How to install arp-scan

Installing arp-scan on your Linux penetration testing box is as simple as calling up your distribution's preferred package manager.

For Ubuntu, Debian and similar distributions, type:

apt install arp-scan

On Fedora, Alpine Linux, Rocky or Red Hat Enterprise Linux distros, type:

dnf install arp-scan

On openSUSE, type:

zypper install arp-scan

On Arch Linux, type :

pacman -S arp-scan

Many security-oriented distributions, such asKali Linux, include arp-scan by default.

Mac users shouldinstall the Homebrew Mac package manager and then type the following command to install arp-scan:

brew install arp-scan

The installation is more challenging for Windows users. You'll need an arp-scan port (check GitHub), the Cygwin Unix-like environment or Windows Subsystem for Linux. After installing arp-scan, run it from the Terminal. It's a command-line application.

How to run an initial scan

Arp-scan works by sending ARP requests to all IP addresses in a specified range. These requests ask the receiving computers to respond to the source device with their IP address. This is an integral part of basic IP networking, so all systems should respond. Arp-scan records each response and displays the results.

The basic arp-scan syntax relies on a user to identify a network interface and the subnet you want to scan.

arp-scan -I <interface-id> <subnet>

For example, to scan subnet 192.168.2.0/24 on interface eth1, type:

arp-scan -I eth1 192.168.2.0/24

The results include all devices that respond to the ARP query. Arp-scan identifies them by media access control (MAC) and IP address, along with the network interface card manufacturer. The scan should finish quickly, since there's not much to the protocol.

Wireless networks also rely on MAC addresses, so you can specify your system's wireless interface as the source. This is a handy option for finding rogue wireless devices on your network.

Additional arp-scan options

Various arp-scan options can modify the tool's behavior. Combine the following with the standard scan options for greater flexibility:

• -q(quiet mode). Displays only MAC and IP addresses without showing interface manufacturer information.
• -x (plain mode). Hides the default header and footer information, making it easier to import the scan's results into other formats, such as CSV.
• -g. Ignores any duplicate responses.
• -r 3. Specifies the number of retries (three, in this example).
• -R. Randomizes the scan order of specified hosts.

Review thearp-scan man page for additional options. Combine the various options to gather and format the information needed.

Thearp-fingerprint command is part of the arp-scan package. Use it to target a single host.

Increase the arp-scan output verbosity by using the-v option. The results display scan passes in progress, packet length details, debug information and more. Use multiple v options for greater detail (such as -vvv).

Arp-scan use cases

Keep in mind that arp-scan does not attempt to hide from intrusion detection systems or other scan prevention tools. Its queries are obvious and noisy. If you prefer a stealthy scan, consider other tools. Netdiscover, for example, might be a good alternative. ARP traffic, however, is a normal part of networking, so other communications could camouflage your scan.

Use arp-scan in any scenario where detecting network nodes is crucial but hiding your actions is not. Consider the following examples:

• Network mapping and reconnaissance. Map networks for security audits or scan for unexpected and unknown devices.
• Ethical hacking. Map networks and identify devices during pen testing or other legitimate security activities.
• Troubleshooting. Identify active network nodes as part of a larger troubleshooting process.

Other network scanners, such as Nmap, work one layer higher in the OSI model than arp-scan. This provides greater functionality, but it also limits some of their usefulness. Since arp-scan operates at OSI Layer 2, it scans only the local segment. It will, however, find nodes other scanners might miss. Combine arp-scan and Nmap scans for best results. An arp-scan's simplicity is its greatest asset.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA blogs.