macOSでarp-scanコマンドを使ってRaspberry Piのipを調べる
Linuxではデフォルトでインストールされているarp-scanコマンド。
macOSで利用する場合は、Homebrewでインストールしましょう。
brew install arp-scan
インストールできました。
ラズパイにsshする時に必要になるipアドレスを調べてみましょう。
sudo arp-scan -l
Password:
Interface: en0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.100.1 00:a0:de:6a:ac:51 YAMAHA CORPORATION
192.168.100.2 f0:99:bf:04:35:98 Apple, Inc.
192.168.100.3 f0:99:bf:04:35:98 Apple, Inc.
192.168.100.4 00:b3:62:dc:f9:91 (Unknown)
192.168.100.20 00:22:cf:fa:57:b3 PLANEX COMMUNICATIONS INC.
192.168.100.6 dc:ef:ca:89:91:d6 (Unknown)
192.168.100.9 d8:00:4d:ee:5c:7d Apple, Inc.
192.168.100.12 60:f8:1d:be:e2:ac Apple, Inc.
192.168.100.15 78:88:6d:c3:86:58 (Unknown)
518 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 1.851 seconds (138.30 hosts/sec). 10 responded
ラズパイにはPLANEXの無線LAN子機をつけているので、今回の場合は192.168.100.20になります。
ssh [email protected]
arp-scan便利ですね。
しかし、Apple製品多いな…
manをはっておこう…
man arp-scan
ARP-SCAN(1) ARP-SCAN(1)
NNAAMMEE
arp-scan - The ARP scanner
SSYYNNOOPPSSIISS
aarrpp--ssccaann [_o_p_t_i_o_n_s] [_h_o_s_t_s...]
Target hosts must be specified on the command line unless the ----ffiillee
option is given, in which case the targets are read from the specified
file instead, or the ----llooccaallnneett option is used, in which case the tar-
gets are generated from the network interface IP address and netmask.
You will need to be root, or aarrpp--ssccaann must be SUID root, in order to
run aarrpp--ssccaann, because the functions that it uses to read and write
packets require root privilege.
The target hosts can be specified as IP addresses or hostnames. You
can also specify the target as IIPPnneettwwoorrkk//bbiittss (e.g. 192.168.1.0/24) to
specify all hosts in the given network (network and broadcast addresses
included), IIPPssttaarrtt--IIPPeenndd (e.g. 192.168.1.3-192.168.1.27) to specify all
hosts in the inclusive range, or IIPPnneettwwoorrkk::NNeettMMaasskk (e.g.
192.168.1.0:255.255.255.0) to specify all hosts in the given network
and mask.
DDEESSCCRRIIPPTTIIOONN
aarrpp--ssccaann sends ARP packets to hosts on the local network and displays
any responses that are received. The network interface to use can be
specified with the ----iinntteerrffaaccee option. If this option is not present,
aarrpp--ssccaann will search the system interface list for the lowest numbered,
configured up interface (excluding loopback). By default, the ARP
packets are sent to the Ethernet broadcast address, ff:ff:ff:ff:ff:ff,
but that can be changed with the ----ddeessttaaddddrr option.
The target hosts to scan may be specified in one of three ways: by
specifying the targets on the command line; by specifying a file con-
taining the targets with the ----ffiillee option; or by specifying the
----llooccaallnneett option which causes all possible hosts on the network
attached to the interface (as defined by the interface address and
mask) to be scanned. For hosts specified on the command line, or with
the ----ffiillee option, you can use either IP addresses or hostnames. You
can also use network specifications IIPPnneettwwoorrkk//bbiittss, IIPPssttaarrtt--IIPPeenndd, or
IIPPnneettwwoorrkk::NNeettMMaasskk.
The list of target hosts is stored in memory. Each host in this list
uses 28 bytes of memory, so scanning a Class-B network (65,536 hosts)
requires about 1.75MB of memory for the list, and scanning a Class-A
(16,777,216 hosts) requires about 448MB.
aarrpp--ssccaann supports Ethernet and 802.11 wireless networks. It could also
support token ring and FDDI, but they have not been tested. It does not
support serial links such as PPP or SLIP, because ARP is not supported
on them.
The ARP protocol is a layer-2 (datalink layer) protocol that is used to
determine a host's layer-2 address given its layer-3 (network layer)
address. ARP was designed to work with any layer-2 and layer-3 address
format, but the most common use is to map IP addresses to Ethernet
hardware addresses, and this is what aarrpp--ssccaann supports. ARP only oper-
ates on the local network, and cannot be routed. Although the ARP pro-
tocol makes use of IP addresses, it is not an IP-based protocol and
aarrpp--ssccaann can be used on an interface that is not configured for IP.
ARP is only used by IPv4 hosts. IPv6 uses NDP (neighbour discovery pro-
tocol) instead, which is a different protocol and is not supported by
aarrpp--ssccaann.
One ARP packet is sent for each for each target host, with the target
protocol address (the ar$tpa field) set to the IP address of this host.
If a host does not respond, then the ARP packet will be re-sent once
more. The maximum number of retries can be changed with the ----rreettrryy
option. Reducing the number of retries will reduce the scanning time
at the possible risk of missing some results due to packet loss.
You can specify the bandwidth that aarrpp--ssccaann will use for the outgoing
ARP packets with the ----bbaannddwwiiddtthh option. By default, it uses a band-
width of 256000 bits per second. Increasing the bandwidth will reduce
the scanning time, but setting the bandwidth too high may result in an
ARP storm which can disrupt network operation. Also, setting the band-
width too high can send packets faster than the network interface can
transmit them, which will eventually fill the kernel's transmit buffer
resulting in the error message: _N_o _b_u_f_f_e_r _s_p_a_c_e _a_v_a_i_l_a_b_l_e. Another way
to specify the outgoing ARP packet rate is with the ----iinntteerrvvaall option,
which is an alternative way to modify the same underlying parameter.
The time taken to perform a single-pass scan (i.e. with ----rreettrryy==11) is
given by:
time = n*i + t + o
Where _n is the number of hosts in the list, _i is the time interval
between packets (specified with ----iinntteerrvvaall, or calculated from ----bbaanndd--
wwiiddtthh), _t is the timeout value (specified with ----ttiimmeeoouutt) and _o is the
overhead time taken to load the targets into the list and read the
MAC/Vendor mapping files. For small lists of hosts, the timeout value
will dominate, but for large lists the packet interval is the most
important value.
With 65,536 hosts, the default bandwidth of 256,000 bits/second (which
results in a packet interval of 2ms), the default timeout of 500ms, and
a single pass ( ----rreettrryy==11), and assuming an overhead of 1 second, the
scan would take 65536*0.002 + 0.5 + 1 = 132.57 seconds, or about 2 min-
utes 13 seconds.
Any part of the outgoing ARP packet may be modified through the use of
the various ----aarrppXXXXXX options. The use of some of these options may
make the outgoing ARP packet non RFC compliant. Different operating
systems handle the various non standard ARP packets in different ways,
and this may be used to fingerprint these systems. See aarrpp--ffiinnggeerr--
pprriinntt(1) for information about a script which uses these options to
fingerprint the target operating system.
The table below summarises the options that change the outgoing ARP
packet. In this table, the _F_i_e_l_d column gives the ARP packet field name
from RFC 826, _B_i_t_s specifies the number of bits in the field, _O_p_t_i_o_n
shows the aarrpp--ssccaann option to modify this field, and _N_o_t_e_s gives the
default value and any other notes.
+---------------------------------------------------------------+
| OOuuttggooiinngg AARRPP PPaacckkeett OOppttiioonnss |
+-------+------+----------+-------------------------------------+
|FFiieelldd | BBiittss | OOppttiioonn | NNootteess |
+-------+------+----------+-------------------------------------+
|ar$hrd | 16 | --arphrd | Default is 1 (ARPHRD_ETHER) |
|ar$pro | 16 | --arppro | Default is 0x0800 |
|ar$hln | 8 | --arphln | Default is 6 (ETH_ALEN) |
|ar$pln | 8 | --arppln | Default is 4 (IPv4) |
|ar$op | 16 | --arpop | Default is 1 (ARPOP_REQUEST) |
|ar$sha | 48 | --arpsha | Default is interface h/w address |
|ar$spa | 32 | --arpspa | Default is interface IP address |
|ar$tha | 48 | --arptha | Default is zero (00:00:00:00:00:00) |
|ar$tpa | 32 | None | Set to the target host IP address |
+-------+------+----------+-------------------------------------+
The most commonly used outgoing ARP packet option is ----aarrppssppaa, which
sets the source IP address in the ARP packet. This option allows the
outgoing ARP packet to use a different source IP address from the out-
going interface address. With this option it is possible to use aarrpp--
ssccaann on an interface with no IP address configured, which can be useful
if you want to ensure that the testing host does not interact with the
network being tested.
WWaarrnniinngg:: SSeettttiinngg aarr$$ssppaa ttoo tthhee ddeessttiinnaattiioonn IIPP aaddddrreessss ccaann ddiissrruupptt ssoommee
ooppeerraattiinngg ssyysstteemmss,, aass tthheeyy aassssuummee tthheerree iiss aann IIPP aaddddrreessss ccllaasshh iiff tthheeyy
rreecceeiivvee aann AARRPP rreeqquueesstt ffoorr tthheeiirr oowwnn aaddddrreessss..
It is also possible to change the values in the Ethernet frame header
that precedes the ARP packet in the outgoing packets. The table below
summarises the options that change values in the Ethernet frame header.
+-------------------------------------------------------------------+
| OOuuttggooiinngg EEtthheerrnneett FFrraammee OOppttiioonnss |
+---------------+------+-------------+------------------------------+
|FFiieelldd | BBiittss | OOppttiioonn | NNootteess |
+---------------+------+-------------+------------------------------+
|Dest Address | 48 | --destaddr | Default is ff:ff:ff:ff:ff:ff |
|Source Address | 48 | --srcaddr | Default is interface address |
|Protocol Type | 16 | --prototype | Default is 0x0806 |
+---------------+------+-------------+------------------------------+
The most commonly used outgoing Ethernet frame option is ----ddeessttaaddddrr,
which sets the destination Ethernet address for the ARP packet. ----pprroo--
ttoottyyppee is not often used, because it will cause the packet to be inter-
preted as a different Ethernet protocol.
Any ARP responses that are received are displayed in the following for-
mat:
<IP Address> <Hardware Address> <Vendor Details>
Where IIPP AAddddrreessss is the IP address of the responding target, HHaarrddwwaarree
AAddddrreessss is its Ethernet hardware address (also known as the MAC
address) and VVeennddoorr DDeettaaiillss are the vendor details, decoded from the
hardware address. The output fields are separated by a single tab
character.
The responses are displayed in the order they are received, which is
not always the same order as the requests were sent because some hosts
may respond faster than others.
The vendor decoding uses the files _i_e_e_e_-_o_u_i_._t_x_t, _i_e_e_e_-_i_a_b_._t_x_t and _m_a_c_-
_v_e_n_d_o_r_._t_x_t, which are supplied with aarrpp--ssccaann. The _i_e_e_e_-_o_u_i_._t_x_t and
_i_e_e_e_-_i_a_b_._t_x_t files are generated from the OUI and IAB data on the IEEE
website at _h_t_t_p_:_/_/_s_t_a_n_d_a_r_d_s_-_o_u_i_._i_e_e_e_._o_r_g_/_o_u_i_/_o_u_i_._t_x_t and _h_t_t_p_:_/_/_s_t_a_n_-
_d_a_r_d_s_._i_e_e_e_._o_r_g_/_r_e_g_a_u_t_h_/_o_u_i_/_i_a_b_._t_x_t. The Perl scripts ggeett--oouuii and ggeett--
iiaabb, which are included in the aarrpp--ssccaann package, can be used to update
these files with the latest data from the IEEE website. The _m_a_c_-_v_e_n_-
_d_o_r_._t_x_t file contains other MAC to Vendor mappings that are not covered
by the IEEE OUI and IAB files, and can be used to add custom mappings.
Almost all hosts that support IP will respond to aarrpp--ssccaann if they
receive an ARP packet with the target protocol address (ar$tpa) set to
their IP address. This includes firewalls and other hosts with IP fil-
tering that drop all IP traffic from the testing system. For this rea-
son, aarrpp--ssccaann is a useful tool to quickly determine all the active IP
hosts on a given Ethernet network segment.
OOPPTTIIOONNSS
Where an option takes a value, that value is specified as a letter in
angle brackets. The letter indicates the type of data that is expected:
<<ss>> A character string, e.g. --file=hostlist.txt.
<<ii>> An integer, which can be specified as a decimal number or as a
hexadecimal number if preceeded with 0x, e.g. --arppro=2048 or
--arpro=0x0800.
<<ff>> A floating point decimal number, e.g. --backoff=1.5.
<<mm>> An Ethernet MAC address, which can be specified either in the
format 01:23:45:67:89:ab, or as 01-23-45-67-89-ab. The alpha-
betic hex characters may be either upper or lower case. E.g.
--arpsha=01:23:45:67:89:ab.
<<aa>> An IPv4 address, e.g. --arpspa=10.0.0.1
<<hh>> Binary data specified as a hexadecimal string, which should not
include a leading 0x. The alphabetic hex characters may be
either upper or lower case. E.g. --padding=aaaaaaaaaaaa
<<xx>> Something else. See the description of the option for details.
----hheellpp oorr --hh
Display this usage message and exit.
----ffiillee==<<ss>> oorr --ff <<ss>>
Read hostnames or addresses from the specified file instead of
from the command line. One name or IP address per line. Use "-"
for standard input.
----llooccaallnneett oorr --ll
Generate addresses from network interface configuration. Use
the network interface IP address and network mask to generate
the list of target host addresses. The list will include the
network and broadcast addresses, so an interface address of
10.0.0.1 with netmask 255.255.255.0 would generate 256 target
hosts from 10.0.0.0 to 10.0.0.255 inclusive. If you use this
option, you cannot specify the --file option or specify any tar-
get hosts on the command line. The interface specifications are
taken from the interface that arp-scan will use, which can be
changed with the --interface option.
----rreettrryy==<<ii>> oorr --rr <<ii>>
Set total number of attempts per host to <i>, default=2.
----ttiimmeeoouutt==<<ii>> oorr --tt <<ii>>
Set initial per host timeout to <i> ms, default=500. This time-
out is for the first packet sent to each host. subsequent time-
outs are multiplied by the backoff factor which is set with
--backoff.
----iinntteerrvvaall==<<xx>> oorr --ii <<xx>>
Set minimum packet interval to <x>. This controls the outgoing
bandwidth usage by limiting the rate at which packets can be
sent. The packet interval will be no smaller than this number.
If you want to use up to a given bandwidth, then it is easier to
use the --bandwidth option instead. The interval specified is
in milliseconds by default, or in microseconds if "u" is
appended to the value.
----bbaannddwwiiddtthh==<<xx>> oorr --BB <<xx>>
Set desired outbound bandwidth to <x>, default=256000. The
value is in bits per second by default. If you append "K" to the
value, then the units are kilobits per sec; and if you append
"M" to the value, the units are megabits per second. The "K"
and "M" suffixes represent the decimal, not binary, multiples.
So 64K is 64000, not 65536. You cannot specify both --interval
and --bandwidth because they are just different ways to change
the same underlying parameter.
----bbaacckkooffff==<<ff>> oorr --bb <<ff>>
Set timeout backoff factor to <f>, default=1.50. The per-host
timeout is multiplied by this factor after each timeout. So, if
the number of retries is 3, the initial per-host timeout is
500ms and the backoff factor is 1.5, then the first timeout will
be 500ms, the second 750ms and the third 1125ms.
----vveerrbboossee oorr --vv
Display verbose progress messages. Use more than once for
greater effect:
1 - Display the network address and mask used when the --local-
net option is specified, display any nonzero packet padding,
display packets received from unknown hosts, and show when each
pass through the list completes.
2 - Show each packet sent and received, when entries are removed
from the list, the pcap filter string, and counts of MAC/Vendor
mapping entries.
3 - Display the host list before scanning starts.
----vveerrssiioonn oorr --VV
Display program version and exit.
----rraannddoomm oorr --RR
Randomise the host list. This option randomises the order of
the hosts in the host list, so the ARP packets are sent to the
hosts in a random order. It uses the Knuth shuffle algorithm.
----rraannddoommsseeeedd==<<ii>>
Use <i> to seed the pseudo random number generator. This option
seeds the PRNG with the specified number, which can be useful if
you want to ensure that the random host list is reproducable. By
default, the PRNG is seeded with an unpredictable value. This
option is only effective in conjunction with the --random (-R)
option.
----nnuummeerriicc oorr --NN
IP addresses only, no hostnames. With this option, all hosts
must be specified as IP addresses. Hostnames are not permitted.
No DNS lookups will be performed.
----ssnnaapp==<<ii>> oorr --nn <<ii>>
Set the pcap snap length to <i>. Default=64. This specifies the
frame capture length. This length includes the data-link header.
The default is normally sufficient.
----iinntteerrffaaccee==<<ss>> oorr --II <<ss>>
Use network interface <s>. If this option is not specified,
arp-scan will search the system interface list for the lowest
numbered, configured up interface (excluding loopback). The
interface specified must support ARP.
----qquuiieett oorr --qq
Only display minimal output. No protocol decoding. If this
option is specified, then only the IP address and MAC address
are displayed for each responding host. No protocol decoding is
performed and the OUI mapping files are not used.
----ppllaaiinn oorr --xx
Display plain output showing only responding hosts. This option
supresses the printing of the header and footer text, and only
displays one line for each responding host. Useful if the output
will be parsed by a script.
----iiggnnoorreedduuppss oorr --gg
Don't display duplicate packets. By default, duplicate packets
are displayed and are flagged with "(DUP: n)".
----oouuiiffiillee==<<ss>> oorr --OO <<ss>>
Use IEEE Ethernet OUI to vendor mapping file <s>. If this
option is not specified, the default filename is ieee-oui.txt in
the current directory. If that is not found, then the file
/usr/local/share/arp-scan/ieee-oui.txt is used.
----iiaabbffiillee==<<ss>> oorr --OO <<ss>>
Use IEEE Ethernet IAB to vendor mapping file <s>. If this
option is not specified, the default filename is ieee-iab.txt in
the current directory. If that is not found, then the file
/usr/local/share/arp-scan/ieee-iab.txt is used.
----mmaaccffiillee==<<ss>> oorr --OO <<ss>>
Use custom Ethernet MAC to vendor mapping file <s>. If this
option is not specified, the default filename is mac-vendor.txt
in the current directory. If that is not found, then the file
/usr/local/share/arp-scan/mac-vendor.txt is used.
----ssrrccaaddddrr==<<mm>> oorr --SS <<mm>>
Set the source Ethernet MAC address to <m>. This sets the
48-bit hardware address in the Ethernet frame header for outgo-
ing ARP packets. It does not change the hardware address in the
ARP packet, see --arpsha for details on how to change that
address. The default is the Ethernet address of the outgoing
interface.
----ddeessttaaddddrr==<<mm>> oorr --TT <<mm>>
Send the packets to Ethernet MAC address <m> This sets the
48-bit destination address in the Ethernet frame header. The
default is the broadcast address ff:ff:ff:ff:ff:ff. Most oper-
ating systems will also respond if the ARP request is sent to
their MAC address, or to a multicast address that they are lis-
tening on.
----aarrppsshhaa==<<mm>> oorr --uu <<mm>>
Use <m> as the ARP source Ethernet address This sets the 48-bit
ar$sha field in the ARP packet It does not change the hardware
address in the frame header, see --srcaddr for details on how to
change that address. The default is the Ethernet address of the
outgoing interface.
----aarrpptthhaa==<<mm>> oorr --ww <<mm>>
Use <m> as the ARP target Ethernet address This sets the 48-bit
ar$tha field in the ARP packet The default is zero, because this
field is not used for ARP request packets.
----pprroottoottyyppee==<<ii>> oorr --yy <<ii>>
Set the Ethernet protocol type to <i>, default=0x0806. This
sets the 16-bit protocol type field in the Ethernet frame
header. Setting this to a non-default value will result in the
packet being ignored by the target, or sent to the wrong proto-
col stack.
----aarrpphhrrdd==<<ii>> oorr --HH <<ii>>
Use <i> for the ARP hardware type, default=1. This sets the
16-bit ar$hrd field in the ARP packet. The normal value is 1
(ARPHRD_ETHER). Most, but not all, operating systems will also
respond to 6 (ARPHRD_IEEE802). A few systems respond to any
value.
----aarrpppprroo==<<ii>> oorr --pp <<ii>>
Use <i> for the ARP protocol type, default=0x0800. This sets
the 16-bit ar$pro field in the ARP packet. Most operating sys-
tems only respond to 0x0800 (IPv4) but some will respond to
other values as well.
----aarrpphhllnn==<<ii>> oorr --aa <<ii>>
Set the hardware address length to <i>, default=6. This sets
the 8-bit ar$hln field in the ARP packet. It sets the claimed
length of the hardware address in the ARP packet. Setting it to
any value other than the default will make the packet non RFC
compliant. Some operating systems may still respond to it
though. Note that the actual lengths of the ar$sha and ar$tha
fields in the ARP packet are not changed by this option; it only
changes the ar$hln field.
----aarrppppllnn==<<ii>> oorr --PP <<ii>>
Set the protocol address length to <i>, default=4. This sets
the 8-bit ar$pln field in the ARP packet. It sets the claimed
length of the protocol address in the ARP packet. Setting it to
any value other than the default will make the packet non RFC
compliant. Some operating systems may still respond to it
though. Note that the actual lengths of the ar$spa and ar$tpa
fields in the ARP packet are not changed by this option; it only
changes the ar$pln field.
----aarrppoopp==<<ii>> oorr --oo <<ii>>
Use <i> for the ARP operation, default=1. This sets the 16-bit
ar$op field in the ARP packet. Most operating systems will only
respond to the value 1 (ARPOP_REQUEST). However, some systems
will respond to other values as well.
----aarrppssppaa==<<aa>> oorr --ss <<aa>>
Use <a> as the source IP address. The address should be speci-
fied in dotted quad format; or the literal string "dest", which
sets the source address to be the same as the target host
address. This sets the 32-bit ar$spa field in the ARP packet.
Some operating systems check this, and will only respond if the
source address is within the network of the receiving interface.
Others don't care, and will respond to any source address. By
default, the outgoing interface address is used.
WARNING: Setting ar$spa to the destination IP address can dis-
rupt some operating systems, as they assume there is an IP
address clash if they receive an ARP request for their own
address.
----ppaaddddiinngg==<<hh>> oorr --AA <<hh>>
Specify padding after packet data. Set the padding data to hex
value <h>. This data is appended to the end of the ARP packet,
after the data. Most, if not all, operating systems will ignore
any padding. The default is no padding, although the Ethernet
driver on the sending system may pad the packet to the minimum
Ethernet frame length.
----llllcc oorr --LL
Use RFC 1042 LLC framing with SNAP. This option causes the out-
going ARP packets to use IEEE 802.2 framing with a SNAP header
as described in RFC 1042. The default is to use Ethernet-II
framing. arp-scan will decode and display received ARP packets
in either Ethernet-II or IEEE 802.2 formats irrespective of this
option.
----vvllaann==<<ii>> oorr --QQ <<ii>>
Use 802.1Q tagging with VLAN id <i>. This option causes the
outgoing ARP packets to use 802.1Q VLAN tagging with a VLAN ID
of <i>, which should be in the range 0 to 4095 inclusive. arp-
scan will always decode and display received ARP packets in
802.1Q format irrespective of this option.
----ppccaappssaavveeffiillee==<<ss>> oorr --WW <<ss>>
Write received packets to pcap savefile <s>. This option causes
received ARP responses to be written to the specified pcap save-
file as well as being decoded and displayed. This savefile can
be analysed with programs that understand the pcap file format,
such as "tcpdump" and "wireshark".
----rrtttt oorr --DD
Display the packet round-trip time.
FFIILLEESS
_/_u_s_r_/_l_o_c_a_l_/_s_h_a_r_e_/_a_r_p_-_s_c_a_n_/_i_e_e_e_-_o_u_i_._t_x_t
List of IEEE OUI (Organisationally Unique Identifier) to vendor
mappings.
_/_u_s_r_/_l_o_c_a_l_/_s_h_a_r_e_/_a_r_p_-_s_c_a_n_/_i_e_e_e_-_i_a_b_._t_x_t
List of IEEE IAB (Individual Address Block) to vendor mappings.
_/_u_s_r_/_l_o_c_a_l_/_s_h_a_r_e_/_a_r_p_-_s_c_a_n_/_m_a_c_-_v_e_n_d_o_r_._t_x_t
List of other Ethernet MAC to vendor mappings.
EEXXAAMMPPLLEESS
The example below shows aarrpp--ssccaann being used to scan the network
_1_9_2_._1_6_8_._0_._0_/_2_4 using the network interface _e_t_h_0.
$ arp-scan --interface=eth0 192.168.0.0/24
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.4 with 256 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
192.168.0.1 00:c0:9f:09:b8:db QUANTA COMPUTER, INC.
192.168.0.3 00:02:b3:bb:66:98 Intel Corporation
192.168.0.5 00:02:a5:90:c3:e6 Compaq Computer Corporation
192.168.0.6 00:c0:9f:0b:91:d1 QUANTA COMPUTER, INC.
192.168.0.12 00:02:b3:46:0d:4c Intel Corporation
192.168.0.13 00:02:a5:de:c2:17 Compaq Computer Corporation
192.168.0.87 00:0b:db:b2:fa:60 Dell ESG PCBA Test
192.168.0.90 00:02:b3:06:d7:9b Intel Corporation
192.168.0.105 00:13:72:09:ad:76 Dell Inc.
192.168.0.153 00:10:db:26:4d:52 Juniper Networks, Inc.
192.168.0.191 00:01:e6:57:8b:68 Hewlett-Packard Company
192.168.0.251 00:04:27:6a:5d:a1 Cisco Systems, Inc.
192.168.0.196 00:30:c1:5e:58:7d HEWLETT-PACKARD
13 packets received by filter, 0 packets dropped by kernel
Ending arp-scan: 256 hosts scanned in 3.386 seconds (75.61 hosts/sec). 13 responded
This next example shows aarrpp--ssccaann being used to scan the local network
after configuring the network interface with DHCP using _p_u_m_p.
# pump
# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:D0:B7:0B:DD:C7
inet addr:10.0.84.178 Bcast:10.0.84.183 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46335 errors:0 dropped:0 overruns:0 frame:0
TX packets:1542776 errors:0 dropped:0 overruns:0 carrier:0
collisions:1644 txqueuelen:1000
RX bytes:6184146 (5.8 MiB) TX bytes:348887835 (332.7 MiB)
# arp-scan --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.4 with 8 hosts (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
10.0.84.179 00:02:b3:63:c7:57 Intel Corporation
10.0.84.177 00:d0:41:08:be:e8 AMIGO TECHNOLOGY CO., LTD.
10.0.84.180 00:02:b3:bd:82:9b Intel Corporation
10.0.84.181 00:02:b3:1f:73:da Intel Corporation
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.4: 8 hosts scanned in 0.820 seconds (9.76 hosts/sec). 4 responded
AAUUTTHHOORR
Roy Hills <[email protected]>
SSEEEE AALLSSOO
ggeett--oouuii(1)
ggeett--iiaabb(1)
aarrpp--ffiinnggeerrpprriinntt(1)
RRFFCC 882266 - An Ethernet Address Resolution Protocol
_h_t_t_p_:_/_/_w_w_w_._n_t_a_-_m_o_n_i_t_o_r_._c_o_m_/_w_i_k_i_/ The arp-scan wiki page.
_h_t_t_p_s_:_/_/_g_i_t_h_u_b_._c_o_m_/_r_o_y_h_i_l_l_s_/_a_r_p_-_s_c_a_n The arp-scan homepage.
August 13, 2016 ARP-SCAN(1)