:3b 10.10.10.124
52:54:00:c5:21:0b 10.10.10.133
aa:89:dc:f1:87:45 10.10.10.126
52:54:00:7c:a8:ae 10.10.10.121

To grab your own copy, download the code from github:

http://github.com/jhunt/arpscan

WARNING: arpscan is still very beta software (less than a day old as of this writing). It may not work well on large networks. It may not work well (or at all) on your network. I welcome bug reports and patches, the latter more so than the former.

Happy Hacking!

James (@iamjameshunt) works on the Internet, spends his weekends developing new and interesting bits of software and his nights trying to make sense of research papers.

Currently working on Rook.