Today I release
arpscan into the wild, as an Open Source project.
ARP (RFC 826) is the Address Resolution Protocol, used by machines, to find other machines, normally for the purpose of sending them packets (like TCP/IP packets or UDP datagrams).
Ethernet has no idea about routing, or even what an IPv4 address is. All it knows about is the datalink and MAC Addresses. Ethernet frames have two such addresses, the source MAC (known to the host, from the egress interface) and the destination MAC. Since keeping static tables of MAC addresses for all hosts on a LAN is less maintainable than
/etc/hosts was before DNS, ARP was born.
For our purposes, ARP consists of only two operations: request and replies. A request is sent out into the segment to determine what MAC address owns a specific protocol address. A reply is sent from the owning host, answering that query.
arpscan sends a flurry of ARP requests out onto the local segment, probing to see who (if anyone) owns each and every IP address in a range like 10.15.0.0/24. As ARP replies come in from the other hosts, MAC → IPv4 address associations are printed to standard output.
The beauty of this type of scan is pretty simple. ARP requests cannot be blocked; it makes little sense to be on a network but refuse to tell anyone where you really are. Without ARP, no packets would get to you. On top of that, it is fast. Faster than a ping loop; faster than nmap. And unlike
arping and friends,
arpscan bypasses the system ARP cache entirely. If you’ve ever scanned a large network (10.0.0.0/8 springs to mind) with arping, you know why this is desirable.
Here’s some examples, to whet the appetite:
# arpscan -d wlan0 -n 10.0.0.0/24 68:7f:74:b4:53:aa 10.0.0.1 00:30:67:69:12:f9 10.0.0.15 00:80:77:8d:d6:7a 10.0.0.92 3c:43:8e:09:03:4b 10.0.0.93
And here’s my virtualized test environment:
# sudo arpscan -d virbr2 -n 10.10.10.0/24 -t 1200 52:54:00:18:40:9b 10.10.10.130 52:54:00:3e:53:5e 10.10.10.129 52:54:00:61:64:db 10.10.10.132 52:54:00:a4:53:c8 10.10.10.131 52:54:00:2d:f9:16 10.10.10.123 52:54:00:2f:a9:77 10.10.10.128 52:54:00:a6:69:3b 10.10.10.124 52:54:00:c5:21:0b 10.10.10.133 aa:89:dc:f1:87:45 10.10.10.126 52:54:00:7c:a8:ae 10.10.10.121
To grab your own copy, download the code from github:
WARNING: arpscan is still very beta software (less than a day old as of this writing). It may not work well on large networks. It may not work well (or at all) on your network. I welcome bug reports and patches, the latter moreso than the former.