ARP

The ARP table is a local cache that maps IP addresses to MAC addresses for hosts on the local subnet.

Example Commands

Show the arp table:

arp -a

Add entry

arp -s <ip-address> <mac-address>

Delete Entry

arp -d <ip-address>
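The ARP cache is also worth inspecting rather than only managing, because a poisoned entry looks exactly like a legitimate one. The following script is an added example, not part of the original notes: it parses the Linux `arp -a` line format and flags two things a defender cares about, a single MAC answering for several IPs and an IP whose MAC changed between two snapshots. The sample output, addresses and MACs are constructed for the example.

```python
"""Parse `arp -a` output and flag entries that deserve a second look.

Added example, not part of the original notes. SAMPLE_ARP_A is a constructed
imitation of the Linux `arp -a` format; all IPs and MACs in it are made up.
"""
import re
import subprocess
from collections import defaultdict

# Linux `arp -a` line: "? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0"
# Unresolved entries look like: "? (192.168.1.77) at <incomplete> on eth0"
ARP_LINE = re.compile(
    r"^\S+\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-fA-F:]{17}|<incomplete>)"
    r"(?:\s+\[(?P<type>\w+)\])?\s+on\s+(?P<iface>\S+)"
)

# Constructed sample: .1 and .30 share a MAC, .77 never resolved.
SAMPLE_ARP_A = """\
? (192.168.1.1) at aa:bb:cc:00:00:01 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:00:00:20 [ether] on eth0
? (192.168.1.30) at aa:bb:cc:00:00:01 [ether] on eth0
? (192.168.1.77) at <incomplete> on eth0
"""


def parse_arp_table(text):
    """Return {ip: mac} for complete entries; <incomplete> entries are dropped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m or m.group("mac") == "<incomplete>":
            continue
        table[m.group("ip")] = m.group("mac").lower()
    return table


def shared_macs(table):
    """MACs claimed by more than one IP.

    Legitimate for a router with several addresses or for VRRP, but the
    gateway MAC suddenly answering for other hosts is the classic ARP
    spoofing symptom, so it is worth surfacing for review.
    """
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_macs(before, after):
    """IPs whose MAC differs between two snapshots of the cache."""
    return {
        ip: (before[ip], after[ip])
        for ip in before.keys() & after.keys()
        if before[ip] != after[ip]
    }


def live_arp_table():
    """Read the real cache from `arp -a`; returns {} if arp is not installed."""
    try:
        out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return {}
    return parse_arp_table(out.stdout)


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_A)
    for mac, ips in shared_macs(table).items():
        print(f"{mac} answers for {', '.join(ips)}")
```

Run it periodically and feed consecutive `live_arp_table()` results into `changed_macs()`; a MAC change for the default gateway in particular should be investigated rather than assumed to be a hardware swap.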

ARP Scan

An ARP scan works even if you don't have an IP address on the network. Often, if you want to connect to a network manually, you can bring the interface up, then run an arp-scan to determine which IP addresses are already in use. To find the range to scan, you could use Wireshark or tcpdump to observe the IP addresses of devices on the network.

You can only use an ARP scan on your local network segment. If you are looking to identify hosts on a different network segment, you will have to use something like an nmap ping scan.

Over a VPN

ARP is a layer 2 protocol. OpenVPN works on layer 3, meaning that you can't normally run an ARP scan over a VPN.

However, it does somehow work if you are running it in a VM and your host is connected to the VPN. You can also do it if you run it from a Docker container in bridge mode. I am not sure how this works.

sudo docker run --net=bridge irasnyd/arpscan
sudo docker exec -it <container_id> /bin/bash

This image might not be the best. It is probably worth creating one for this purpose.

Examples

Scan the current local network:

arp-scan --localnet # same as arp-scan -l

Scan the current local network on interface:

arp-scan -l -I eth0

Scan an IP network with a custom bitmask:

arp-scan 192.168.1.1/24

Scan an IP network within a custom range:

arp-scan 127.0.0.0-127.0.0.31

Scan an IP network with a custom net mask:

arp-scan 10.0.0.0:255.255.255.0
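Raw arp-scan output is more useful once it is compared against what you expect to be on the segment. The script below is an added example, not part of the original notes or of the arp-scan project: it parses arp-scan's tab-separated result lines, lists responders whose MAC is not in a known-host inventory, and reports which addresses in the scanned range did not answer. The scan output, addresses, MACs and the KNOWN_HOSTS inventory are all constructed for the example.

```python
"""Turn arp-scan output into an inventory check.

Added example, not part of the original notes. SCAN_OUTPUT is a constructed
imitation of arp-scan's "IP<TAB>MAC<TAB>vendor" result lines, with made-up
header/footer lines and addresses; KNOWN_HOSTS is likewise made up.
"""
import ipaddress
import re

SCAN_OUTPUT = """\
Interface: eth0, type: EN10MB, MAC: aa:bb:cc:00:00:ff, IPv4: 192.168.1.250
Starting arp-scan with 256 hosts
192.168.1.1\taa:bb:cc:00:00:01\tExampleVendor
192.168.1.20\taa:bb:cc:00:00:20\tExampleVendor
192.168.1.31\taa:bb:cc:00:00:31\tUnknown
Ending arp-scan: 256 hosts scanned
"""

# Constructed asset inventory: MAC -> friendly name
KNOWN_HOSTS = {
    "aa:bb:cc:00:00:01": "gateway",
    "aa:bb:cc:00:00:20": "printer",
}

# Only result lines have the IP<TAB>MAC<TAB>vendor shape; headers are skipped.
RESULT_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\t(?P<mac>[0-9a-fA-F:]{17})\t(?P<vendor>.*)$"
)


def parse_arp_scan(text):
    """Return {ip: (mac, vendor)} for every result line in arp-scan output."""
    hosts = {}
    for line in text.splitlines():
        m = RESULT_LINE.match(line)
        if m:
            hosts[m.group("ip")] = (m.group("mac").lower(), m.group("vendor"))
    return hosts


def unknown_devices(hosts, inventory):
    """Responders whose MAC is absent from the inventory: {ip: mac}."""
    return {ip: mac for ip, (mac, _) in hosts.items() if mac not in inventory}


def silent_addresses(hosts, cidr):
    """Host addresses in cidr that did not answer the scan, in address order.

    No answer means no ARP reply right now, not that the address is unused:
    a powered-off device with a static address will show up here too.
    """
    used = {ipaddress.ip_address(ip) for ip in hosts}
    return [str(a) for a in ipaddress.ip_network(cidr).hosts() if a not in used]


if __name__ == "__main__":
    found = parse_arp_scan(SCAN_OUTPUT)
    for ip, mac in unknown_devices(found, KNOWN_HOSTS).items():
        print(f"unknown device {mac} at {ip}")
    print(f"{len(silent_addresses(found, '192.168.1.0/24'))} addresses did not answer")
```

Pipe a real run in with `sudo arp-scan -l | python3 script.py` after swapping `SCAN_OUTPUT` for `sys.stdin.read()`, and keep the inventory under version control so that a new MAC on the segment shows up as a diff rather than going unnoticed.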

Tags

  • Enumeration
  • Network Protocol