You often need to know which devices are connected to your network: for example, when you want to connect to one of your PCs but do not know its address, when you want to check whether your network is secure, or when you want to find all hidden devices. ARP scanning finds all connected devices, including hidden ones.
ARP (Address Resolution Protocol) is a protocol used in computer networks for communication between network nodes. It is used to map the IP addresses of network devices to their physical MAC addresses. When a node on a network wants to send data to another node, it uses ARP to determine the MAC address of the recipient based on its IP address.
In Linux, the ARP table is stored in RAM and contains matches between the IP addresses and MAC addresses of other devices on the network. You can view the contents of the ARP table in Linux by using the arp -a command. Linux provides tools to perform ARP operations, such as adding static ARP entries or clearing the ARP cache. ARP is an important element in the operation of TCP/IP networks and plays a crucial role in communication between devices on a local network.
Every computer on a network has an IP address - everyone knows that. Have you ever wondered which computer is assigned a specific address? There are different kinds of networks: wired, wireless, PPP. In each of them, the hardware address of a machine has a different format, which depends on the design features of the local network.
It is actually very simple. To find the physical address that belongs to an IP address, there is ARP, the address resolution protocol. When a computer enters the network, it sends a request to the other PCs, asking "Who has the IP address XXX.XXX.X.X?". The request does not go unanswered, but the answer looks a little different: "I do, my address is xx:xx:xx:xx:xx:xx". That is, a physical address is sent in response. This address is entered into a special table.
The format of ARP messages is extremely simple. A message carries either a request with an IP address or a response. The size of the message depends on the protocol (IPv4 or IPv6) and on the type of network equipment. The message header specifies the types and sizes of the addresses, and ends with a message code: 1 for a request, 2 for a response. The message body contains four addresses: the hardware and network addresses of the sender and of the receiver.
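The layout just described, decoded in Python. This is an added example, not code from the original article: the function name parse_arp and both sample messages are constructed for illustration, and the 10.0.1.x addresses and 02:... MAC addresses are made up.

```python
import ipaddress
import struct

OPCODES = {1: "request", 2: "reply"}  # the message code that ends the header

# Constructed sample messages (not captured traffic): host 10.0.1.5 asks for
# 10.0.1.1, and 10.0.1.1 answers. The 02:... MACs are made-up local addresses.
SAMPLE_REQUEST = bytes.fromhex(
    "0001080006040001" "020000000005" "0a000105" "000000000000" "0a000101")
SAMPLE_REPLY = bytes.fromhex(
    "0001080006040002" "020000000001" "0a000101" "020000000005" "0a000105")


def parse_arp(payload: bytes) -> dict:
    """Decode one ARP message (the Ethernet payload, without the frame header)."""
    if len(payload) < 8:
        raise ValueError("truncated ARP header")
    # Header: hardware type, protocol type, both address sizes, operation code.
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    need = 8 + 2 * (hlen + plen)
    if len(payload) < need:
        raise ValueError(f"truncated ARP body: need {need} bytes, got {len(payload)}")
    # Body: sender hardware, sender network, target hardware, target network.
    parts, pos = [], 8
    for size in (hlen, plen, hlen, plen):
        parts.append(payload[pos:pos + size])
        pos += size
    sha, spa, tha, tpa = parts

    def mac(raw: bytes) -> str:
        return ":".join(f"{b:02x}" for b in raw)

    def net(raw: bytes) -> str:
        # Protocol type 0x0800 is IPv4; anything else is shown as raw hex.
        if ptype == 0x0800 and plen == 4:
            return str(ipaddress.IPv4Address(raw))
        return raw.hex()

    return {
        "hardware_type": htype,
        "operation": OPCODES.get(oper, f"unknown({oper})"),
        "sender_mac": mac(sha), "sender_ip": net(spa),
        "target_mac": mac(tha), "target_ip": net(tpa),
    }


if __name__ == "__main__":
    for msg in (SAMPLE_REQUEST, SAMPLE_REPLY):
        print(parse_arp(msg))
```

In the request the target hardware address is all zeros because it is not yet known; the reply fills it in and swaps the sender and target roles.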
The ARP Scan utility, also called MAC Scanner, is a handy, functional tool for scanning a LAN from Linux using ARP. The program displays the IPv4 addresses of network devices. A peculiarity of ARP is that it does not involve routing, so this type of scanning is suitable only for local networks. The program detects active devices; computers cannot hide from ARP. If a computer needs to be detected outside the local network, ping scanning is used.
Network Scanner is available for the following OS:
To install it, run:
$ sudo apt install arp-scan
With this program you can find all active computers, both in wired Ethernet networks and in wireless Wi-Fi networks. It also supports Token Ring and FDDI. PPP and SLIP connections are not supported, as there is no ARP in them. You should run the utility with superuser rights.
First, find out the name of the network interface using the ip program:
$ ip addr list
Here it is enp24s0. The easiest way to run an ARP scan and go through every PC connected to the network is to run the program with these parameters:
$ sudo arp-scan --interface=enp24s0 --localnet
The --interface parameter specifies the interface to scan on, and --localnet tells the program to try all possible IP addresses of the current network.
If you omit the first parameter, the program will search for nodes on the interface with the lowest number in the system. In our case this is enp24s0.
Instead of the --localnet parameter, you can specify the network mask:
$ sudo arp-scan --interface=enp24s0 10.0.1.0/24
ARP is also suitable if the interface does not have its own IP address. In this case, the outgoing address is 0.0.0.0. But not all systems will respond to such a request. Therefore, in this situation, the scanner will be ineffective.
There are several reasons why ARP may not work properly on a network. Some of the most common problems include:
To diagnose and troubleshoot ARP problems, it is recommended to check network hardware settings, analyze IP addressing configuration, and use tools to monitor and analyze network traffic.