How to Use the Command 'arp-scan' (with examples)
‘Arp-scan’ is a command-line tool used to identify active devices on a network. It operates by sending Address Resolution Protocol (ARP) requests to specified IP addresses or ranges, allowing users to discover devices that are online and connected to the network. This makes it especially useful for system administrators or network engineers who need to troubleshoot network issues, ensure network security, or perform inventory assessments.
Use case 1: Scanning the Current Local Network
Code:
arp-scan --localnet
Motivation:
When attempting to gain a comprehensive overview of all devices connected to your local network, this command is particularly powerful. Whether managing a home network or overseeing a small business network, regularly scanning the local network helps in identifying unauthorized devices or to simply keep track of all connected equipment.
Explanation:
arp-scan
: Calls the arp-scan command, which sends ARP requests and lists the hosts that reply.
--localnet
: A flag that tells the command to take the address and netmask of the interface and scan every address on that local network. It simplifies the process by eliminating the need to manually specify an IP address range.
Example Output:
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.7 with 256 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
192.168.1.1 00:1a:2b:3c:4d:5e Router Inc.
192.168.1.2 11:22:33:44:55:66 Laptop-Device
192.168.1.10 00:25:96:ff:fe:12:34 Printer Co.
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.004 seconds (127.77 hosts/sec). 3 responded
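One way to act on a scan like the one above, as an added example that is not part of the original page or of the arp-scan project: a POSIX shell script that parses arp-scan output (a constructed sample is embedded so it runs offline) and reports every responder whose MAC address is missing from an approved-device inventory. The inventory file name known_macs.txt is an assumption.

```shell
#!/bin/sh
# Added example, not arp-scan's own code: flag responders whose MAC address is
# not in an approved-device inventory. arp-scan needs raw-socket privileges, so
# in real use run it as root:
#   unknown_devices "$(arp-scan --localnet)" "$(cat known_macs.txt)"

# Constructed sample of 'arp-scan --localnet' output (header, results, footer).
# Real output separates the three result fields with tabs; awk's default field
# splitting accepts tabs or spaces, so either form parses.
SAMPLE_SCAN='Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.7 with 256 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
192.168.1.1 00:1a:2b:3c:4d:5e Router Inc.
192.168.1.2 11:22:33:44:55:66 Laptop-Device
192.168.1.77 DE:AD:BE:EF:00:01 (Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.004 seconds (127.77 hosts/sec). 3 responded'

# Constructed inventory (contents of the assumed known_macs.txt): one MAC per line.
KNOWN_MACS='00:1a:2b:3c:4d:5e
11:22:33:44:55:66'

# Keep only result lines (IPv4 in field 1, 17-character MAC in field 2) and print
# "ip mac" with the MAC lower-cased. Header and footer lines never match, so raw
# arp-scan output can be fed in unchanged.
parse_scan() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 ~ /^[0-9A-Fa-f:]+$/ && length($2) == 17 {
            print $1, tolower($2)
        }'
}

# Number of hosts that answered the ARP request.
count_responders() {
    parse_scan "$1" | wc -l | tr -d ' '
}

# Print "ip mac" for every responder absent from the inventory (case-insensitive,
# whole-line match). Empty output means every responder is approved.
unknown_devices() {
    scan=$1
    known=$2
    parse_scan "$scan" | while read -r ip mac; do
        if ! printf '%s\n' "$known" | grep -qixF -- "$mac"; then
            printf '%s %s\n' "$ip" "$mac"
        fi
    done
}

unknown_devices "$SAMPLE_SCAN" "$KNOWN_MACS"
```

The check only covers hosts on the same Layer 2 segment that answer ARP, and MAC addresses can be changed by the device owner, so treat an empty result as "nothing unexpected responded", not as proof that only approved hardware is present.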
Use case 2: Scanning an IP Network with a Custom Bitmask
Code:
arp-scan 192.168.1.1/24
Motivation:
Specific IP networks might require precise examination due to their size, segmentation, or specific addressing policies. In environments where IP ranges are allocated per department or workgroup, segment-based scans allow for targeted network assessments.
Explanation:
arp-scan
: Initiates the ARP scan tool.
192.168.1.1/24
: Indicates the specific network you wish to scan using CIDR notation. Here, /24 signifies a subnet mask of 255.255.255.0, so the scan covers the 256 addresses from 192.168.1.0 to 192.168.1.255 (network and broadcast addresses included, which is why the output reports 256 hosts).
Example Output:
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.7 with 256 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
192.168.1.20 aa:bb:cc:dd:ee:ff Desktop-PC
192.168.1.45 00:11:22:33:44:55 NAS-Device
192.168.1.90 12:34:56:78:9a:bc Smart-TV
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.913 seconds (133.87 hosts/sec). 3 responded
Use case 3: Scanning an IP Network Within a Custom Range
Code:
arp-scan 127.0.0.0-127.0.0.31
Motivation:
The necessity to scan specific IP ranges comes into play when only a subset of a larger network needs to be investigated. This can be due to security audits, error diagnosis in clustered devices, or performing a quality check on allocated ranges.
Explanation:
arp-scan
: Initiates the arp-scan tool for network probing.
127.0.0.0-127.0.0.31
: Specifies the start and end of the IP range to be scanned, separated by a hyphen. This can be particularly efficient for small sub-networks or specific clusters.
Example Output:
Interface: lo, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.7 with 32 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
127.0.0.10 aa:00:bb:11:cc:22 Loopback-Device
127.0.0.15 dd:44:ee:55:ff:66 Service-Node
2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 32 hosts scanned in 0.012 seconds (500.00 hosts/sec). 2 responded
Use case 4: Scanning an IP Network with a Custom Net Mask
Code:
arp-scan 10.0.0.0:255.255.255.0
Motivation:
In networks with non-standard subnetting, it is crucial to tailor scans to match custom subnet masks for accurate device detection. This scanning approach is beneficial where IP allocation is highly controlled or in vast networks with customized subnet configurations.
Explanation:
arp-scan
: Calls upon the arp-scan utility to perform network probing.
10.0.0.0:255.255.255.0
: Defines the network as an IP address and a dotted subnet mask separated by a colon. 10.0.0.0 lies in the Class A private range, but the 255.255.255.0 mask limits the scan to the single subnet 10.0.0.0 to 10.0.0.255, the same target as 10.0.0.0/24 written in CIDR notation.
Example Output:
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.7 with 254 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
10.0.0.5 01:23:45:67:89:ab IoT-Device
10.0.0.12 be:ad:de:ad:be:ef Development-Workstation
2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 254 hosts scanned in 1.034 seconds (245.72 hosts/sec). 2 responded
Conclusion:
‘Arp-scan’ is a versatile tool that aids network administrators in monitoring and managing networked devices effectively. By using various options such as local network scans, custom bitmasks, IP range definitions, and precise subnet masks, ‘arp-scan’ provides flexibility and precision necessary for comprehensive network surveillance. These functionalities empower users to address specific network management requirements, thereby maintaining control and security over digital environments.