Security Resources and Information from TechTarget, September 29
Network device discovery with arp-scan

 

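arp-scan is a network device discovery tool based on the ARP protocol that identifies devices on an IPv4 network by sending ARP queries. It works at Layer 2 of the OSI model, and because almost all network devices respond to ARP requests, it can effectively discover devices on the local network. Compared with scanning tools that rely on ICMP, TCP or UDP, arp-scan is more reliable, and because of the nature of the ARP protocol, its queries are not recognized by most intrusion detection systems. arp-scan supports a range of scan options, such as specifying the network interface, quiet mode and repeated requests, so users can tailor scan behavior to their needs. It is suited to network mapping, security audits, ethical hacking and troubleshooting, and is a practical tool for maintaining network security.

🔍 arp-scan is a network device discovery tool based on the ARP protocol that identifies devices on an IPv4 network by sending ARP queries. It works at Layer 2 of the OSI model, and because almost all network devices respond to ARP requests, it can effectively discover devices on the local network.

🛡️ Compared with scanning tools that rely on ICMP, TCP or UDP, arp-scan is more reliable, and because of the nature of the ARP protocol, its queries are not recognized by most intrusion detection systems. This makes arp-scan less suitable for scenarios that call for a stealthy scan, but very effective when a direct, reliable scan of the local network is needed.

🔧 arp-scan supports a range of scan options, such as specifying the network interface, quiet mode and repeated requests, so users can tailor scan behavior to their needs. For example, the `-I` option specifies the network interface, the `-q` option enables quiet mode and the `-r` option sets the number of retries. These options make arp-scan very flexible.

📊 Scan results include the media access control (MAC) address and IP address of every device that responds to the ARP query, along with the network interface card manufacturer. The `-v` option increases output verbosity, showing scan progress, packet length details and debug information for deeper analysis.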

<p>Identifying the devices on your network is a critical security task. After all, you can't secure what you don't know. While plenty of fancy configuration management tools list the nodes on a network, sometimes the simple and straightforward utilities are best.</p>
<p>Arp-scan is a tool that discovers and identifies IPv4 network nodes by using Address Resolution Protocol (<a href="https://www.techtarget.com/searchnetworking/definition/Address-Resolution-Protocol-ARP">ARP</a>) queries to generate a comprehensive list of devices. Its use of ARP sets arp-scan well apart from scanners that rely on ping (ICMP), TCP or User Datagram Protocol (UDP) scans. Many tools operate at <a href="https://www.techtarget.com/searchnetworking/definition/OSI">OSI</a> Layer 3, such as <a href="https://www.techtarget.com/searchnetworking/tip/How-to-use-Nmap-to-scan-a-network-for-documentation">Nmap</a>. Not all network devices respond to such higher-level scans. Because ARP is a fundamental component of networking, an arp-scan query at OSI Layer 2 will almost certainly succeed.</p>
<p>Arp-scan has a specific limitation. Because ARP is not routable, an arp-scan is limited to the local subnet. This is often exactly what you want: a focused, direct and easily controlled scan.
For a broader network scan, consider Nmap, <a href="https://www.techtarget.com/searchNetworking/tutorial/Use-Angry-IP-Scanner-to-audit-the-network">Angry IP Scanner</a> or a similar tool.</p>
<p>Let's look at how to install arp-scan, basic scan options and then evaluate use cases.</p>
<section class="section main-article-chapter" data-menu-title="How to install arp-scan">
<h2 class="section-title"><i class="icon" data-icon="1"></i>How to install arp-scan</h2>
<p>Installing arp-scan on your Linux penetration testing box is as simple as calling up your distribution's preferred package manager.</p>
<p>For Ubuntu, Debian and similar distributions, type:</p>
<p><span style="font-family: 'courier new', courier, monospace;">apt install arp-scan</span></p>
<p>On Fedora, Alpine Linux, Rocky or Red Hat Enterprise Linux distros, type:</p>
<p><span style="font-family: 'courier new', courier, monospace;">dnf install arp-scan</span></p>
<p>On openSUSE, type:</p>
<p><span style="font-family: 'courier new', courier, monospace;">zypper install arp-scan</span></p>
<p>On Arch Linux, type:</p>
<p><span style="font-family: 'courier new', courier, monospace;">pacman -S arp-scan</span></p>
<p>Many security-oriented distributions, such as <a href="https://www.techtarget.com/searchsecurity/tip/Top-Kali-Linux-tools-and-how-to-use-them">Kali Linux</a>, include arp-scan by default.</p>
<p>Mac users should <a href="https://www.techtarget.com/searchVirtualDesktop/tip/How-to-install-Homebrew-on-macOS-for-software-distribution">install the Homebrew Mac package manager</a> and then type the following command to install arp-scan:</p>
<p><span style="font-family: 'courier new', courier, monospace;">brew install arp-scan</span></p>
<p>The installation is more challenging for Windows users. You'll need an arp-scan port (check GitHub), the Cygwin Unix-like environment or Windows Subsystem for Linux. After installing arp-scan, run it from the Terminal.
It's a command-line application.</p>
<figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/arpscan-image-1-h.jpg">
<img data-src="https://www.techtarget.com/rms/onlineimages/arpscan-image-1-h_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/arpscan-image-1-h_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/arpscan-image-1-h.jpg 1280w" alt="Screenshot of checking arp-scan installation status and version" data-credit="Damon Garn">
<figcaption> <i class="icon pictures" data-icon="z"></i>Check the arp-scan installation status and version with the arp-scan --version command. </figcaption>
</figure></section>
<section class="section main-article-chapter" data-menu-title="How to run an initial scan">
<h2 class="section-title"><i class="icon" data-icon="1"></i>How to run an initial scan</h2>
<p>Arp-scan works by sending ARP requests to all IP addresses in a specified range. These requests ask the receiving computers to respond to the source device with their IP address. This is an integral part of basic IP networking, so all systems should respond.
Arp-scan records each response and displays the results.</p>
<p>The basic arp-scan syntax requires you to identify a network interface and the subnet you want to scan.</p>
<p><span style="font-family: 'courier new', courier, monospace;">arp-scan -I &lt;interface-id&gt; &lt;subnet&gt;</span></p>
<p>For example, to scan subnet 192.168.2.0/24 on interface eth1, type:</p>
<p><span style="font-family: 'courier new', courier, monospace;">arp-scan -I eth1 192.168.2.0/24</span></p>
<figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/arpscan-image2-h.jpg">
<img data-src="https://www.techtarget.com/rms/onlineimages/arpscan-image2-h_half_column_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/arpscan-image2-h_half_column_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/arpscan-image2-h.jpg 1280w" alt="Screenshot of arp-scan responses" data-credit="Damon Garn" height="73" width="279">
<figcaption> <i class="icon pictures" data-icon="z"></i>The default results show responding system MAC addresses, IP addresses and interface manufacturers (if available). </figcaption>
</figure>
<p>The results include all devices that respond to the ARP query. Arp-scan identifies them by media access control (MAC) and IP address, along with the network interface card manufacturer. The scan should finish quickly, since there's not much to the protocol.</p>
<p>Wireless networks also rely on MAC addresses, so you can specify your system's wireless interface as the source. This is a handy option for finding rogue wireless devices on your network.</p>
<h3>Additional arp-scan options</h3>
<p>Various arp-scan options can modify the tool's behavior.
Combine the following with the standard scan options for greater flexibility:</p>
<ul class="default-list">
<li><b><span style="font-family: 'courier new', courier, monospace;">-q</span> (quiet mode).</b> Displays only MAC and IP addresses without showing interface manufacturer information.</li>
<li><b><span style="font-family: 'courier new', courier, monospace;">-x</span> (plain mode).</b> Hides the default header and footer information, making it easier to import the scan's results into other formats, such as CSV.</li>
<li><b><span style="font-family: 'courier new', courier, monospace;">-g</span>.</b> Ignores any duplicate responses.</li>
<li><b><span style="font-family: 'courier new', courier, monospace;">-r 3</span>.</b> Specifies the number of retries (three, in this example).</li>
<li><b><span style="font-family: 'courier new', courier, monospace;">-R</span>.</b> Randomizes the scan order of specified hosts.</li>
</ul>
<p>Review the <a href="https://linux.die.net/man/1/arp-scan" target="_blank" rel="noopener">arp-scan man page</a> for additional options. Combine the various options to gather and format the information needed.</p>
<figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/arpscan-image3-h.jpg">
<img data-src="https://www.techtarget.com/rms/onlineimages/arpscan-image3-h_half_column_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/arpscan-image3-h_half_column_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/arpscan-image3-h.jpg 1280w" alt="screenshot of expanded results from an arp-scan" data-credit="Damon Garn" height="91" width="279">
<figcaption> <i class="icon pictures" data-icon="z"></i>Use one or more -v options for more detailed output results.
</figcaption>
</figure>
<p>The <span style="font-family: 'courier new', courier, monospace;">arp-fingerprint</span> command is part of the arp-scan package. Use it to target a single host.</p>
<p>Increase the arp-scan output verbosity by using the <span style="font-family: 'courier new', courier, monospace;">-v</span> option. The results display scan passes in progress, packet length details, debug information and more. Use multiple v options for greater detail (such as <span style="font-family: 'courier new', courier, monospace;">-vvv</span>).</p></section>
<section class="section main-article-chapter" data-menu-title="Arp-scan use cases">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Arp-scan use cases</h2>
<p>Keep in mind that arp-scan does not attempt to hide from intrusion detection systems or other scan prevention tools. Its queries are obvious and noisy. If you prefer a stealthy scan, consider other tools. Netdiscover, for example, might be a good alternative. ARP traffic, however, is a normal part of networking, so other communications could camouflage your scan.</p>
<p>Use arp-scan in any scenario where detecting network nodes is crucial but hiding your actions is not. Consider the following examples:</p>
<ul class="default-list">
<li>Network mapping and reconnaissance. Map networks for security audits or scan for unexpected and unknown devices.</li>
<li><a href="https://www.techtarget.com/searchsecurity/definition/white-hat">Ethical hacking</a>. Map networks and identify devices during pen testing or other legitimate security activities.</li>
<li>Troubleshooting. Identify active network nodes as part of a larger troubleshooting process.</li>
</ul>
<p>Other network scanners, such as Nmap, work one layer higher in the OSI model than arp-scan. This provides greater functionality, but it also limits some of their usefulness.
Since arp-scan operates at OSI Layer 2, it scans only the local segment. It will, however, find nodes other scanners might miss. Combine arp-scan and Nmap scans for best results. An arp-scan's simplicity is its greatest asset.</p> <p><i>Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA blogs.</i></p></section>
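<p>The following is an added example, not code from the original article: it audits the output of a plain-mode (-x) scan for the "unexpected and unknown devices" use case, flagging MAC addresses missing from an approved inventory and IP addresses answered by more than one MAC, and converts the same output to CSV. The function names, inventory file format and sample data are constructed for illustration, and the tab-separated column order (IP, MAC, vendor) is an assumption about the scan output.</p>

```sh
#!/bin/sh
# Added example: audit arp-scan plain-mode (-x) output against an inventory.
# Assumes tab-separated columns: IP, MAC, vendor (vendor absent with -q).

# Print "UNKNOWN" for MACs missing from the inventory file ($1) and
# "CONFLICT" when one IP is answered by two different MACs.
# Inventory format (hypothetical): MAC<TAB>label, one device per line.
audit_scan() {
    awk -F '\t' '
        FILENAME == ARGV[1] { if ($1 != "") known[tolower($1)] = 1; next }
        NF < 2 { next }    # skip blank or malformed lines
        {
            ip = $1; mac = tolower($2)
            if (!(mac in known)) printf "UNKNOWN\t%s\t%s\n", ip, mac
            if ((ip in seen) && seen[ip] != mac) {
                printf "CONFLICT\t%s\t%s\t%s\n", ip, seen[ip], mac
            } else {
                seen[ip] = mac
            }
        }
    ' "$1" -
}

# Convert the same output to CSV with a header row and quoted vendor field.
scan_to_csv() {
    awk -F '\t' 'BEGIN { print "ip,mac,vendor" }
        NF >= 2 { v = $3; gsub(/"/, "\"\"", v)
                  printf "%s,%s,\"%s\"\n", $1, tolower($2), v }'
}

# Constructed sample data, not captured from a real network.
known_devices() {
    printf '%s\t%s\n' 00:11:22:33:44:55 gateway 66:77:88:99:aa:bb file-server
}
sample_scan() {
    printf '%s\t%s\t%s\n' \
        192.168.2.1  00:11:22:33:44:55 'Example Router Co.' \
        192.168.2.10 66:77:88:99:AA:BB 'Example Server Inc.' \
        192.168.2.57 de:ad:be:ef:00:01 '(Unknown)' \
        192.168.2.10 02:00:00:00:00:99 '(Unknown)'
}

# Live use (needs root privileges; omit -g so repeated answers stay visible):
#   arp-scan -I eth1 -x 192.168.2.0/24 | audit_scan inventory.tsv
inv=$(mktemp) && known_devices > "$inv"
sample_scan | audit_scan "$inv"
sample_scan | scan_to_csv
rm -f "$inv"
```

<p>MAC addresses are compared in lowercase, so an inventory written in either case matches the scan output.</p>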
