Find all hosts in your local network using this fast ARP scanner

The CLI is written in Rust and provides a minimal scanner that finds all hosts using the ARP protocol

ARP scanner CLI

Inspired by the awesome arp-scan project.

✔ Minimal Rust binary & fast ARP scans

✔ Scan customization (ARP, timings, interface, DNS, ...)

✔ MAC vendor search

✔ JSON & YAML exports

✔ Pre-defined scan profiles (default, fast, stealth & chaos)

Examples

Start by listing all network interfaces on the host.

# List all network interfaces
$ arp-scan -l

lo                   ✔ UP      00:00:00:00:00:00    127.0.0.1/8
enp3s0f0             ✔ UP      4f:6e:cd:78:bb:5a    
enp4s0               ✖ DOWN    d0:c5:e9:40:00:4a    
wlp1s0               ✔ UP      d2:71:d8:29:a8:72    192.168.1.21/24
docker0              ✔ UP      49:fd:cd:60:73:77    172.17.0.1/16
br-fa6dc54a91ee      ✔ UP      61:ab:c1:a7:50:79    172.18.0.1/16

Found 6 network interfaces, 5 seems up for ARP scan
Default network interface will be wlp1s0

Perform a default ARP scan on the local network with safe defaults.

# Perform a scan on the default network interface
$ arp-scan

Selected interface wlp1s0 with IP 192.168.1.21/24
Estimated scan time 2068ms (10752 bytes, 14000 bytes/s)
Sending 256 ARP requests (waiting at least 800ms, 0ms request interval)

| IPv4            | MAC               | Hostname     | Vendor       |
|-----------------|-------------------|--------------|--------------|
| 192.168.1.1     | 91:10:fb:30:06:04 | router.home  | Vendor, Inc. |
| 192.168.1.11    | 45:2e:99:bc:22:b6 | host-a.home  |              |
| 192.168.1.15    | bc:03:c2:92:47:df | host-b.home  | Vendor, Inc. |
| 192.168.1.18    | 8d:eb:56:17:b8:e1 | host-c.home  | Vendor, Inc. |
| 192.168.1.34    | 35:e0:6c:1e:e3:fe |              | Vendor, Inc. |

ARP scan finished, 5 hosts found in 1.623 seconds
7 packets received, 5 ARP packets filtered

Getting started

Download the arp-scan binary for Linux (Ubuntu, Fedora, Debian, ...). See the releases page for other binaries.

wget -O arp-scan https://github.com/Saluki/arp-scan-rs/releases/download/v0.10.0/arp-scan-v0.10.0-x86_64-unknown-linux-musl && chmod +x ./arp-scan

List all available network interfaces.

./arp-scan -l

Launch a scan on interface wlp1s0.

./arp-scan -i wlp1s0

Increase the minimum scan timeout to 5 seconds (by default, 2 seconds).

./arp-scan -i wlp1s0 -t 5s

Perform an ARP scan on the default network interface, with VLAN 45 and JSON output.

./arp-scan -Q 45 -o json

Options

Get help -h

Display the main help message with all commands and available ARP scan options.

List interfaces -l

List all available network interfaces. Using this option will only print a list of interfaces and exit the process.

Select scan profile -p stealth

A scan profile groups together a set of ARP scan options to perform a specific scan. The scan profiles are listed below:

  • default : default option, this is enabled if the -p option is not used
  • fast : fast ARP scans, the results may be less accurate
  • stealth : slower scans that minimize the network impact
  • chaos : randomly-selected values for the ARP scan

Select interface -i eth0

Perform a scan on the network interface eth0. The first valid IPv4 network on this interface will be used as scan target. By default, the first network interface with an up status and a valid IPv4 will be selected.

Set global scan timeout -t 15s

Enforce a timeout of at least 15 seconds. This timeout is a minimum value (scans may take a little more time). Default value is 2000ms.

Change ARP request interval -I 30ms

By default, a 10ms gap will be set between ARP requests to avoid an ARP storm on the network. This value can be changed to reduce or increase the milliseconds between each ARP request.

Numeric mode -n

Switch to numeric mode. This will skip the local hostname resolution process and will only display IP addresses.

Host retry count -r 3

Send 3 ARP requests to the targets (retry count). By default, a single ARP request will be sent to each host.

Change source IPv4 -S 192.168.1.130

Change or force the IPv4 address sent as source in the broadcasted ARP packets. By default, a valid IPv4 address on the network interface will be used. This option may be useful for isolated hosts and security checks.

Change destination MAC -M 55:44:33:22:11:00

Change or force the MAC address sent as destination in the ARP request. By default, a broadcast destination (00:00:00:00:00:00) will be set.

Change source MAC -M 11:24:71:29:21:76

Change or force the MAC address sent as source in the ARP request. By default, the network interface MAC will be used.

Randomize target list -R

Randomize the IPv4 target list before sending ARP requests. By default, all ARP requests are sent in ascending order by IPv4 address.

Use custom MAC OUI file --oui-file ./my-file.csv

Use a custom OUI MAC file. The default path is /usr/share/arp-scan/ieee-oui.csv.

Set VLAN ID -Q 42

Add an 802.1Q field to the Ethernet frame. This field contains the given VLAN ID for outgoing ARP requests. By default, the Ethernet frame is sent without 802.1Q fields (no VLAN).

Customize ARP operation ID --arp-op 1

Change the ARP protocol operation field. This can cause scan failure.

Customize ARP hardware type --hw-type 1

Change the ARP hardware type field. This can cause scan failure.

Customize ARP hardware address length --hw-addr 6

Change the ARP hardware address length field. This can cause scan failure.

Customize ARP protocol type --proto-type 2048

Change the ARP protocol type field. This can cause scan failure.

Customize ARP protocol address length --proto-addr 4

Change the ARP protocol address length field. This can cause scan failure.
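
To show what the ARP and VLAN options above change on the wire, here is an added example (not code from arp-scan-rs) that lays out one ARP request frame byte by byte. The type and function names are hypothetical, and the broadcast Ethernet destination and zeroed target hardware address are the conventional request layout, assumed here rather than taken from the project.

```rust
// Added example, not code from arp-scan-rs. Names are hypothetical.

/// ARP header fields, one per customization option listed above.
struct ArpFields {
    hw_type: u16,    // --hw-type 1       (Ethernet)
    proto_type: u16, // --proto-type 2048 (0x0800, IPv4)
    hw_addr: u8,     // --hw-addr 6       (MAC length in bytes)
    proto_addr: u8,  // --proto-addr 4    (IPv4 length in bytes)
    arp_op: u16,     // --arp-op 1        (request)
}

const DEFAULTS: ArpFields =
    ArpFields { hw_type: 1, proto_type: 2048, hw_addr: 6, proto_addr: 4, arp_op: 1 };

/// Build one ARP request frame; `vlan` adds the 802.1Q tag described under -Q.
fn build_request(f: &ArpFields, src_mac: [u8; 6], src_ip: [u8; 4],
                 target_ip: [u8; 4], vlan: Option<u16>) -> Vec<u8> {
    let mut frame = Vec::with_capacity(46);
    frame.extend_from_slice(&[0xff; 6]); // Ethernet destination: broadcast (assumed)
    frame.extend_from_slice(&src_mac);   // Ethernet source
    if let Some(id) = vlan {
        frame.extend_from_slice(&0x8100u16.to_be_bytes());     // 802.1Q TPID
        frame.extend_from_slice(&(id & 0x0fff).to_be_bytes()); // priority 0, 12-bit VLAN ID
    }
    frame.extend_from_slice(&0x0806u16.to_be_bytes()); // EtherType: ARP
    frame.extend_from_slice(&f.hw_type.to_be_bytes());
    frame.extend_from_slice(&f.proto_type.to_be_bytes());
    frame.push(f.hw_addr);
    frame.push(f.proto_addr);
    frame.extend_from_slice(&f.arp_op.to_be_bytes());
    frame.extend_from_slice(&src_mac);   // sender hardware address
    frame.extend_from_slice(&src_ip);    // sender protocol address (-S)
    frame.extend_from_slice(&[0u8; 6]);  // target hardware address: unknown (assumed zeros)
    frame.extend_from_slice(&target_ip); // target protocol address
    frame
}

/// Frame for the sample interface wlp1s0 asking for 192.168.1.1.
fn sample_frame(vlan: Option<u16>) -> Vec<u8> {
    let mac = [0xd2, 0x71, 0xd8, 0x29, 0xa8, 0x72];
    build_request(&DEFAULTS, mac, [192, 168, 1, 21], [192, 168, 1, 1], vlan)
}

fn main() {
    let plain = sample_frame(None);
    let tagged = sample_frame(Some(45));
    println!("untagged: {} bytes, 256 hosts: {} bytes", plain.len(), 256 * plain.len());
    println!("VLAN 45:  {} bytes, tag {:02x?}", tagged.len(), &tagged[12..16]);
}
```

An untagged frame is 42 bytes, so 256 of them come to 10752 bytes, the byte count shown in the sample scan output earlier on this page.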

Set output format -o json

Set the output format to either plain (a full-text output with tables), json or yaml.

Show version --version

Display the ARP scan CLI version and exit the process.

Roadmap & features

The features below will be shipped in the next releases of the project.

  • Make ARP scans faster
    • with a per-host retry approach
    • by closing the response thread faster - released in 0.8.0
  • Scan profiles (standard, attacker, light, ...) - released in 0.10.0
  • Complete VLAN support
  • Exports (JSON & YAML) - released in 0.7.0
  • Full ARP packet customization (Ethernet protocol, ARP operation, ...) - released in 0.10.0
  • Time estimations & bandwidth - released in 0.10.0
  • MAC vendor lookup in the results - released in 0.9.0
  • Fine-grained scan timings (interval) - released in 0.8.0
  • Wide network range support & partial results on SIGINT
  • Read network targets from file
  • Adding advanced packet options (padding, LLC, ...)
  • Enable bandwidth control (exclusive with interval)
  • Stronger profile defaults (chaos & stealth)

Contributing

Feel free to suggest an improvement, report a bug, or ask something: https://github.com/saluki/arp-scan-rs/issues

Versions


v0.13.0 - Dec 10, 2021

New features

  • Support wide network ranges to scan without exhausting memory

Fixes & small improvements

  • Moving to Rust edition 2021
  • Better OUI documentation
  • Reduce pause time after a CTRL+C interruption

v0.12.0 - Nov 08, 2021

New features

  • Export scan results to CSV with -o csv
  • New scan bandwidth control --bandwidth 1000
  • Provide network targets with -n 192.168.1.1,192.168.2.0/24
  • Read network targets from a file -f targets.txt

Fixes & small improvements

  • Enhanced CLI display for empty scan results & partial scans
  • Estimated scan time is now human-friendly (12m)

v0.11.0 - Sep 22, 2021

New features

  • Allow partial scans using CTRL+C interruptions
  • CLI results table is now responsive (no text overflows)

Fixes & small improvements

  • Color usage for network interface listing
  • Fixing network interface listing bug (using "ready" and not "up")

v0.10.0 - Jun 20, 2021

New features

  • Customize ARP packet details (hardware field, address length, ..)
  • Profile types with scan configuration presets (stealth, fast, random, ...)
  • Scan estimations (bytes sent & estimated duration)

Fixes & small improvements

  • Fixing bugs in the time parser

v0.9.0 - Jun 12, 2021

New features

  • MAC vendor search process (find each vendor associated with an address)
  • Use a custom OUI CSV file path with --oui-file
  • Allow human-friendly time units as arguments (2000ms, 5s or 1h)

Fixes & small improvements

  • Code cleaning with clippy findings
  • Enhanced space in the result table

v0.8.0 - May 30, 2021

New features

  • Specify milliseconds interval between requests with the --interval option
  • Improved timings, scans will not be blocked if no packets are received

Fixes & small improvements

  • The timeout duration is now only triggered after the last ARP request

v0.7.0 - May 27, 2021

New features

  • JSON output format
  • YAML output format

Fixes & small improvements

  • Security fix on the serde_yaml crate

v0.6.0 - May 24, 2021

New features

  • Randomize the target list with --random option
  • New glibc build available (only musl before)
  • Send multiple ARP requests with the retry count option
  • Scan summary (timing, packet analytics & host count)

v0.5.0 - May 21, 2021

New features

  • Network interface auto-discovery
  • VLAN tagging for outgoing ARP requests

v0.4.0 - May 19, 2021

New features

  • Force ARP request source IPv4 (scan option)
  • Force ARP request destination MAC address (scan option)
  • Reduced global scan timeout to 2 seconds

v0.3.0 - May 17, 2021

New features

  • List network interface
  • Local hostname resolution
  • Numeric mode (no DNS resolve)

Fixes & small improvements

  • Improved result display (IP network count)
  • Scan timeout limit (5 hours)

v0.2.0 - May 12, 2021

v0.1.0 - May 06, 2021

Information - Updated Mar 24, 2022

Stars: 12
Forks: 4
Issues: 0
