Arp-Scan Command Tutorial With Examples

by İsmail Baydan · Published 24/03/2017 · Updated 30/11/2018

Network scanning is one of the steps of penetration testing. There are different and popular tools to scan network line masscan, nmap etc. Arp-scan is a tool specifically designed to scan network with layer 2 or mac or Ethernet arp packets.

Install

We can install arp-scan tool with the following command.

$ sudo apt install arp-scan -y

1	$ sudo apt install arp-scan -y

Install

Help

We can print help information with the -h option.

$ arp-scan -h

1	$ arp-scan -h

Help

Syntax

Usage: arp-scan [options] [hosts...]

1	Usage: arp-scan [options] [hosts...]

Scan Local Network

Most basic usage of arp-scan is scanning local network with a single options named --localnet or-l . This will scan whole local network with arp packets. While using arp-scan we need root privileges.

$ arp-scan  --localnet

1	$ arp-scan --localnet

Scan Local Network

Specify Network Interface

Enterprise environments requires more than one network interface for backup, load balancing etc. In this situations we need to specify network interface. We will use -i option. In the example we will use network interface named ens3 .

$ arp-scan --interface=ens3 --localnet

1	$ arp-scan --interface=ens3 --localnet

Specify Network Interface

Set Source Mac Address

During the scan process our exisiting mac address will be used. This may create some clue about the scan. We can change the source mac address during scan. This will make all sent packets have different mac address than our hardware mac address. We will use --destaddr or -T option.

$ arp-scan -T aa:bb:cc:dd:ee:ff

1	$ arp-scan -T aa:bb:cc:dd:ee:ff

Set Destination Mac Address

Another useful option is setting destination mac address with --srcaddr or -S option.

LEARN MORE What is Zenmap and How To Download, Install and Use In Windows, Linux?

$ arp-scan -S aa:bb:cc:dd:ee:ff

1	$ arp-scan -S aa:bb:cc:dd:ee:ff

Specify Vlan

In real world networks single interface can host multiple networks. This is generally done using some multiplexing protocol named Virtual Local Area Network or simply VLAN. If the interface is trunk which means interface hosts multiple VLANS we may need to specify VLAN id. We will use --vlan or -Q option to specify VLAN id. In the example we will only scan VLAN 10 .

$ arp-scan -i ens3 -Q 10

1	$ arp-scan -i ens3 -Q 10

Write Received Packets To Pcap

If the responses return by the scanned hosts are important for us we can save them in pcap format. Pcap format is supported by tools like tcpdump, wireshark etc. We will us -pcapsavefile or -W options to specify pcap file.

$ sudo arp-scan  --localnet -W scan.pcap

1	$ sudo arp-scan --localnet -W scan.pcap

Write Received Packets To Pcap

We can read pcap file with tcpdump like below.

$ tcpdump -r scan.pcap

1	$ tcpdump -r scan.pcap

To get more information about tcpdump read following tutorial.

http://www.poftut.com/tcpdump-tutorial-with-examples/

Arp-Scan Command Tutorial With Examples

Install

Help

Syntax

Scan Local Network

Specify Network Interface

Set Source Mac Address

Set Destination Mac Address

Specify Vlan

Write Received Packets To Pcap

1 Response

Leave a Reply Cancel reply

Enjoy this blog? Please spread the word :)