
ARP scanning of a Linux LAN

04.11.2022, 15:00

There is often a need to know which devices are connected to the network: you want to connect to one of the PCs and are not sure of its address, you want to check whether anything unexpected has joined your network, or you want to find devices that do not show up in the usual ways. ARP scanning identifies every active IPv4 device on the local segment, including ones that ignore ping.

Scanning with ARP

Every host on an IP network has an IP address - everyone knows that. But which physical machine is behind a given address? Networks come in different kinds - wired Ethernet, wireless, PPP - and in each of them the hardware address of a computer has its own format, determined by the link-layer technology.

Let's explain; it is really very simple. ARP, the Address Resolution Protocol, maps an IP address to a hardware (MAC) address. When a host needs to reach a neighbour whose MAC it does not yet know, it broadcasts a request to the whole segment: "Who has the IP address XXX.XXX.X.X?" The host that owns that address answers, and the reply looks somewhat different: "XXX.XXX.X.X is at xx:xx:xx:xx:xx:xx". That is, the hardware address comes back in the reply, and the requester stores the pair in its ARP cache (on Linux you can see it with ip neigh).

The ARP message format is simple. A message is either a request carrying an IP address or a reply. Its size depends on the address lengths of the link and network layers, which are given in the header: hardware type (1 for Ethernet), protocol type (0x0800 for IPv4), hardware address length and protocol address length. The header ends with the operation code: 1 for a request, 2 for a reply. The body carries four addresses: the hardware and network addresses of the sender and of the target. For Ethernet and IPv4 the whole message is 28 bytes. IPv6 does not use ARP at all (it resolves neighbours with NDP), so ARP scanning only finds IPv4 hosts.
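The request and reply described above, as an added example in Python (not code from the article or from arp-scan): it builds an ARP request, shows how the owner of the address answers, and parses either message back into its fields. The MAC and IP addresses are constructed sample values; the probe() function at the end sends a real request on a Linux interface and needs root, everything else runs offline.

```python
"""Build, parse and answer ARP messages (IPv4 over Ethernet).

Added example for this article; not code from the article or from arp-scan.
Field layout follows RFC 826. All MAC and IP addresses below are constructed
sample values. probe() sends a real request and needs Linux plus root
(CAP_NET_RAW); everything else runs offline.
"""
import select
import socket
import struct
import time

ETH_P_ARP = 0x0806                  # EtherType for ARP in the Ethernet header
HTYPE_ETHERNET = 1                  # hardware type field: Ethernet
PTYPE_IPV4 = 0x0800                 # protocol type field: IPv4
ARP_REQUEST = 1                     # opcode 1: "who has <target IP>?"
ARP_REPLY = 2                       # opcode 2: "<sender IP> is at <sender MAC>"
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, op, then the 4 addresses
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes for Ethernet/IPv4


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_ip, target_mac=ZERO_MAC):
    """Return a 42-byte Ethernet frame carrying one ARP message.

    A request is sent to the broadcast MAC and leaves the target MAC zeroed
    (that is the unknown the request asks for); a reply is unicast straight
    back to the requester's MAC.
    """
    eth_dst = BROADCAST if opcode == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode a frame into its ARP fields; None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 14 + ARP_LEN:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[14:14 + ARP_LEN])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None  # ARP for another link or network type; not handled here
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def answer(request_frame, my_mac, my_ip):
    """The receiving side: reply only if the request asks for our own IP."""
    req = parse_arp(request_frame)
    if req is None or req["op"] != ARP_REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, req["sender_ip"], req["sender_mac"])


def probe(interface, my_mac, my_ip, target_ip, timeout=1.0):
    """Send one request on a Linux interface and wait for the reply (needs root).

    This is what arp-scan does once per address in the range. Returns the
    responding MAC, or None if nothing answered within the timeout.
    """
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((interface, 0))
    s.send(build_arp(ARP_REQUEST, my_mac, my_ip, target_ip))
    deadline = time.monotonic() + timeout
    while (left := deadline - time.monotonic()) > 0:
        if select.select([s], [], [], left)[0]:
            rep = parse_arp(s.recv(2048))
            if rep and rep["op"] == ARP_REPLY and rep["sender_ip"] == target_ip:
                return rep["sender_mac"]
    return None


if __name__ == "__main__":
    # Offline walk-through of the exchange with constructed addresses.
    req = build_arp(ARP_REQUEST, "02:00:00:00:00:01", "10.0.1.5", "10.0.1.20")
    rep = answer(req, "02:00:00:00:00:02", "10.0.1.20")
    print("request:", parse_arp(req))
    print("reply:  ", parse_arp(rep))
```

Note that answer() is silent for any address other than its own: that is the only reason a scan produces one reply per live host rather than a flood, and it is also why a host that answers for an address it does not own stands out in a capture.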

Installing the utility

The arp-scan utility (sometimes described as a MAC scanner) is a convenient, functional tool for scanning a Linux LAN with ARP. It lists the IPv4 addresses of network devices together with their MAC addresses and, where the OUI is known, the vendor of the network card. The peculiarity of ARP is that it is not routed: this kind of scan only covers the local network segment the interface is attached to. Every active IPv4 host on the segment must answer ARP in order to communicate at all, so a host firewall that drops ICMP does not hide it from arp-scan. To detect computers outside the local network, a ping scan is used instead.

The network scanner is packaged for the following distributions:

Debian;

Ubuntu;

Fedora;

RedHat;

Gentoo;

ArchLinux.

To install on Debian or Ubuntu, we will do:

$ sudo apt install arp-scan

Scanning

With the program you can find all active computers on wired Ethernet networks and on wireless Wi-Fi networks. Token Ring and FDDI are also supported. PPP and SLIP links are not, since those point-to-point protocols have no ARP. The utility sends raw Ethernet frames, so it must be run as root (or with the CAP_NET_RAW capability).

First, find the name of the network interface using the ip program:

$ ip addr list

Here we see enp24s0. The simplest scan with arp-scan lists every host connected to the network; run the program with these parameters:

$ sudo arp-scan --interface=enp24s0 --localnet

The --interface parameter sets the interface to scan from, and --localnet tells arp-scan to generate every address of the network that interface is configured for, derived from its IP address and netmask.

If we omit the first parameter, the program picks the lowest-numbered interface that is up and configured, excluding loopback. In our case that is enp24s0.

Instead of --localnet you can give the target network explicitly in CIDR notation:

$ sudo arp-scan --interface=enp24s0 10.0.1.0/24

arp-scan also works when the interface has no IP address of its own. In that case it uses 0.0.0.0 as the sender address in its requests (the sender address can also be set explicitly with --arpspa). Not every system answers a request from 0.0.0.0, so in this situation the scanner may miss hosts.
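An added example (not code from the article or from arp-scan) that does what the introduction asks for: take arp-scan's output, compare it with a list of known devices, and flag unknown MACs, addresses claimed by more than one MAC, and expected devices that did not answer. The scan output and inventory below are constructed for the example in the shape of arp-scan's default tab-separated output; the addresses, vendor strings and device names are invented.

```python
"""Audit arp-scan output against an inventory of known devices.

Added example; not code from the article or from arp-scan. SAMPLE_OUTPUT is
constructed in the shape of arp-scan's default tab-separated output
(IP, MAC, vendor); the addresses, vendor strings and inventory are invented.
"""
import re
from collections import defaultdict

# One result line: IPv4 address, MAC, then the vendor column (which may be
# followed by arp-scan's "(DUP: n)" marker when an IP answered more than once).
RESULT_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})[ \t]+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})[ \t]+(.*)$")

SAMPLE_OUTPUT = """\
Interface: enp24s0, type: EN10MB, MAC: 02:00:00:00:00:01, IPv4: 10.0.1.5
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.1.1\t02:00:00:00:00:aa\t(Unknown)
10.0.1.20\t02:00:00:00:00:02\t(Unknown)
10.0.1.20\t02:00:00:00:00:99\t(Unknown) (DUP: 2)
10.0.1.37\t02:00:00:00:00:0c\t(Unknown: locally administered)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.967 seconds (130.15 hosts/sec). 4 responded
"""

# Constructed inventory: MAC -> name of a device we expect on this segment.
KNOWN = {
    "02:00:00:00:00:aa": "router",
    "02:00:00:00:00:02": "fileserver",
    "02:00:00:00:00:0b": "printer",
}


def parse_scan(text):
    """Return (ip, mac, vendor) tuples from arp-scan output, skipping banners."""
    hosts = []
    for line in text.splitlines():
        m = RESULT_LINE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2).lower(), m.group(3)))
    return hosts


def audit(hosts, known):
    """Compare scan results with the inventory.

    unknown:   responders whose MAC is not in the inventory (new or rogue device)
    conflicts: one IP answered by two different MACs (misconfiguration, or a
               host answering ARP for an address that is not its own); a DUP
               from the same MAC is just a repeated reply and is not a conflict
    missing:   inventory devices that did not answer (powered off, or moved)
    """
    seen = {mac for _, mac, _ in hosts}
    by_ip = defaultdict(set)
    for ip, mac, _ in hosts:
        by_ip[ip].add(mac)
    return {
        "unknown": sorted((ip, mac) for ip, mac, _ in hosts if mac not in known),
        "conflicts": {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1},
        "missing": sorted(name for mac, name in known.items() if mac not in seen),
    }


if __name__ == "__main__":
    import sys
    # Pipe a real scan in (sudo arp-scan --localnet | python3 audit.py), or run
    # with no input to see the result on the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for key, value in audit(parse_scan(text), KNOWN).items():
        print(f"{key}: {value}")
```

A conflict is the finding worth acting on first: two different MACs answering for the same IP is exactly what ARP spoofing looks like from the scanner's side, although a stale lease or a cloned VM produces the same picture, so confirm on the switch before assuming the worst. A missing device only means it did not answer this run; since a host cannot refuse ARP while it is on the segment, it is either off or no longer on this segment.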