macOSでarp-scanコマンドを使ってRaspberry Piのipを調べる
Linuxではデフォルトでインストールされているarp-scan
コマンド。
macOSで利用する場合は、Homebrewでインストールしましょう。
1brew install arp-scan
インストールできました。
ラズパイにsshする時に必要になるipアドレスを調べてみましょう。
1sudo arp-scan -l
2Password:
3Interface: en0, datalink type: EN10MB (Ethernet)
4Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
5192.168.100.1 00:a0:de:6a:ac:51 YAMAHA CORPORATION
6192.168.100.2 f0:99:bf:04:35:98 Apple, Inc.
7192.168.100.3 f0:99:bf:04:35:98 Apple, Inc.
8192.168.100.4 00:b3:62:dc:f9:91 (Unknown)
9192.168.100.20 00:22:cf:fa:57:b3 PLANEX COMMUNICATIONS INC.
10192.168.100.6 dc:ef:ca:89:91:d6 (Unknown)
11192.168.100.9 d8:00:4d:ee:5c:7d Apple, Inc.
12192.168.100.12 60:f8:1d:be:e2:ac Apple, Inc.
13192.168.100.15 78:88:6d:c3:86:58 (Unknown)
14
15518 packets received by filter, 0 packets dropped by kernel
16Ending arp-scan 1.9.5: 256 hosts scanned in 1.851 seconds (138.30 hosts/sec). 10 responded
ラズパイにはPLANEX
の無線LAN子機をつけているので、今回の場合は192.168.100.20
になります。
1ssh [email protected]
arp-scan
便利ですね。
しかし、Apple製品多いな…
manをはっておこう…
1man arp-scan
1ARP-SCAN(1) ARP-SCAN(1)
2
3
4
5NNAAMMEE
6 arp-scan - The ARP scanner
7
8SSYYNNOOPPSSIISS
9 aarrpp--ssccaann [_o_p_t_i_o_n_s] [_h_o_s_t_s...]
10
11 Target hosts must be specified on the command line unless the ----ffiillee
12 option is given, in which case the targets are read from the specified
13 file instead, or the ----llooccaallnneett option is used, in which case the tar-
14 gets are generated from the network interface IP address and netmask.
15
16 You will need to be root, or aarrpp--ssccaann must be SUID root, in order to
17 run aarrpp--ssccaann, because the functions that it uses to read and write
18 packets require root privilege.
19
20 The target hosts can be specified as IP addresses or hostnames. You
21 can also specify the target as IIPPnneettwwoorrkk//bbiittss (e.g. 192.168.1.0/24) to
22 specify all hosts in the given network (network and broadcast addresses
23 included), IIPPssttaarrtt--IIPPeenndd (e.g. 192.168.1.3-192.168.1.27) to specify all
24 hosts in the inclusive range, or IIPPnneettwwoorrkk::NNeettMMaasskk (e.g.
25 192.168.1.0:255.255.255.0) to specify all hosts in the given network
26 and mask.
27
28DDEESSCCRRIIPPTTIIOONN
29 aarrpp--ssccaann sends ARP packets to hosts on the local network and displays
30 any responses that are received. The network interface to use can be
31 specified with the ----iinntteerrffaaccee option. If this option is not present,
32 aarrpp--ssccaann will search the system interface list for the lowest numbered,
33 configured up interface (excluding loopback). By default, the ARP
34 packets are sent to the Ethernet broadcast address, ff:ff:ff:ff:ff:ff,
35 but that can be changed with the ----ddeessttaaddddrr option.
36
37 The target hosts to scan may be specified in one of three ways: by
38 specifying the targets on the command line; by specifying a file con-
39 taining the targets with the ----ffiillee option; or by specifying the
40 ----llooccaallnneett option which causes all possible hosts on the network
41 attached to the interface (as defined by the interface address and
42 mask) to be scanned. For hosts specified on the command line, or with
43 the ----ffiillee option, you can use either IP addresses or hostnames. You
44 can also use network specifications IIPPnneettwwoorrkk//bbiittss, IIPPssttaarrtt--IIPPeenndd, or
45 IIPPnneettwwoorrkk::NNeettMMaasskk.
46
47 The list of target hosts is stored in memory. Each host in this list
48 uses 28 bytes of memory, so scanning a Class-B network (65,536 hosts)
49 requires about 1.75MB of memory for the list, and scanning a Class-A
50 (16,777,216 hosts) requires about 448MB.
51
52 aarrpp--ssccaann supports Ethernet and 802.11 wireless networks. It could also
53 support token ring and FDDI, but they have not been tested. It does not
54 support serial links such as PPP or SLIP, because ARP is not supported
55 on them.
56
57 The ARP protocol is a layer-2 (datalink layer) protocol that is used to
58 determine a host's layer-2 address given its layer-3 (network layer)
59 address. ARP was designed to work with any layer-2 and layer-3 address
60 format, but the most common use is to map IP addresses to Ethernet
61 hardware addresses, and this is what aarrpp--ssccaann supports. ARP only oper-
62 ates on the local network, and cannot be routed. Although the ARP pro-
63 tocol makes use of IP addresses, it is not an IP-based protocol and
64 aarrpp--ssccaann can be used on an interface that is not configured for IP.
65
66 ARP is only used by IPv4 hosts. IPv6 uses NDP (neighbour discovery pro-
67 tocol) instead, which is a different protocol and is not supported by
68 aarrpp--ssccaann.
69
70 One ARP packet is sent for each for each target host, with the target
71 protocol address (the ar$tpa field) set to the IP address of this host.
72 If a host does not respond, then the ARP packet will be re-sent once
73 more. The maximum number of retries can be changed with the ----rreettrryy
74 option. Reducing the number of retries will reduce the scanning time
75 at the possible risk of missing some results due to packet loss.
76
77 You can specify the bandwidth that aarrpp--ssccaann will use for the outgoing
78 ARP packets with the ----bbaannddwwiiddtthh option. By default, it uses a band-
79 width of 256000 bits per second. Increasing the bandwidth will reduce
80 the scanning time, but setting the bandwidth too high may result in an
81 ARP storm which can disrupt network operation. Also, setting the band-
82 width too high can send packets faster than the network interface can
83 transmit them, which will eventually fill the kernel's transmit buffer
84 resulting in the error message: _N_o _b_u_f_f_e_r _s_p_a_c_e _a_v_a_i_l_a_b_l_e. Another way
85 to specify the outgoing ARP packet rate is with the ----iinntteerrvvaall option,
86 which is an alternative way to modify the same underlying parameter.
87
88 The time taken to perform a single-pass scan (i.e. with ----rreettrryy==11) is
89 given by:
90
91 time = n*i + t + o
92
93 Where _n is the number of hosts in the list, _i is the time interval
94 between packets (specified with ----iinntteerrvvaall, or calculated from ----bbaanndd--
95 wwiiddtthh), _t is the timeout value (specified with ----ttiimmeeoouutt) and _o is the
96 overhead time taken to load the targets into the list and read the
97 MAC/Vendor mapping files. For small lists of hosts, the timeout value
98 will dominate, but for large lists the packet interval is the most
99 important value.
100
101 With 65,536 hosts, the default bandwidth of 256,000 bits/second (which
102 results in a packet interval of 2ms), the default timeout of 500ms, and
103 a single pass ( ----rreettrryy==11), and assuming an overhead of 1 second, the
104 scan would take 65536*0.002 + 0.5 + 1 = 132.57 seconds, or about 2 min-
105 utes 13 seconds.
106
107 Any part of the outgoing ARP packet may be modified through the use of
108 the various ----aarrppXXXXXX options. The use of some of these options may
109 make the outgoing ARP packet non RFC compliant. Different operating
110 systems handle the various non standard ARP packets in different ways,
111 and this may be used to fingerprint these systems. See aarrpp--ffiinnggeerr--
112 pprriinntt(1) for information about a script which uses these options to
113 fingerprint the target operating system.
114
115 The table below summarises the options that change the outgoing ARP
116 packet. In this table, the _F_i_e_l_d column gives the ARP packet field name
117 from RFC 826, _B_i_t_s specifies the number of bits in the field, _O_p_t_i_o_n
118 shows the aarrpp--ssccaann option to modify this field, and _N_o_t_e_s gives the
119 default value and any other notes.
120
121 +---------------------------------------------------------------+
122 | OOuuttggooiinngg AARRPP PPaacckkeett OOppttiioonnss |
123 +-------+------+----------+-------------------------------------+
124 |FFiieelldd | BBiittss | OOppttiioonn | NNootteess |
125 +-------+------+----------+-------------------------------------+
126 |ar$hrd | 16 | --arphrd | Default is 1 (ARPHRD_ETHER) |
127 |ar$pro | 16 | --arppro | Default is 0x0800 |
128 |ar$hln | 8 | --arphln | Default is 6 (ETH_ALEN) |
129 |ar$pln | 8 | --arppln | Default is 4 (IPv4) |
130 |ar$op | 16 | --arpop | Default is 1 (ARPOP_REQUEST) |
131 |ar$sha | 48 | --arpsha | Default is interface h/w address |
132 |ar$spa | 32 | --arpspa | Default is interface IP address |
133 |ar$tha | 48 | --arptha | Default is zero (00:00:00:00:00:00) |
134 |ar$tpa | 32 | None | Set to the target host IP address |
135 +-------+------+----------+-------------------------------------+
136
137 The most commonly used outgoing ARP packet option is ----aarrppssppaa, which
138 sets the source IP address in the ARP packet. This option allows the
139 outgoing ARP packet to use a different source IP address from the out-
140 going interface address. With this option it is possible to use aarrpp--
141 ssccaann on an interface with no IP address configured, which can be useful
142 if you want to ensure that the testing host does not interact with the
143 network being tested.
144
145 WWaarrnniinngg:: SSeettttiinngg aarr$$ssppaa ttoo tthhee ddeessttiinnaattiioonn IIPP aaddddrreessss ccaann ddiissrruupptt ssoommee
146 ooppeerraattiinngg ssyysstteemmss,, aass tthheeyy aassssuummee tthheerree iiss aann IIPP aaddddrreessss ccllaasshh iiff tthheeyy
147 rreecceeiivvee aann AARRPP rreeqquueesstt ffoorr tthheeiirr oowwnn aaddddrreessss..
148
149 It is also possible to change the values in the Ethernet frame header
150 that precedes the ARP packet in the outgoing packets. The table below
151 summarises the options that change values in the Ethernet frame header.
152
153 +-------------------------------------------------------------------+
154 | OOuuttggooiinngg EEtthheerrnneett FFrraammee OOppttiioonnss |
155 +---------------+------+-------------+------------------------------+
156 |FFiieelldd | BBiittss | OOppttiioonn | NNootteess |
157 +---------------+------+-------------+------------------------------+
158 |Dest Address | 48 | --destaddr | Default is ff:ff:ff:ff:ff:ff |
159 |Source Address | 48 | --srcaddr | Default is interface address |
160 |Protocol Type | 16 | --prototype | Default is 0x0806 |
161 +---------------+------+-------------+------------------------------+
162
163 The most commonly used outgoing Ethernet frame option is ----ddeessttaaddddrr,
164 which sets the destination Ethernet address for the ARP packet. ----pprroo--
165 ttoottyyppee is not often used, because it will cause the packet to be inter-
166 preted as a different Ethernet protocol.
167
168 Any ARP responses that are received are displayed in the following for-
169 mat:
170
171 <IP Address> <Hardware Address> <Vendor Details>
172
173 Where IIPP AAddddrreessss is the IP address of the responding target, HHaarrddwwaarree
174 AAddddrreessss is its Ethernet hardware address (also known as the MAC
175 address) and VVeennddoorr DDeettaaiillss are the vendor details, decoded from the
176 hardware address. The output fields are separated by a single tab
177 character.
178
179 The responses are displayed in the order they are received, which is
180 not always the same order as the requests were sent because some hosts
181 may respond faster than others.
182
183 The vendor decoding uses the files _i_e_e_e_-_o_u_i_._t_x_t, _i_e_e_e_-_i_a_b_._t_x_t and _m_a_c_-
184 _v_e_n_d_o_r_._t_x_t, which are supplied with aarrpp--ssccaann. The _i_e_e_e_-_o_u_i_._t_x_t and
185 _i_e_e_e_-_i_a_b_._t_x_t files are generated from the OUI and IAB data on the IEEE
186 website at _h_t_t_p_:_/_/_s_t_a_n_d_a_r_d_s_-_o_u_i_._i_e_e_e_._o_r_g_/_o_u_i_/_o_u_i_._t_x_t and _h_t_t_p_:_/_/_s_t_a_n_-
187 _d_a_r_d_s_._i_e_e_e_._o_r_g_/_r_e_g_a_u_t_h_/_o_u_i_/_i_a_b_._t_x_t. The Perl scripts ggeett--oouuii and ggeett--
188 iiaabb, which are included in the aarrpp--ssccaann package, can be used to update
189 these files with the latest data from the IEEE website. The _m_a_c_-_v_e_n_-
190 _d_o_r_._t_x_t file contains other MAC to Vendor mappings that are not covered
191 by the IEEE OUI and IAB files, and can be used to add custom mappings.
192
193 Almost all hosts that support IP will respond to aarrpp--ssccaann if they
194 receive an ARP packet with the target protocol address (ar$tpa) set to
195 their IP address. This includes firewalls and other hosts with IP fil-
196 tering that drop all IP traffic from the testing system. For this rea-
197 son, aarrpp--ssccaann is a useful tool to quickly determine all the active IP
198 hosts on a given Ethernet network segment.
199
200OOPPTTIIOONNSS
201 Where an option takes a value, that value is specified as a letter in
202 angle brackets. The letter indicates the type of data that is expected:
203
204 <<ss>> A character string, e.g. --file=hostlist.txt.
205
206 <<ii>> An integer, which can be specified as a decimal number or as a
207 hexadecimal number if preceeded with 0x, e.g. --arppro=2048 or
208 --arpro=0x0800.
209
210 <<ff>> A floating point decimal number, e.g. --backoff=1.5.
211
212 <<mm>> An Ethernet MAC address, which can be specified either in the
213 format 01:23:45:67:89:ab, or as 01-23-45-67-89-ab. The alpha-
214 betic hex characters may be either upper or lower case. E.g.
215 --arpsha=01:23:45:67:89:ab.
216
217 <<aa>> An IPv4 address, e.g. --arpspa=10.0.0.1
218
219 <<hh>> Binary data specified as a hexadecimal string, which should not
220 include a leading 0x. The alphabetic hex characters may be
221 either upper or lower case. E.g. --padding=aaaaaaaaaaaa
222
223 <<xx>> Something else. See the description of the option for details.
224
225 ----hheellpp oorr --hh
226 Display this usage message and exit.
227
228 ----ffiillee==<<ss>> oorr --ff <<ss>>
229 Read hostnames or addresses from the specified file instead of
230 from the command line. One name or IP address per line. Use "-"
231 for standard input.
232
233 ----llooccaallnneett oorr --ll
234 Generate addresses from network interface configuration. Use
235 the network interface IP address and network mask to generate
236 the list of target host addresses. The list will include the
237 network and broadcast addresses, so an interface address of
238 10.0.0.1 with netmask 255.255.255.0 would generate 256 target
239 hosts from 10.0.0.0 to 10.0.0.255 inclusive. If you use this
240 option, you cannot specify the --file option or specify any tar-
241 get hosts on the command line. The interface specifications are
242 taken from the interface that arp-scan will use, which can be
243 changed with the --interface option.
244
245 ----rreettrryy==<<ii>> oorr --rr <<ii>>
246 Set total number of attempts per host to <i>, default=2.
247
248 ----ttiimmeeoouutt==<<ii>> oorr --tt <<ii>>
249 Set initial per host timeout to <i> ms, default=500. This time-
250 out is for the first packet sent to each host. subsequent time-
251 outs are multiplied by the backoff factor which is set with
252 --backoff.
253
254 ----iinntteerrvvaall==<<xx>> oorr --ii <<xx>>
255 Set minimum packet interval to <x>. This controls the outgoing
256 bandwidth usage by limiting the rate at which packets can be
257 sent. The packet interval will be no smaller than this number.
258 If you want to use up to a given bandwidth, then it is easier to
259 use the --bandwidth option instead. The interval specified is
260 in milliseconds by default, or in microseconds if "u" is
261 appended to the value.
262
263 ----bbaannddwwiiddtthh==<<xx>> oorr --BB <<xx>>
264 Set desired outbound bandwidth to <x>, default=256000. The
265 value is in bits per second by default. If you append "K" to the
266 value, then the units are kilobits per sec; and if you append
267 "M" to the value, the units are megabits per second. The "K"
268 and "M" suffixes represent the decimal, not binary, multiples.
269 So 64K is 64000, not 65536. You cannot specify both --interval
270 and --bandwidth because they are just different ways to change
271 the same underlying parameter.
272
273 ----bbaacckkooffff==<<ff>> oorr --bb <<ff>>
274 Set timeout backoff factor to <f>, default=1.50. The per-host
275 timeout is multiplied by this factor after each timeout. So, if
276 the number of retries is 3, the initial per-host timeout is
277 500ms and the backoff factor is 1.5, then the first timeout will
278 be 500ms, the second 750ms and the third 1125ms.
279
280 ----vveerrbboossee oorr --vv
281 Display verbose progress messages. Use more than once for
282 greater effect:
283
284 1 - Display the network address and mask used when the --local-
285 net option is specified, display any nonzero packet padding,
286 display packets received from unknown hosts, and show when each
287 pass through the list completes.
288
289 2 - Show each packet sent and received, when entries are removed
290 from the list, the pcap filter string, and counts of MAC/Vendor
291 mapping entries.
292
293 3 - Display the host list before scanning starts.
294
295 ----vveerrssiioonn oorr --VV
296 Display program version and exit.
297
298 ----rraannddoomm oorr --RR
299 Randomise the host list. This option randomises the order of
300 the hosts in the host list, so the ARP packets are sent to the
301 hosts in a random order. It uses the Knuth shuffle algorithm.
302
303 ----rraannddoommsseeeedd==<<ii>>
304 Use <i> to seed the pseudo random number generator. This option
305 seeds the PRNG with the specified number, which can be useful if
306 you want to ensure that the random host list is reproducable. By
307 default, the PRNG is seeded with an unpredictable value. This
308 option is only effective in conjunction with the --random (-R)
309 option.
310
311 ----nnuummeerriicc oorr --NN
312 IP addresses only, no hostnames. With this option, all hosts
313 must be specified as IP addresses. Hostnames are not permitted.
314 No DNS lookups will be performed.
315
316 ----ssnnaapp==<<ii>> oorr --nn <<ii>>
317 Set the pcap snap length to <i>. Default=64. This specifies the
318 frame capture length. This length includes the data-link header.
319 The default is normally sufficient.
320
321 ----iinntteerrffaaccee==<<ss>> oorr --II <<ss>>
322 Use network interface <s>. If this option is not specified,
323 arp-scan will search the system interface list for the lowest
324 numbered, configured up interface (excluding loopback). The
325 interface specified must support ARP.
326
327 ----qquuiieett oorr --qq
328 Only display minimal output. No protocol decoding. If this
329 option is specified, then only the IP address and MAC address
330 are displayed for each responding host. No protocol decoding is
331 performed and the OUI mapping files are not used.
332
333 ----ppllaaiinn oorr --xx
334 Display plain output showing only responding hosts. This option
335 supresses the printing of the header and footer text, and only
336 displays one line for each responding host. Useful if the output
337 will be parsed by a script.
338
339 ----iiggnnoorreedduuppss oorr --gg
340 Don't display duplicate packets. By default, duplicate packets
341 are displayed and are flagged with "(DUP: n)".
342
343 ----oouuiiffiillee==<<ss>> oorr --OO <<ss>>
344 Use IEEE Ethernet OUI to vendor mapping file <s>. If this
345 option is not specified, the default filename is ieee-oui.txt in
346 the current directory. If that is not found, then the file
347 /usr/local/share/arp-scan/ieee-oui.txt is used.
348
349 ----iiaabbffiillee==<<ss>> oorr --OO <<ss>>
350 Use IEEE Ethernet IAB to vendor mapping file <s>. If this
351 option is not specified, the default filename is ieee-iab.txt in
352 the current directory. If that is not found, then the file
353 /usr/local/share/arp-scan/ieee-iab.txt is used.
354
355 ----mmaaccffiillee==<<ss>> oorr --OO <<ss>>
356 Use custom Ethernet MAC to vendor mapping file <s>. If this
357 option is not specified, the default filename is mac-vendor.txt
358 in the current directory. If that is not found, then the file
359 /usr/local/share/arp-scan/mac-vendor.txt is used.
360
361 ----ssrrccaaddddrr==<<mm>> oorr --SS <<mm>>
362 Set the source Ethernet MAC address to <m>. This sets the
363 48-bit hardware address in the Ethernet frame header for outgo-
364 ing ARP packets. It does not change the hardware address in the
365 ARP packet, see --arpsha for details on how to change that
366 address. The default is the Ethernet address of the outgoing
367 interface.
368
369 ----ddeessttaaddddrr==<<mm>> oorr --TT <<mm>>
370 Send the packets to Ethernet MAC address <m> This sets the
371 48-bit destination address in the Ethernet frame header. The
372 default is the broadcast address ff:ff:ff:ff:ff:ff. Most oper-
373 ating systems will also respond if the ARP request is sent to
374 their MAC address, or to a multicast address that they are lis-
375 tening on.
376
377 ----aarrppsshhaa==<<mm>> oorr --uu <<mm>>
378 Use <m> as the ARP source Ethernet address This sets the 48-bit
379 ar$sha field in the ARP packet It does not change the hardware
380 address in the frame header, see --srcaddr for details on how to
381 change that address. The default is the Ethernet address of the
382 outgoing interface.
383
384 ----aarrpptthhaa==<<mm>> oorr --ww <<mm>>
385 Use <m> as the ARP target Ethernet address This sets the 48-bit
386 ar$tha field in the ARP packet The default is zero, because this
387 field is not used for ARP request packets.
388
389 ----pprroottoottyyppee==<<ii>> oorr --yy <<ii>>
390 Set the Ethernet protocol type to <i>, default=0x0806. This
391 sets the 16-bit protocol type field in the Ethernet frame
392 header. Setting this to a non-default value will result in the
393 packet being ignored by the target, or sent to the wrong proto-
394 col stack.
395
396 ----aarrpphhrrdd==<<ii>> oorr --HH <<ii>>
397 Use <i> for the ARP hardware type, default=1. This sets the
398 16-bit ar$hrd field in the ARP packet. The normal value is 1
399 (ARPHRD_ETHER). Most, but not all, operating systems will also
400 respond to 6 (ARPHRD_IEEE802). A few systems respond to any
401 value.
402
403 ----aarrpppprroo==<<ii>> oorr --pp <<ii>>
404 Use <i> for the ARP protocol type, default=0x0800. This sets
405 the 16-bit ar$pro field in the ARP packet. Most operating sys-
406 tems only respond to 0x0800 (IPv4) but some will respond to
407 other values as well.
408
409 ----aarrpphhllnn==<<ii>> oorr --aa <<ii>>
410 Set the hardware address length to <i>, default=6. This sets
411 the 8-bit ar$hln field in the ARP packet. It sets the claimed
412 length of the hardware address in the ARP packet. Setting it to
413 any value other than the default will make the packet non RFC
414 compliant. Some operating systems may still respond to it
415 though. Note that the actual lengths of the ar$sha and ar$tha
416 fields in the ARP packet are not changed by this option; it only
417 changes the ar$hln field.
418
419 ----aarrppppllnn==<<ii>> oorr --PP <<ii>>
420 Set the protocol address length to <i>, default=4. This sets
421 the 8-bit ar$pln field in the ARP packet. It sets the claimed
422 length of the protocol address in the ARP packet. Setting it to
423 any value other than the default will make the packet non RFC
424 compliant. Some operating systems may still respond to it
425 though. Note that the actual lengths of the ar$spa and ar$tpa
426 fields in the ARP packet are not changed by this option; it only
427 changes the ar$pln field.
428
429 ----aarrppoopp==<<ii>> oorr --oo <<ii>>
430 Use <i> for the ARP operation, default=1. This sets the 16-bit
431 ar$op field in the ARP packet. Most operating systems will only
432 respond to the value 1 (ARPOP_REQUEST). However, some systems
433 will respond to other values as well.
434
435 ----aarrppssppaa==<<aa>> oorr --ss <<aa>>
436 Use <a> as the source IP address. The address should be speci-
437 fied in dotted quad format; or the literal string "dest", which
438 sets the source address to be the same as the target host
439 address. This sets the 32-bit ar$spa field in the ARP packet.
440 Some operating systems check this, and will only respond if the
441 source address is within the network of the receiving interface.
442 Others don't care, and will respond to any source address. By
443 default, the outgoing interface address is used.
444
445 WARNING: Setting ar$spa to the destination IP address can dis-
446 rupt some operating systems, as they assume there is an IP
447 address clash if they receive an ARP request for their own
448 address.
449
450 ----ppaaddddiinngg==<<hh>> oorr --AA <<hh>>
451 Specify padding after packet data. Set the padding data to hex
452 value <h>. This data is appended to the end of the ARP packet,
453 after the data. Most, if not all, operating systems will ignore
454 any padding. The default is no padding, although the Ethernet
455 driver on the sending system may pad the packet to the minimum
456 Ethernet frame length.
457
458 ----llllcc oorr --LL
459 Use RFC 1042 LLC framing with SNAP. This option causes the out-
460 going ARP packets to use IEEE 802.2 framing with a SNAP header
461 as described in RFC 1042. The default is to use Ethernet-II
462 framing. arp-scan will decode and display received ARP packets
463 in either Ethernet-II or IEEE 802.2 formats irrespective of this
464 option.
465
466 ----vvllaann==<<ii>> oorr --QQ <<ii>>
467 Use 802.1Q tagging with VLAN id <i>. This option causes the
468 outgoing ARP packets to use 802.1Q VLAN tagging with a VLAN ID
469 of <i>, which should be in the range 0 to 4095 inclusive. arp-
470 scan will always decode and display received ARP packets in
471 802.1Q format irrespective of this option.
472
473 ----ppccaappssaavveeffiillee==<<ss>> oorr --WW <<ss>>
474 Write received packets to pcap savefile <s>. This option causes
475 received ARP responses to be written to the specified pcap save-
476 file as well as being decoded and displayed. This savefile can
477 be analysed with programs that understand the pcap file format,
478 such as "tcpdump" and "wireshark".
479
480 ----rrtttt oorr --DD
481 Display the packet round-trip time.
482
483FFIILLEESS
484 _/_u_s_r_/_l_o_c_a_l_/_s_h_a_r_e_/_a_r_p_-_s_c_a_n_/_i_e_e_e_-_o_u_i_._t_x_t
485 List of IEEE OUI (Organisationally Unique Identifier) to vendor
486 mappings.
487
488 _/_u_s_r_/_l_o_c_a_l_/_s_h_a_r_e_/_a_r_p_-_s_c_a_n_/_i_e_e_e_-_i_a_b_._t_x_t
489 List of IEEE IAB (Individual Address Block) to vendor mappings.
490
491 _/_u_s_r_/_l_o_c_a_l_/_s_h_a_r_e_/_a_r_p_-_s_c_a_n_/_m_a_c_-_v_e_n_d_o_r_._t_x_t
492 List of other Ethernet MAC to vendor mappings.
493
494EEXXAAMMPPLLEESS
495 The example below shows aarrpp--ssccaann being used to scan the network
496 _1_9_2_._1_6_8_._0_._0_/_2_4 using the network interface _e_t_h_0.
497
498 $ arp-scan --interface=eth0 192.168.0.0/24
499 Interface: eth0, datalink type: EN10MB (Ethernet)
500 Starting arp-scan 1.4 with 256 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
501 192.168.0.1 00:c0:9f:09:b8:db QUANTA COMPUTER, INC.
502 192.168.0.3 00:02:b3:bb:66:98 Intel Corporation
503 192.168.0.5 00:02:a5:90:c3:e6 Compaq Computer Corporation
504 192.168.0.6 00:c0:9f:0b:91:d1 QUANTA COMPUTER, INC.
505 192.168.0.12 00:02:b3:46:0d:4c Intel Corporation
506 192.168.0.13 00:02:a5:de:c2:17 Compaq Computer Corporation
507 192.168.0.87 00:0b:db:b2:fa:60 Dell ESG PCBA Test
508 192.168.0.90 00:02:b3:06:d7:9b Intel Corporation
509 192.168.0.105 00:13:72:09:ad:76 Dell Inc.
510 192.168.0.153 00:10:db:26:4d:52 Juniper Networks, Inc.
511 192.168.0.191 00:01:e6:57:8b:68 Hewlett-Packard Company
512 192.168.0.251 00:04:27:6a:5d:a1 Cisco Systems, Inc.
513 192.168.0.196 00:30:c1:5e:58:7d HEWLETT-PACKARD
514
515 13 packets received by filter, 0 packets dropped by kernel
516 Ending arp-scan: 256 hosts scanned in 3.386 seconds (75.61 hosts/sec). 13 responded
517
518 This next example shows aarrpp--ssccaann being used to scan the local network
519 after configuring the network interface with DHCP using _p_u_m_p.
520
521 # pump
522 # ifconfig eth0
523 eth0 Link encap:Ethernet HWaddr 00:D0:B7:0B:DD:C7
524 inet addr:10.0.84.178 Bcast:10.0.84.183 Mask:255.255.255.248
525 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
526 RX packets:46335 errors:0 dropped:0 overruns:0 frame:0
527 TX packets:1542776 errors:0 dropped:0 overruns:0 carrier:0
528 collisions:1644 txqueuelen:1000
529 RX bytes:6184146 (5.8 MiB) TX bytes:348887835 (332.7 MiB)
530 # arp-scan --localnet
531 Interface: eth0, datalink type: EN10MB (Ethernet)
532 Starting arp-scan 1.4 with 8 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
533 10.0.84.179 00:02:b3:63:c7:57 Intel Corporation
534 10.0.84.177 00:d0:41:08:be:e8 AMIGO TECHNOLOGY CO., LTD.
535 10.0.84.180 00:02:b3:bd:82:9b Intel Corporation
536 10.0.84.181 00:02:b3:1f:73:da Intel Corporation
537
538 4 packets received by filter, 0 packets dropped by kernel
539 Ending arp-scan 1.4: 8 hosts scanned in 0.820 seconds (9.76 hosts/sec). 4 responded
540
541AAUUTTHHOORR
542 Roy Hills <[email protected]>
543
544SSEEEE AALLSSOO
545 ggeett--oouuii(1)
546
547 ggeett--iiaabb(1)
548
549 aarrpp--ffiinnggeerrpprriinntt(1)
550
551 RRFFCC 882266 - An Ethernet Address Resolution Protocol
552
553 _h_t_t_p_:_/_/_w_w_w_._n_t_a_-_m_o_n_i_t_o_r_._c_o_m_/_w_i_k_i_/ The arp-scan wiki page.
554
555 _h_t_t_p_s_:_/_/_g_i_t_h_u_b_._c_o_m_/_r_o_y_h_i_l_l_s_/_a_r_p_-_s_c_a_n The arp-scan homepage.
556
557
558
559 August 13, 2016 ARP-SCAN(1)