Teru Komaki's Blog (Temporary)

macOSでarp-scanコマンドを使ってRaspberry Piのipを調べる

Linuxではデフォルトでインストールされているarp-scanコマンド。

macOSで利用する場合は、Homebrewでインストールしましょう。

1brew install arp-scan

インストールできました。

ラズパイにsshする時に必要になるipアドレスを調べてみましょう。

 1sudo arp-scan -l
 2Password:
 3Interface: en0, datalink type: EN10MB (Ethernet)
 4Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
 5192.168.100.1   00:a0:de:6a:ac:51       YAMAHA CORPORATION
 6192.168.100.2   f0:99:bf:04:35:98       Apple, Inc.
 7192.168.100.3   f0:99:bf:04:35:98       Apple, Inc.
 8192.168.100.4   00:b3:62:dc:f9:91       (Unknown)
 9192.168.100.20  00:22:cf:fa:57:b3       PLANEX COMMUNICATIONS INC.
10192.168.100.6   dc:ef:ca:89:91:d6       (Unknown)
11192.168.100.9   d8:00:4d:ee:5c:7d       Apple, Inc.
12192.168.100.12  60:f8:1d:be:e2:ac       Apple, Inc.
13192.168.100.15  78:88:6d:c3:86:58       (Unknown)
14
15518 packets received by filter, 0 packets dropped by kernel
16Ending arp-scan 1.9.5: 256 hosts scanned in 1.851 seconds (138.30 hosts/sec). 10 responded

ラズパイにはPLANEXの無線LAN子機をつけているので、今回の場合は192.168.100.20になります。

1ssh [email protected]

arp-scan便利ですね。

しかし、Apple製品多いな…

manをはっておこう…

1man arp-scan
  1ARP-SCAN(1)                                                        ARP-SCAN(1)
  2
  3
  4
  5NNAAMMEE
  6       arp-scan - The ARP scanner
  7
  8SSYYNNOOPPSSIISS
  9       aarrpp--ssccaann [_o_p_t_i_o_n_s] [_h_o_s_t_s...]
 10
 11       Target  hosts  must  be specified on the command line unless the ----ffiillee
 12       option is given, in which case the targets are read from the  specified
 13       file  instead, or the ----llooccaallnneett option is used, in which case the tar-
 14       gets are generated from the network interface IP address and netmask.
 15
 16       You will need to be root, or aarrpp--ssccaann must be SUID root,  in  order  to
 17       run  aarrpp--ssccaann,  because  the  functions  that it uses to read and write
 18       packets require root privilege.
 19
 20       The target hosts can be specified as IP addresses  or  hostnames.   You
 21       can  also specify the target as IIPPnneettwwoorrkk//bbiittss (e.g. 192.168.1.0/24) to
 22       specify all hosts in the given network (network and broadcast addresses
 23       included), IIPPssttaarrtt--IIPPeenndd (e.g. 192.168.1.3-192.168.1.27) to specify all
 24       hosts   in   the   inclusive   range,   or   IIPPnneettwwoorrkk::NNeettMMaasskk    (e.g.
 25       192.168.1.0:255.255.255.0)  to  specify  all hosts in the given network
 26       and mask.
 27
 28DDEESSCCRRIIPPTTIIOONN
 29       aarrpp--ssccaann sends ARP packets to hosts on the local network  and  displays
 30       any  responses  that  are received. The network interface to use can be
 31       specified with the ----iinntteerrffaaccee option. If this option is  not  present,
 32       aarrpp--ssccaann will search the system interface list for the lowest numbered,
 33       configured up interface (excluding  loopback).   By  default,  the  ARP
 34       packets  are sent to the Ethernet broadcast address, ff:ff:ff:ff:ff:ff,
 35       but that can be changed with the ----ddeessttaaddddrr option.
 36
 37       The target hosts to scan may be specified in  one  of  three  ways:  by
 38       specifying  the  targets on the command line; by specifying a file con-
 39       taining the targets with  the  ----ffiillee  option;  or  by  specifying  the
 40       ----llooccaallnneett  option  which  causes  all  possible  hosts  on the network
 41       attached to the interface (as defined  by  the  interface  address  and
 42       mask)  to  be scanned. For hosts specified on the command line, or with
 43       the ----ffiillee option, you can use either IP addresses or  hostnames.   You
 44       can  also  use network specifications IIPPnneettwwoorrkk//bbiittss, IIPPssttaarrtt--IIPPeenndd, or
 45       IIPPnneettwwoorrkk::NNeettMMaasskk.
 46
 47       The list of target hosts is stored in memory.  Each host in  this  list
 48       uses  28  bytes of memory, so scanning a Class-B network (65,536 hosts)
 49       requires about 1.75MB of memory for the list, and  scanning  a  Class-A
 50       (16,777,216 hosts) requires about 448MB.
 51
 52       aarrpp--ssccaann  supports Ethernet and 802.11 wireless networks. It could also
 53       support token ring and FDDI, but they have not been tested. It does not
 54       support  serial links such as PPP or SLIP, because ARP is not supported
 55       on them.
 56
 57       The ARP protocol is a layer-2 (datalink layer) protocol that is used to
 58       determine  a  host's  layer-2 address given its layer-3 (network layer)
 59       address. ARP was designed to work with any layer-2 and layer-3  address
 60       format,  but  the  most  common  use is to map IP addresses to Ethernet
 61       hardware addresses, and this is what aarrpp--ssccaann supports. ARP only  oper-
 62       ates  on the local network, and cannot be routed. Although the ARP pro-
 63       tocol makes use of IP addresses, it is not  an  IP-based  protocol  and
 64       aarrpp--ssccaann can be used on an interface that is not configured for IP.
 65
 66       ARP is only used by IPv4 hosts. IPv6 uses NDP (neighbour discovery pro-
 67       tocol) instead, which is a different protocol and is not  supported  by
 68       aarrpp--ssccaann.
 69
 70       One  ARP  packet is sent for each for each target host, with the target
 71       protocol address (the ar$tpa field) set to the IP address of this host.
 72       If  a  host  does not respond, then the ARP packet will be re-sent once
 73       more.  The maximum number of retries can be changed  with  the  ----rreettrryy
 74       option.   Reducing  the number of retries will reduce the scanning time
 75       at the possible risk of missing some results due to packet loss.
 76
 77       You can specify the bandwidth that aarrpp--ssccaann will use for  the  outgoing
 78       ARP  packets  with the ----bbaannddwwiiddtthh option.  By default, it uses a band-
 79       width of 256000 bits per second. Increasing the bandwidth  will  reduce
 80       the  scanning time, but setting the bandwidth too high may result in an
 81       ARP storm which can disrupt network operation.  Also, setting the band-
 82       width  too  high can send packets faster than the network interface can
 83       transmit them, which will eventually fill the kernel's transmit  buffer
 84       resulting in the error message: _N_o _b_u_f_f_e_r _s_p_a_c_e _a_v_a_i_l_a_b_l_e.  Another way
 85       to specify the outgoing ARP packet rate is with the ----iinntteerrvvaall  option,
 86       which is an alternative way to modify the same underlying parameter.
 87
 88       The  time  taken to perform a single-pass scan (i.e. with ----rreettrryy==11) is
 89       given by:
 90
 91       time = n*i + t + o
 92
 93       Where _n is the number of hosts in the list,  _i  is  the  time  interval
 94       between  packets (specified with ----iinntteerrvvaall, or calculated from ----bbaanndd--
 95       wwiiddtthh), _t is the timeout value (specified with ----ttiimmeeoouutt) and _o is  the
 96       overhead  time  taken  to  load  the targets into the list and read the
 97       MAC/Vendor mapping files.  For small lists of hosts, the timeout  value
 98       will  dominate,  but  for  large  lists the packet interval is the most
 99       important value.
100
101       With 65,536 hosts, the default bandwidth of 256,000 bits/second  (which
102       results in a packet interval of 2ms), the default timeout of 500ms, and
103       a single pass ( ----rreettrryy==11), and assuming an overhead of 1  second,  the
104       scan would take 65536*0.002 + 0.5 + 1 = 132.57 seconds, or about 2 min-
105       utes 13 seconds.
106
107       Any part of the outgoing ARP packet may be modified through the use  of
108       the  various  ----aarrppXXXXXX  options.   The use of some of these options may
109       make the outgoing ARP packet non  RFC  compliant.  Different  operating
110       systems  handle the various non standard ARP packets in different ways,
111       and this may be used to fingerprint  these  systems.   See  aarrpp--ffiinnggeerr--
112       pprriinntt(1)  for  information  about  a script which uses these options to
113       fingerprint the target operating system.
114
115       The table below summarises the options that  change  the  outgoing  ARP
116       packet. In this table, the _F_i_e_l_d column gives the ARP packet field name
117       from RFC 826, _B_i_t_s specifies the number of bits in  the  field,  _O_p_t_i_o_n
118       shows  the  aarrpp--ssccaann  option  to modify this field, and _N_o_t_e_s gives the
119       default value and any other notes.
120
121       +---------------------------------------------------------------+
122       |                 OOuuttggooiinngg AARRPP PPaacckkeett OOppttiioonnss                   |
123       +-------+------+----------+-------------------------------------+
124       |FFiieelldd  | BBiittss | OOppttiioonn   | NNootteess                               |
125       +-------+------+----------+-------------------------------------+
126       |ar$hrd | 16   | --arphrd | Default is 1 (ARPHRD_ETHER)         |
127       |ar$pro | 16   | --arppro | Default is 0x0800                   |
128       |ar$hln | 8    | --arphln | Default is 6 (ETH_ALEN)             |
129       |ar$pln | 8    | --arppln | Default is 4 (IPv4)                 |
130       |ar$op  | 16   | --arpop  | Default is 1 (ARPOP_REQUEST)        |
131       |ar$sha | 48   | --arpsha | Default is interface h/w address    |
132       |ar$spa | 32   | --arpspa | Default is interface IP address     |
133       |ar$tha | 48   | --arptha | Default is zero (00:00:00:00:00:00) |
134       |ar$tpa | 32   | None     | Set to the target host IP address   |
135       +-------+------+----------+-------------------------------------+
136
137       The most commonly used outgoing ARP packet option  is  ----aarrppssppaa,  which
138       sets  the  source IP address in the ARP packet.  This option allows the
139       outgoing ARP packet to use a different source IP address from the  out-
140       going  interface  address.  With this option it is possible to use aarrpp--
141       ssccaann on an interface with no IP address configured, which can be useful
142       if  you want to ensure that the testing host does not interact with the
143       network being tested.
144
145       WWaarrnniinngg:: SSeettttiinngg aarr$$ssppaa ttoo tthhee ddeessttiinnaattiioonn IIPP aaddddrreessss ccaann ddiissrruupptt  ssoommee
146       ooppeerraattiinngg  ssyysstteemmss,, aass tthheeyy aassssuummee tthheerree iiss aann IIPP aaddddrreessss ccllaasshh iiff tthheeyy
147       rreecceeiivvee aann AARRPP rreeqquueesstt ffoorr tthheeiirr oowwnn aaddddrreessss..
148
149       It is also possible to change the values in the Ethernet  frame  header
150       that  precedes  the ARP packet in the outgoing packets. The table below
151       summarises the options that change values in the Ethernet frame header.
152
153       +-------------------------------------------------------------------+
154       |                 OOuuttggooiinngg EEtthheerrnneett FFrraammee OOppttiioonnss                   |
155       +---------------+------+-------------+------------------------------+
156       |FFiieelldd          | BBiittss | OOppttiioonn      | NNootteess                        |
157       +---------------+------+-------------+------------------------------+
158       |Dest Address   | 48   | --destaddr  | Default is ff:ff:ff:ff:ff:ff |
159       |Source Address | 48   | --srcaddr   | Default is interface address |
160       |Protocol Type  | 16   | --prototype | Default is 0x0806            |
161       +---------------+------+-------------+------------------------------+
162
163       The  most  commonly  used outgoing Ethernet frame option is ----ddeessttaaddddrr,
164       which sets the destination Ethernet address for the ARP packet.  ----pprroo--
165       ttoottyyppee is not often used, because it will cause the packet to be inter-
166       preted as a different Ethernet protocol.
167
168       Any ARP responses that are received are displayed in the following for-
169       mat:
170
171       <IP Address>   <Hardware Address>   <Vendor Details>
172
173       Where  IIPP  AAddddrreessss is the IP address of the responding target, HHaarrddwwaarree
174       AAddddrreessss is its  Ethernet  hardware  address  (also  known  as  the  MAC
175       address)  and  VVeennddoorr  DDeettaaiillss are the vendor details, decoded from the
176       hardware address.  The output fields are  separated  by  a  single  tab
177       character.
178
179       The  responses  are  displayed in the order they are received, which is
180       not always the same order as the requests were sent because some  hosts
181       may respond faster than others.
182
183       The  vendor decoding uses the files _i_e_e_e_-_o_u_i_._t_x_t, _i_e_e_e_-_i_a_b_._t_x_t and _m_a_c_-
184       _v_e_n_d_o_r_._t_x_t, which are supplied with  aarrpp--ssccaann.   The  _i_e_e_e_-_o_u_i_._t_x_t  and
185       _i_e_e_e_-_i_a_b_._t_x_t  files are generated from the OUI and IAB data on the IEEE
186       website at _h_t_t_p_:_/_/_s_t_a_n_d_a_r_d_s_-_o_u_i_._i_e_e_e_._o_r_g_/_o_u_i_/_o_u_i_._t_x_t  and  _h_t_t_p_:_/_/_s_t_a_n_-
187       _d_a_r_d_s_._i_e_e_e_._o_r_g_/_r_e_g_a_u_t_h_/_o_u_i_/_i_a_b_._t_x_t.   The Perl scripts ggeett--oouuii and ggeett--
188       iiaabb, which are included in the aarrpp--ssccaann package, can be used to  update
189       these  files  with the latest data from the IEEE website.  The _m_a_c_-_v_e_n_-
190       _d_o_r_._t_x_t file contains other MAC to Vendor mappings that are not covered
191       by  the IEEE OUI and IAB files, and can be used to add custom mappings.
192
193       Almost all hosts that support IP  will  respond  to  aarrpp--ssccaann  if  they
194       receive  an ARP packet with the target protocol address (ar$tpa) set to
195       their IP address.  This includes firewalls and other hosts with IP fil-
196       tering  that drop all IP traffic from the testing system. For this rea-
197       son, aarrpp--ssccaann is a useful tool to quickly determine all the  active  IP
198       hosts on a given Ethernet network segment.
199
200OOPPTTIIOONNSS
201       Where  an  option takes a value, that value is specified as a letter in
202       angle brackets. The letter indicates the type of data that is expected:
203
204       <<ss>>    A character string, e.g. --file=hostlist.txt.
205
206       <<ii>>    An  integer,  which can be specified as a decimal number or as a
207              hexadecimal number if preceeded with 0x, e.g.  --arppro=2048  or
208              --arpro=0x0800.
209
210       <<ff>>    A floating point decimal number, e.g. --backoff=1.5.
211
212       <<mm>>    An  Ethernet  MAC  address, which can be specified either in the
213              format 01:23:45:67:89:ab, or as  01-23-45-67-89-ab.  The  alpha-
214              betic  hex  characters  may  be either upper or lower case. E.g.
215              --arpsha=01:23:45:67:89:ab.
216
217       <<aa>>    An IPv4 address, e.g. --arpspa=10.0.0.1
218
219       <<hh>>    Binary data specified as a hexadecimal string, which should  not
220              include  a  leading  0x.  The  alphabetic  hex characters may be
221              either upper or lower case. E.g. --padding=aaaaaaaaaaaa
222
223       <<xx>>    Something else. See the description of the option for details.
224
225       ----hheellpp oorr --hh
226              Display this usage message and exit.
227
228       ----ffiillee==<<ss>> oorr --ff <<ss>>
229              Read hostnames or addresses from the specified file  instead  of
230              from  the command line. One name or IP address per line. Use "-"
231              for standard input.
232
233       ----llooccaallnneett oorr --ll
234              Generate addresses from network  interface  configuration.   Use
235              the  network  interface  IP address and network mask to generate
236              the list of target host addresses.  The list  will  include  the
237              network  and  broadcast  addresses,  so  an interface address of
238              10.0.0.1 with netmask 255.255.255.0 would  generate  256  target
239              hosts  from  10.0.0.0  to 10.0.0.255 inclusive.  If you use this
240              option, you cannot specify the --file option or specify any tar-
241              get hosts on the command line.  The interface specifications are
242              taken from the interface that arp-scan will use,  which  can  be
243              changed with the --interface option.
244
245       ----rreettrryy==<<ii>> oorr --rr <<ii>>
246              Set total number of attempts per host to <i>, default=2.
247
248       ----ttiimmeeoouutt==<<ii>> oorr --tt <<ii>>
249              Set initial per host timeout to <i> ms, default=500.  This time-
250              out is for the first packet sent to each host.  subsequent time-
251              outs  are  multiplied  by  the  backoff factor which is set with
252              --backoff.
253
254       ----iinntteerrvvaall==<<xx>> oorr --ii <<xx>>
255              Set minimum packet interval to <x>.  This controls the  outgoing
256              bandwidth  usage  by  limiting  the rate at which packets can be
257              sent. The packet interval will be no smaller than  this  number.
258              If you want to use up to a given bandwidth, then it is easier to
259              use the --bandwidth option instead.  The interval  specified  is
260              in  milliseconds  by  default,  or  in  microseconds  if  "u" is
261              appended to the value.
262
263       ----bbaannddwwiiddtthh==<<xx>> oorr --BB <<xx>>
264              Set desired outbound  bandwidth  to  <x>,  default=256000.   The
265              value is in bits per second by default. If you append "K" to the
266              value, then the units are kilobits per sec; and  if  you  append
267              "M"  to  the  value, the units are megabits per second.  The "K"
268              and "M" suffixes represent the decimal, not  binary,  multiples.
269              So  64K is 64000, not 65536.  You cannot specify both --interval
270              and --bandwidth because they are just different ways  to  change
271              the same underlying parameter.
272
273       ----bbaacckkooffff==<<ff>> oorr --bb <<ff>>
274              Set  timeout  backoff factor to <f>, default=1.50.  The per-host
275              timeout is multiplied by this factor after each timeout. So,  if
276              the  number  of  retries  is  3, the initial per-host timeout is
277              500ms and the backoff factor is 1.5, then the first timeout will
278              be 500ms, the second 750ms and the third 1125ms.
279
280       ----vveerrbboossee oorr --vv
281              Display  verbose  progress  messages.   Use  more  than once for
282              greater effect:
283
284              1 - Display the network address and mask used when the  --local-
285              net  option  is  specified,  display any nonzero packet padding,
286              display packets received from unknown hosts, and show when  each
287              pass through the list completes.
288
289              2 - Show each packet sent and received, when entries are removed
290              from the list, the pcap filter string, and counts of  MAC/Vendor
291              mapping entries.
292
293              3 - Display the host list before scanning starts.
294
295       ----vveerrssiioonn oorr --VV
296              Display program version and exit.
297
298       ----rraannddoomm oorr --RR
299              Randomise  the  host  list.  This option randomises the order of
300              the hosts in the host list, so the ARP packets are sent  to  the
301              hosts in a random order. It uses the Knuth shuffle algorithm.
302
303       ----rraannddoommsseeeedd==<<ii>>
304              Use <i> to seed the pseudo random number generator.  This option
305              seeds the PRNG with the specified number, which can be useful if
306              you want to ensure that the random host list is reproducable. By
307              default, the PRNG is seeded with an  unpredictable  value.  This
308              option  is  only effective in conjunction with the --random (-R)
309              option.
310
311       ----nnuummeerriicc oorr --NN
312              IP addresses only, no hostnames.  With this  option,  all  hosts
313              must  be specified as IP addresses. Hostnames are not permitted.
314              No DNS lookups will be performed.
315
316       ----ssnnaapp==<<ii>> oorr --nn <<ii>>
317              Set the pcap snap length to <i>. Default=64.  This specifies the
318              frame capture length. This length includes the data-link header.
319              The default is normally sufficient.
320
321       ----iinntteerrffaaccee==<<ss>> oorr --II <<ss>>
322              Use network interface <s>.  If this  option  is  not  specified,
323              arp-scan  will  search  the system interface list for the lowest
324              numbered, configured up  interface  (excluding  loopback).   The
325              interface specified must support ARP.
326
327       ----qquuiieett oorr --qq
328              Only  display  minimal  output.  No  protocol decoding.  If this
329              option is specified, then only the IP address  and  MAC  address
330              are displayed for each responding host.  No protocol decoding is
331              performed and the OUI mapping files are not used.
332
333       ----ppllaaiinn oorr --xx
334              Display plain output showing only responding hosts.  This option
335              supresses  the  printing of the header and footer text, and only
336              displays one line for each responding host. Useful if the output
337              will be parsed by a script.
338
339       ----iiggnnoorreedduuppss oorr --gg
340              Don't  display duplicate packets.  By default, duplicate packets
341              are displayed and are flagged with "(DUP: n)".
342
343       ----oouuiiffiillee==<<ss>> oorr --OO <<ss>>
344              Use IEEE Ethernet OUI to  vendor  mapping  file  <s>.   If  this
345              option is not specified, the default filename is ieee-oui.txt in
346              the current directory. If that  is  not  found,  then  the  file
347              /usr/local/share/arp-scan/ieee-oui.txt is used.
348
349       ----iiaabbffiillee==<<ss>> oorr --OO <<ss>>
350              Use  IEEE  Ethernet  IAB  to  vendor  mapping file <s>.  If this
351              option is not specified, the default filename is ieee-iab.txt in
352              the  current  directory.  If  that  is  not found, then the file
353              /usr/local/share/arp-scan/ieee-iab.txt is used.
354
355       ----mmaaccffiillee==<<ss>> oorr --OO <<ss>>
356              Use custom Ethernet MAC to vendor mapping  file  <s>.   If  this
357              option  is not specified, the default filename is mac-vendor.txt
358              in the current directory. If that is not found,  then  the  file
359              /usr/local/share/arp-scan/mac-vendor.txt is used.
360
361       ----ssrrccaaddddrr==<<mm>> oorr --SS <<mm>>
362              Set  the  source  Ethernet  MAC  address  to <m>.  This sets the
363              48-bit hardware address in the Ethernet frame header for  outgo-
364              ing  ARP packets. It does not change the hardware address in the
365              ARP packet, see --arpsha for  details  on  how  to  change  that
366              address.   The  default  is the Ethernet address of the outgoing
367              interface.
368
369       ----ddeessttaaddddrr==<<mm>> oorr --TT <<mm>>
370              Send the packets to Ethernet  MAC  address  <m>  This  sets  the
371              48-bit  destination  address  in the Ethernet frame header.  The
372              default is the broadcast address ff:ff:ff:ff:ff:ff.  Most  oper-
373              ating  systems  will  also respond if the ARP request is sent to
374              their MAC address, or to a multicast address that they are  lis-
375              tening on.
376
377       ----aarrppsshhaa==<<mm>> oorr --uu <<mm>>
378              Use  <m> as the ARP source Ethernet address This sets the 48-bit
379              ar$sha field in the ARP packet It does not change  the  hardware
380              address in the frame header, see --srcaddr for details on how to
381              change that address. The default is the Ethernet address of  the
382              outgoing interface.
383
384       ----aarrpptthhaa==<<mm>> oorr --ww <<mm>>
385              Use  <m> as the ARP target Ethernet address This sets the 48-bit
386              ar$tha field in the ARP packet The default is zero, because this
387              field is not used for ARP request packets.
388
389       ----pprroottoottyyppee==<<ii>> oorr --yy <<ii>>
390              Set  the  Ethernet  protocol  type to <i>, default=0x0806.  This
391              sets the 16-bit  protocol  type  field  in  the  Ethernet  frame
392              header.   Setting this to a non-default value will result in the
393              packet being ignored by the target, or sent to the wrong  proto-
394              col stack.
395
396       ----aarrpphhrrdd==<<ii>> oorr --HH <<ii>>
397              Use  <i>  for  the  ARP hardware type, default=1.  This sets the
398              16-bit ar$hrd field in the ARP packet.  The normal  value  is  1
399              (ARPHRD_ETHER).  Most,  but not all, operating systems will also
400              respond to 6 (ARPHRD_IEEE802). A  few  systems  respond  to  any
401              value.
402
403       ----aarrpppprroo==<<ii>> oorr --pp <<ii>>
404              Use  <i>  for  the ARP protocol type, default=0x0800.  This sets
405              the 16-bit ar$pro field in the ARP packet.  Most operating  sys-
406              tems  only  respond  to  0x0800  (IPv4) but some will respond to
407              other values as well.
408
409       ----aarrpphhllnn==<<ii>> oorr --aa <<ii>>
410              Set the hardware address length to <i>,  default=6.   This  sets
411              the  8-bit  ar$hln field in the ARP packet.  It sets the claimed
412              length of the hardware address in the ARP packet. Setting it  to
413              any  value  other  than the default will make the packet non RFC
414              compliant.  Some operating  systems  may  still  respond  to  it
415              though.   Note  that the actual lengths of the ar$sha and ar$tha
416              fields in the ARP packet are not changed by this option; it only
417              changes the ar$hln field.
418
419       ----aarrppppllnn==<<ii>> oorr --PP <<ii>>
420              Set  the  protocol  address length to <i>, default=4.  This sets
421              the 8-bit ar$pln field in the ARP packet.  It sets  the  claimed
422              length  of the protocol address in the ARP packet. Setting it to
423              any value other than the default will make the  packet  non  RFC
424              compliant.   Some  operating  systems  may  still  respond to it
425              though.  Note that the actual lengths of the ar$spa  and  ar$tpa
426              fields in the ARP packet are not changed by this option; it only
427              changes the ar$pln field.
428
429       ----aarrppoopp==<<ii>> oorr --oo <<ii>>
430              Use <i> for the ARP operation, default=1.  This sets the  16-bit
431              ar$op field in the ARP packet.  Most operating systems will only
432              respond to the value 1 (ARPOP_REQUEST).  However,  some  systems
433              will respond to other values as well.
434
435       ----aarrppssppaa==<<aa>> oorr --ss <<aa>>
436              Use  <a> as the source IP address.  The address should be speci-
437              fied in dotted quad format; or the literal string "dest",  which
438              sets  the  source  address  to  be  the  same as the target host
439              address.  This sets the 32-bit ar$spa field in the  ARP  packet.
440              Some  operating systems check this, and will only respond if the
441              source address is within the network of the receiving interface.
442              Others  don't  care, and will respond to any source address.  By
443              default, the outgoing interface address is used.
444
445              WARNING: Setting ar$spa to the destination IP address  can  dis-
446              rupt  some  operating  systems,  as  they  assume there is an IP
447              address clash if they receive  an  ARP  request  for  their  own
448              address.
449
450       ----ppaaddddiinngg==<<hh>> oorr --AA <<hh>>
451              Specify  padding after packet data.  Set the padding data to hex
452              value <h>. This data is appended to the end of the  ARP  packet,
453              after the data.  Most, if not all, operating systems will ignore
454              any padding. The default is no padding,  although  the  Ethernet
455              driver  on  the sending system may pad the packet to the minimum
456              Ethernet frame length.
457
458       ----llllcc oorr --LL
459              Use RFC 1042 LLC framing with SNAP.  This option causes the out-
460              going  ARP  packets to use IEEE 802.2 framing with a SNAP header
461              as described in RFC 1042. The  default  is  to  use  Ethernet-II
462              framing.   arp-scan will decode and display received ARP packets
463              in either Ethernet-II or IEEE 802.2 formats irrespective of this
464              option.
465
466       ----vvllaann==<<ii>> oorr --QQ <<ii>>
467              Use  802.1Q  tagging  with  VLAN id <i>.  This option causes the
468              outgoing ARP packets to use 802.1Q VLAN tagging with a  VLAN  ID
469              of  <i>, which should be in the range 0 to 4095 inclusive.  arp-
470              scan will always decode and  display  received  ARP  packets  in
471              802.1Q format irrespective of this option.
472
473       ----ppccaappssaavveeffiillee==<<ss>> oorr --WW <<ss>>
474              Write received packets to pcap savefile <s>.  This option causes
475              received ARP responses to be written to the specified pcap save-
476              file  as  well as being decoded and displayed. This savefile can
477              be analysed with programs that understand the pcap file  format,
478              such as "tcpdump" and "wireshark".
479
480       ----rrtttt oorr --DD
481              Display the packet round-trip time.
482
483FFIILLEESS
484       _/_u_s_r_/_l_o_c_a_l_/_s_h_a_r_e_/_a_r_p_-_s_c_a_n_/_i_e_e_e_-_o_u_i_._t_x_t
485              List  of IEEE OUI (Organisationally Unique Identifier) to vendor
486              mappings.
487
488       _/_u_s_r_/_l_o_c_a_l_/_s_h_a_r_e_/_a_r_p_-_s_c_a_n_/_i_e_e_e_-_i_a_b_._t_x_t
489              List of IEEE IAB (Individual Address Block) to vendor  mappings.
490
491       _/_u_s_r_/_l_o_c_a_l_/_s_h_a_r_e_/_a_r_p_-_s_c_a_n_/_m_a_c_-_v_e_n_d_o_r_._t_x_t
492              List of other Ethernet MAC to vendor mappings.
493
494EEXXAAMMPPLLEESS
495       The  example  below  shows  aarrpp--ssccaann  being  used  to  scan the network
496       _1_9_2_._1_6_8_._0_._0_/_2_4 using the network interface _e_t_h_0.
497
498       $ arp-scan --interface=eth0 192.168.0.0/24
499       Interface: eth0, datalink type: EN10MB (Ethernet)
500       Starting arp-scan 1.4 with 256 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
501       192.168.0.1     00:c0:9f:09:b8:db       QUANTA COMPUTER, INC.
502       192.168.0.3     00:02:b3:bb:66:98       Intel Corporation
503       192.168.0.5     00:02:a5:90:c3:e6       Compaq Computer Corporation
504       192.168.0.6     00:c0:9f:0b:91:d1       QUANTA COMPUTER, INC.
505       192.168.0.12    00:02:b3:46:0d:4c       Intel Corporation
506       192.168.0.13    00:02:a5:de:c2:17       Compaq Computer Corporation
507       192.168.0.87    00:0b:db:b2:fa:60       Dell ESG PCBA Test
508       192.168.0.90    00:02:b3:06:d7:9b       Intel Corporation
509       192.168.0.105   00:13:72:09:ad:76       Dell Inc.
510       192.168.0.153   00:10:db:26:4d:52       Juniper Networks, Inc.
511       192.168.0.191   00:01:e6:57:8b:68       Hewlett-Packard Company
512       192.168.0.251   00:04:27:6a:5d:a1       Cisco Systems, Inc.
513       192.168.0.196   00:30:c1:5e:58:7d       HEWLETT-PACKARD
514
515       13 packets received by filter, 0 packets dropped by kernel
516       Ending arp-scan: 256 hosts scanned in 3.386 seconds (75.61 hosts/sec).  13 responded
517
518       This next example shows aarrpp--ssccaann being used to scan the  local  network
519       after configuring the network interface with DHCP using _p_u_m_p.
520
521       # pump
522       # ifconfig eth0
523       eth0      Link encap:Ethernet  HWaddr 00:D0:B7:0B:DD:C7
524                 inet addr:10.0.84.178  Bcast:10.0.84.183  Mask:255.255.255.248
525                 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
526                 RX packets:46335 errors:0 dropped:0 overruns:0 frame:0
527                 TX packets:1542776 errors:0 dropped:0 overruns:0 carrier:0
528                 collisions:1644 txqueuelen:1000
529                 RX bytes:6184146 (5.8 MiB)  TX bytes:348887835 (332.7 MiB)
530       # arp-scan --localnet
531       Interface: eth0, datalink type: EN10MB (Ethernet)
532       Starting arp-scan 1.4 with 8 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
533       10.0.84.179     00:02:b3:63:c7:57       Intel Corporation
534       10.0.84.177     00:d0:41:08:be:e8       AMIGO TECHNOLOGY CO., LTD.
535       10.0.84.180     00:02:b3:bd:82:9b       Intel Corporation
536       10.0.84.181     00:02:b3:1f:73:da       Intel Corporation
537
538       4 packets received by filter, 0 packets dropped by kernel
539       Ending arp-scan 1.4: 8 hosts scanned in 0.820 seconds (9.76 hosts/sec).  4 responded
540
541AAUUTTHHOORR
542       Roy Hills <[email protected]>
543
544SSEEEE AALLSSOO
545       ggeett--oouuii(1)
546
547       ggeett--iiaabb(1)
548
549       aarrpp--ffiinnggeerrpprriinntt(1)
550
551       RRFFCC 882266 - An Ethernet Address Resolution Protocol
552
553       _h_t_t_p_:_/_/_w_w_w_._n_t_a_-_m_o_n_i_t_o_r_._c_o_m_/_w_i_k_i_/ The arp-scan wiki page.
554
555       _h_t_t_p_s_:_/_/_g_i_t_h_u_b_._c_o_m_/_r_o_y_h_i_l_l_s_/_a_r_p_-_s_c_a_n The arp-scan homepage.
556
557
558
559                                August 13, 2016                    ARP-SCAN(1)