TL;DR: ARP scan is a network discovery technique used to identify active devices on a local network by sending ARP requests and analyzing the responses.
What is ARP Scan?
ARP scan is a method of network scanning that uses the Address Resolution Protocol (ARP) to map IP addresses to MAC (hardware) addresses on a local area network (LAN). It's typically used by system administrators and network security professionals to quickly identify all live hosts connected to a subnet.
Unlike traditional ping sweeps that rely on ICMP (which can be blocked by firewalls), ARP scans work at Layer 2 of the OSI model, making them more reliable for local network discovery—even when hosts do not respond to pings.
How Does ARP Scan Work?
- Send ARP Requests: The scanning tool sends ARP requests to all IP addresses in a target subnet (e.g., 192.168.1.1–254).
- Wait for ARP Replies: Devices that are online respond with their MAC addresses.
- Record Results: The scanner collects the IP-to-MAC mappings and optionally hostnames.
- Display Active Hosts: The output typically includes IP address, MAC address, and sometimes the vendor associated with the MAC prefix.
Types of ARP Scan
- Full Subnet Scan: Sends ARP requests to every IP in the range (most common).
- Targeted ARP Scan: Scans specific IPs or ranges (e.g., arp-scan 192.168.1.1-50).
- Stealth ARP Scan: Uses lower frequency or randomized timing to avoid detection (less common, used in penetration testing).
How to Implement ARP Scan
- Install an ARP Scan Tool: Use tools like arp-scan (Linux), Netdiscover, or the integrated ARP discovery in Nmap.
- Run the ARP Scan Command (Linux example):
  sudo arp-scan --interface=eth0 --localnet
  Or for a specific range:
  sudo arp-scan 192.168.1.0/24
- Interpret Output: Look for entries that list IP, MAC, and vendor details. Active devices will respond with their MAC addresses.
- Use in Scripting: Integrate ARP scans into network monitoring scripts for automation.
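As an added example of the scripting step above (not code from the original page or from the arp-scan project), the script below parses arp-scan's tab-separated output into the IP-to-MAC table the scanner produces and audits it the way a monitoring job would: it flags MACs missing from a maintained allowlist and MACs that answer for more than one IP. The output text and the allowlist are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of arp-scan output (not a real capture).  Data lines are
# tab-separated "IP<TAB>MAC<TAB>vendor"; the banner and summary lines are skipped.
SAMPLE_OUTPUT = """\
Interface: eth0, type: EN10MB, MAC: 00:11:22:33:44:55, IPv4: 192.168.1.10
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1\t00:50:56:c0:00:08\tVMware, Inc.
192.168.1.20\t3c:22:fb:aa:bb:cc\tApple, Inc.
192.168.1.21\t3c:22:fb:aa:bb:cc\tApple, Inc.
192.168.1.42\tb8:27:eb:12:34:56\tRaspberry Pi Foundation

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.012 seconds (127.24 hosts/sec). 4 responded
"""

# Hypothetical allowlist of MACs the defender expects on this subnet.
KNOWN_MACS = {"00:50:56:c0:00:08", "3c:22:fb:aa:bb:cc"}

# One result line: dotted-quad IP, colon-separated MAC, free-text vendor.
LINE_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\t([0-9a-f]{2}(?::[0-9a-f]{2}){5})\t(.*)$", re.I
)


def parse_arp_scan(text):
    """Return a list of (ip, mac, vendor) tuples from arp-scan output."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # non-matching lines are the banner, blank line and summary
            hosts.append((m.group(1), m.group(2).lower(), m.group(3).strip()))
    return hosts


def audit(hosts, known_macs):
    """Flag MACs not on the allowlist and MACs that answered for several IPs.

    A MAC answering for multiple IPs can be legitimate (a router holding
    several addresses) or a sign of ARP spoofing; either way it merits a look.
    """
    unknown = [(ip, mac) for ip, mac, _ in hosts if mac not in known_macs]
    by_mac = defaultdict(list)
    for ip, mac, _ in hosts:
        by_mac[mac].append(ip)
    duplicates = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return unknown, duplicates


if __name__ == "__main__":
    unknown, duplicates = audit(parse_arp_scan(SAMPLE_OUTPUT), KNOWN_MACS)
    for ip, mac in unknown:
        print(f"unknown device: {ip} {mac}")
    for mac, ips in duplicates.items():
        print(f"{mac} answers for {len(ips)} IPs: {', '.join(ips)}")
```

In a real job, replace SAMPLE_OUTPUT with the captured stdout of `sudo arp-scan --localnet` and feed the flagged entries to whatever alerting the monitoring script already uses.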