289
297
is a useful tool to quickly determine all the active IP hosts
290
298
on a given Ethernet network segment.
300
Where an option takes a value, that value is specified as a letter in
301
angle brackets. The letter indicates the type of data that is expected:
304
A character string, e.g. \--file=hostlist.txt.
307
An integer, which can be specified as a decimal number or as a hexadecimal
308
number if preceded with 0x, e.g. \--arppro=2048 or \--arpro=0x0800.
311
A floating point decimal number, e.g. \--backoff=1.5.
314
An Ethernet MAC address, which can be specified either in the format
315
01:23:45:67:89:ab, or as 01-23-45-67-89-ab. The alphabetic hex characters
316
may be either upper or lower case. E.g. \--arpsha=01:23:45:67:89:ab.
319
An IPv4 address, e.g. \--arpspa=10.0.0.1
322
Binary data specified as a hexadecimal string, which should not
323
include a leading 0x. The alphabetic hex characters may be either
324
upper or lower case. E.g. \--padding=aaaaaaaaaaaa
327
Something else. See the description of the option for details.
294
330
Display this usage message and exit.
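Review bot: The integer example in the new data-type text misspells the option as "\--arpro=0x0800", which is not an option this page defines. It should read "\--arppro=0x0800", matching "\--arppro=2048" on the same line and the --arppro entry further down.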
296
.B --file=<fn> or -f <fn>
332
.B \--file=<s> or \-f <s>
297
333
Read hostnames or addresses from the specified file
298
334
instead of from the command line. One name or IP
299
address per line. Use "-" for standard input.
335
address per line. Use "-" for standard input.
302
Generate addresses from network interface configuration
337
.B \--localnet or \-l
338
Generate addresses from network interface configuration.
303
339
Use the network interface IP address and network mask
304
340
to generate the list of target host addresses.
305
341
The list will include the network and broadcast
306
342
addresses, so an interface address of 10.0.0.1 with
307
343
netmask 255.255.255.0 would generate 256 target
308
344
hosts from 10.0.0.0 to 10.0.0.255 inclusive.
309
If you use this option, you cannot specify the --file
345
If you use this option, you cannot specify the \--file
310
346
option or specify any target hosts on the command line.
311
347
The interface specifications are taken from the
312
348
interface that arp-scan will use, which can be
313
changed with the --interface option.
315
.B --retry=<n> or -r <n>
316
Set total number of attempts per host to <n>,
319
.B --timeout=<n> or -t <n>
320
Set initial per host timeout to <n> ms, default=500.
349
changed with the \--interface option.
351
.B --retry=<i> or -r <i>
352
Set total number of attempts per host to <i>,
355
.B --timeout=<i> or -t <i>
356
Set initial per host timeout to <i> ms, default=100.
321
357
This timeout is for the first packet sent to each host.
322
358
subsequent timeouts are multiplied by the backoff
323
factor which is set with --backoff.
359
factor which is set with \--backoff.
325
.B --interval=<n> or -i <n>
326
Set minimum packet interval to <n> ms.
361
.B --interval=<x> or -i <x>
362
Set minimum packet interval to <x>.
327
363
This controls the outgoing bandwidth usage by limiting
328
the rate at which packets can be sent. The packet
364
the rate at which packets can be sent. The packet
329
365
interval will be no smaller than this number.
330
366
If you want to use up to a given bandwidth, then it is
331
easier to use the --bandwidth option instead.
367
easier to use the \--bandwidth option instead.
332
368
The interval specified is in milliseconds by default,
333
369
or in microseconds if "u" is appended to the value.
335
.B --bandwidth=<n> or -B <n>
336
Set desired outbound bandwidth to <n>, default=256000.
337
The value is in bits per second by default. If you
371
.B --bandwidth=<x> or -B <x>
372
Set desired outbound bandwidth to <x>, default=256000.
373
The value is in bits per second by default. If you
338
374
append "K" to the value, then the units are kilobits
339
375
per sec; and if you append "M" to the value, the
340
376
units are megabits per second.
341
377
The "K" and "M" suffixes represent the decimal, not
342
binary, multiples. So 64K is 64000, not 65536.
343
You cannot specify both --interval and --bandwidth
378
binary, multiples. So 64K is 64000, not 65536.
379
You cannot specify both \--interval and \--bandwidth
344
380
because they are just different ways to change the
381
same underlying parameter.
347
.B --backoff=<b> or -b <b>
348
Set timeout backoff factor to <b>, default=1.50.
383
.B --backoff=<f> or -b <f>
384
Set timeout backoff factor to <f>, default=1.50.
349
385
The per-host timeout is multiplied by this factor
350
after each timeout. So, if the number of retrys
386
after each timeout. So, if the number of retries
351
387
is 3, the initial per-host timeout is 500ms and the
352
388
backoff factor is 1.5, then the first timeout will be
353
389
500ms, the second 750ms and the third 1125ms.
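Review bot: The --backoff example in the unchanged lines still assumes an initial per-host timeout of 500ms, which was the old --timeout default. This change lowers that default to 100, so with default settings and the same backoff factor the timeouts are 100ms, 150ms and 225ms, not the 500ms, 750ms and 1125ms quoted. Either update the figures or state that the example assumes --timeout=500.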
366
411
Randomise the host list.
367
412
This option randomises the order of the hosts in the
368
413
host list, so the ARP packets are sent to the hosts in
369
a random order. It uses the Knuth shuffle algorithm.
414
a random order. It uses the Knuth shuffle algorithm.
371
416
.B --numeric or -N
372
417
IP addresses only, no hostnames.
373
418
With this option, all hosts must be specified as
374
IP addresses. Hostnames are not permitted.
419
IP addresses. Hostnames are not permitted. No DNS
420
lookups will be performed.
376
.B --snap=<s> or -n <s>
377
Set the pcap snap length to <s>. Default=64.
378
This specifies the frame capture length. This
422
.B --snap=<i> or -n <i>
423
Set the pcap snap length to <i>. Default=64.
424
This specifies the frame capture length. This
379
425
length includes the data-link header.
380
426
The default is normally sufficient.
382
.B --interface=<i> or -I <i>
383
Use network interface <i>.
384
If this option is not specified, the default is the
385
value of the RMIF environment variable. If RMIF is
386
not defined, then arp-scan will search the system
387
interface list for the lowest numbered, configured
388
up interface (excluding loopback).
428
.B --interface=<s> or -I <s>
429
Use network interface <s>.
430
If this option is not specified, arp-scan will search
431
the system interface list for the lowest numbered,
432
configured up interface (excluding loopback).
389
433
The interface specified must support ARP.
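Review bot: The new --interface text drops the RMIF environment variable fallback without saying whether the behaviour was removed or only its documentation. If the code no longer reads RMIF, that is a behaviour change for anyone who relied on it to pin the scanning interface and it deserves a changelog entry. If the code still reads it, the sentence should stay.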
392
436
Only display minimal output.
393
437
If this option is specified, then only the minimum
394
information is displayed. With this option, the
395
OUI file is not used.
438
information is displayed. With this option, the
439
OUI files are not used.
397
.B --ignoredups or -g
441
.B \--ignoredups or \-g
398
442
Don't display duplicate packets.
399
By default, duplicate packets are displayed
400
and are flagged with "(DUP: n)".
402
.B --ouifile=<o> or -O <o>
403
Use OUI file <o>, default=/usr/local/share/arp-scan/ieee-oui.txt
404
This file provides the Ethernet OUI to vendor string
407
.B --iabfile=<i> or -F <i>
408
Use IAB file <i>, default=/usr/local/share/arp-scan/ieee-iab.txt
443
By default, duplicate packets are displayed and are
444
flagged with "(DUP: n)".
446
.B \--ouifile=<s> or \-O <s>
447
Use OUI file <s>, default=/usr/local/share/arp-scan/ieee-oui.txt
448
This file provides the IEEE Ethernet OUI to vendor
451
.B --iabfile=<s> or -F <s>
452
Use IAB file <s>, default=/usr/local/share/arp-scan/ieee-iab.txt
409
453
This file provides the IEEE Ethernet IAB to vendor
412
.B --macfile=<m> or -m <m>
413
Use MAC/Vendor file <m>, default=/usr/local/share/arp-scan/mac-vendor.txt
456
.B --macfile=<s> or -m <s>
457
Use MAC/Vendor file <s>, default=/usr/local/share/arp-scan/mac-vendor.txt
414
458
This file provides the custom Ethernet MAC to vendor
417
461
.B --srcaddr=<m> or -S <m>
418
462
Set the source Ethernet MAC address to <m>.
419
463
This sets the 48-bit hardware address in the Ethernet
420
frame header for outgoing ARP packets. It does not
464
frame header for outgoing ARP packets. It does not
421
465
change the hardware address in the ARP packet, see
422
--arpsha for details on how to change that address.
466
\--arpsha for details on how to change that address.
423
467
The default is the Ethernet address of the outgoing
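Review bot: Hyphen escaping is inconsistent across the option headers in this region: ".B \--ignoredups or \-g" and ".B \--ouifile=<s> or \-O <s>" use "\-", while the new ".B --iabfile=<s> or -F <s>" and ".B --macfile=<s> or -m <s>" lines and the unchanged --srcaddr header do not. In roff an unescaped "-" can be typeset as a typographic hyphen, so an option copied from the rendered page may not paste as ASCII. Escape the option names in every .B line the same way.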
450
490
The default is zero, because this field is not used
451
491
for ARP request packets.
453
.B --prototype=<p> or -y <p>
454
Set the Ethernet protocol type to <p>, default=0x0806.
493
.B --prototype=<i> or -y <i>
494
Set the Ethernet protocol type to <i>, default=0x0806.
455
495
This sets the 16-bit protocol type field in the
456
496
Ethernet frame header.
457
497
Setting this to a non-default value will result in the
458
packet being ignored by the target, or send to the
498
packet being ignored by the target, or sent to the
459
499
wrong protocol stack.
460
This option is probably not useful, and is only
461
present for completeness.
463
.B --arphrd=<o> or -H <o>
464
Use <o> for the ARP hardware type, default=1.
501
.B --arphrd=<i> or -H <i>
502
Use <i> for the ARP hardware type, default=1.
465
503
This sets the 16-bit ar$hrd field in the ARP packet.
466
The normal value is 1 (ARPHRD_ETHER). Most, but not
504
The normal value is 1 (ARPHRD_ETHER). Most, but not
467
505
all, operating systems will also respond to 6
468
506
(ARPHRD_IEEE802). A few systems respond to any value.
470
.B --arppro=<o> or -p <o>
471
Use <o> for the ARP protocol type, default=0x0800.
508
.B --arppro=<i> or -p <i>
509
Use <i> for the ARP protocol type, default=0x0800.
472
510
This sets the 16-bit ar$pro field in the ARP packet.
473
511
Most operating systems only respond to 0x0800 (IPv4)
474
512
but some will respond to other values as well.
476
.B --arphln=<l> or -a <l>
477
Set the hardware address length to <l>, default=6.
514
.B --arphln=<i> or -a <i>
515
Set the hardware address length to <i>, default=6.
478
516
This sets the 8-bit ar$hln field in the ARP packet.
479
517
It sets the claimed length of the hardware address
480
in the ARP packet. Setting it to any value other than
518
in the ARP packet. Setting it to any value other than
481
519
the default will make the packet non RFC compliant.
482
520
Some operating systems may still respond to it though.
483
521
Note that the actual lengths of the ar$sha and ar$tha
484
522
fields in the ARP packet are not changed by this
485
523
option; it only changes the ar$hln field.
487
.B --arppln=<l> or -P <l>
488
Set the protocol address length to <l>, default=4.
525
.B --arppln=<i> or -P <i>
526
Set the protocol address length to <i>, default=4.
489
527
This sets the 8-bit ar$pln field in the ARP packet.
490
528
It sets the claimed length of the protocol address
491
in the ARP packet. Setting it to any value other than
529
in the ARP packet. Setting it to any value other than
492
530
the default will make the packet non RFC compliant.
493
531
Some operating systems may still respond to it though.
494
532
Note that the actual lengths of the ar$spa and ar$tpa
495
533
fields in the ARP packet are not changed by this
496
534
option; it only changes the ar$pln field.
498
.B --arpop=<o> or -o <o>
499
Use <o> for the ARP operation, default=1.
536
.B --arpop=<i> or -o <i>
537
Use <i> for the ARP operation, default=1.
500
538
This sets the 16-bit ar$op field in the ARP packet.
501
539
Most operating systems will only respond to the value 1
502
540
(ARPOP_REQUEST). However, some systems will respond
503
541
to other values as well.
505
.B --arpspa=<s> or -s <s>
506
Use <s> as the source IP address.
543
.B --arpspa=<a> or -s <a>
544
Use <a> as the source IP address.
507
545
The address should be specified in dotted quad format;
508
or the string "dest", which sets the source address
509
to be the same as the target host address.
546
or the literal string "dest", which sets the source
547
address to be the same as the target host address.
510
548
This sets the 32-bit ar$spa field in the ARP packet.
511
549
Some operating systems check this, and will only
512
550
respond if the source address is within the network
513
of the receiving interface. Others don't care, and
551
of the receiving interface. Others don't care, and
514
552
will respond to any source address.
515
553
By default, the outgoing interface address is used.
555
WARNING: Setting ar$spa to the destination IP address
556
can disrupt some operating systems, as they assume
557
there is an IP address clash if they receive an ARP
558
request for their own address.
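Review bot: The new WARNING describes the hazard in terms of the ar$spa field but never names the option value that triggers it. A reader skimming the entry will not necessarily connect it with the literal string "dest" introduced earlier. Say "--arpspa=dest" in the warning itself, and consider placing it directly after the sentence that introduces "dest".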
517
.B --padding=<p> or -A <p>
560
.B --padding=<h> or -A <h>
518
561
Specify padding after packet data.
519
Set the padding data to hex value <p>. This data is
562
Set the padding data to hex value <h>. This data is
520
563
appended to the end of the ARP packet, after the data.
521
564
Most, if not all, operating systems will ignore any
522
Padding. The default is no padding, although the
565
padding. The default is no padding, although the
523
566
Ethernet driver on the sending system may pad the
524
567
packet to the minimum Ethernet frame length.
570
Use RFC 1042 LLC framing with SNAP.
571
This option causes the outgoing ARP packets to use
572
IEEE 802.2 framing with a SNAP header as described
573
in RFC 1042. The default is to use Ethernet-II
575
arp-scan will decode and display received ARP packets
576
in either Ethernet-II or IEEE 802.2 formats
577
irrespective of this option.
579
.B --vlan=<i> or -Q <i>
580
Use 802.1Q tagging with VLAN id <i>.
581
This option causes the outgoing ARP packets to use
582
802.1Q VLAN tagging with a VLAN ID of <i>, which should
583
be in the range 0 to 4095 inclusive.
584
arp-scan will always decode and display received ARP
585
packets in 802.1Q format irrespective of this option.
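Review bot: The documented VLAN id range of 0 to 4095 includes the two values that 802.1Q reserves: 0 marks a priority-tagged frame with no VLAN membership, and 4095 is reserved. The entry should either say what arp-scan sends when given those values or narrow the documented range to 1 to 4094.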
587
.B --pcapsavefile=<s> or -W <s>
588
Write received packets to pcap savefile <s>.
589
This option causes received ARP responses to be written
590
to the specified pcap savefile as well as being decoded
591
and displayed. This savefile can be analysed with
592
programs that understand the pcap file format, such as
593
"tcpdump" and "wireshark".
527
596
.I /usr/local/share/arp-scan/ieee-oui.txt
528
List of IEEE OUI (Organizationally Unique Identifier) to vendor mappings.
597
List of IEEE OUI (Organisationally Unique Identifier) to vendor mappings.
530
599
.I /usr/local/share/arp-scan/ieee-iab.txt
531
600
List of IEEE IAB (Individual Address Block) to vendor mappings.
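Review bot: In the ieee-oui.txt description this change respells "Organizationally Unique Identifier" as "Organisationally". OUI is an IEEE term and its expansion is a proper name spelled with a "z", so the original spelling should be kept here even though the rest of the page uses British spelling.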