
arp-scan's Introduction

arp-scan



About

arp-scan is a network scanning tool that uses the ARP protocol to discover and fingerprint IPv4 hosts on the local network. It is available for Linux, BSD, macOS and Solaris under the GPLv3 licence.

This is README.md for arp-scan version 1.10.1-git.

Installation

Building and Installing from Source

arp-scan uses the GNU automake and autoconf tools. The installation process from the latest github source is:

  • git clone https://github.com/royhills/arp-scan.git to obtain the latest source code.
  • cd arp-scan to enter the source code directory.
  • autoreconf --install to generate a configure file (if you don't have autoreconf you can download a tarball instead as detailed below).
  • ./configure to create a makefile for your system (see configuration options below).
  • make to build the project.
  • Optionally make check to verify that everything works as expected.
  • make install to install (you'll need to be root or use sudo/doas for this part).

You will need these development tools and libraries:

  • GNU automake and autoconf (if you don't have these, you can download the latest tarball which includes configure instead: arp-scan-1.10.0.tar.gz). Note that this might not be as up to date as the latest github development version.
  • The make utility (tested with BSD make and GNU make).
  • A C compiler (tested on gcc and clang, should work on any C compiler that supports C99).
  • Libraries and include files for libpcap version 1.5 or later. All modern distros have a binary package, some split the package into libpcap runtime and libpcap-dev or libpcap-devel development packages, in which case you need to install the development version to build.
  • libcap to build with POSIX.1e capabilities support on Linux. Most Linux distros come with runtime support by default and have a development package available. Linux has capabilities support since kernel version 2.6.24.

To run the Perl scripts arp-fingerprint and get-oui, you will also need the perl interpreter and the perl modules LWP::UserAgent and Text::CSV.

You can pass options to configure to control the build process. Run ./configure --help for a list of options. arp-scan has one package-specific configure option:

  • --with-libcap[=auto/yes/no] Build with libcap POSIX.1e capabilities support [default=auto]

    With auto, configure will enable capability support if the libcap library and headers are installed. Specifying --with-libcap will enable support and --without-libcap will disable it.

arp-scan is known to build and run on:

  • Linux (should work on any distribution and all architectures).
  • FreeBSD
  • OpenBSD
  • NetBSD
  • DragonflyBSD
  • macOS
  • Solaris 10 (there are known problems with Solaris 11. If anyone cares please comment on issue #31).

It should be possible to build arp-scan on any OS that libpcap supports. If your OS supports libpcap but configure gives the error "configure: error: Host operating system your-os-name is not supported", please open an issue to request porting to your OS.

Installing from a Binary Package

Many distributions provide binary packages for arp-scan. These won't be as up to date as the latest source on github and may not be as up to date as the latest release, but they are more convenient and will be kept up to date by the package manager. So using a binary package is often a good choice if you don't need the latest features.

If you have installed a binary package and wonder if there are useful new features on github, use arp-scan --version to check the version you have then see the NEWS and ChangeLog files on github for details of what's changed.

The details on how to install an arp-scan binary package depend on your distribution.

Installing from a BSD Port

If you are using a BSD operating system you may have the option of installing from a source ports collection as well as from a binary package.

Ports automate the building and installation of source code and manage updates like a binary package, while still giving the flexibility of installing from source. A source port won't be as up to date as the latest github code, but it might sometimes be more up to date than the corresponding binary package.

The details on how to install an arp-scan source port depend on your distribution.

Documentation

For usage information use:

arp-scan --help

For detailed information, see the manual pages: arp-scan(1), arp-fingerprint(1), get-oui(1) and mac-vendor(5).

See the arp-scan wiki at https://github.com/royhills/arp-scan/wiki

See CONTRIBUTING.md if you are interested in contributing to arp-scan. If you think you have found a security vulnerability, please see SECURITY.md.

Notes for Package Maintainers

  • Please raise a github issue or create a pull request if you have any local patches that could be applicable upstream.
  • If you are building on Linux, please build with libcap POSIX.1e capabilities support if you can. You may need to install the libcap development headers as well as the libpcap development headers before running configure.
  • Note that Makefile.am contains an install-exec-hook that will install arp-scan with CAP_NET_RAW capabilities if it can, and failing that it will install it suid root.
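As an added check after make install (example script, not part of arp-scan or its Makefile), the following POSIX shell function reports which of the two outcomes the install-exec-hook produced for a given binary: a file capability carrying cap_net_raw, the suid-root fallback, or neither. It assumes getcap from the libcap tools for the capability check and falls back to the set-user-ID bit otherwise; the function name and its output words are my own.

```shell
#!/bin/sh
# Added example, not part of arp-scan: report how an installed binary obtains
# raw-socket privilege, matching the two outcomes of the install-exec-hook
# (file capabilities or suid root). Prints exactly one word:
#   capability  - cap_net_raw is set as a file capability (needs getcap)
#   suid-root   - set-user-ID bit set and the file is owned by root
#   suid-other  - set-user-ID bit set but the file is owned by a non-root user
#   none        - neither mechanism present
#   missing     - no such file (also returns non-zero)
privilege_mode() {
    bin="$1"
    if [ ! -f "$bin" ]; then
        echo missing
        return 1
    fi
    # getcap ships with the libcap tools; if it is absent, capabilities cannot
    # be inspected here and the check falls through to the suid test.
    if command -v getcap >/dev/null 2>&1 && getcap "$bin" 2>/dev/null | grep -q 'cap_net_raw'; then
        echo capability
    elif [ -u "$bin" ]; then
        # POSIX 'test -u' is true when the set-user-ID bit is set.
        owner=$(ls -ld "$bin" | awk '{ print $3 }')
        if [ "$owner" = root ]; then
            echo suid-root
        else
            echo suid-other
        fi
    else
        echo none
    fi
}

# Typical use after 'make install':
#   privilege_mode "$(command -v arp-scan)"
```

For a package maintainer, "capability" is the answer to aim for: it grants only raw-socket access. "suid-root" means the hook could not set the capability and fell back to installing the binary set-user-ID root, which is the wider privilege of the two and worth noticing in a package review.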


arp-scan's Issues

configure checks compiling test code should include stdlib.h

from config.log

configure:4969: checking whether long long int is 64 bits
[cross-compile branch is taken]
configure:5027: i486-linux-musl-gcc -L/home/sabotage/www/building/lib -isystem ...
conftest.c:58:1: warning: return type defaults to 'int' [-Wreturn-type]
conftest.c: In function 'main':
conftest.c:59:3: warning: implicit declaration of function 'exit' [-Wimplicit-function-declaration]
conftest.c:59:3: warning: incompatible implicit declaration of built-in function 'exit' [enabled by default]

exit() is declared by stdlib.h, but on GLIBC it somehow gets magically pulled in when including stdio.h, which is a namespace violation. On musl it is not, and so this warning is raised.
That would mean that if I have -Werror-implicit-function-declaration in my CFLAGS, the configure check would fail because of that warning and the result would be misinterpreted, either giving me a broken build or not even letting me get there.

Unfortunately I was not able to find where in configure.ac the code compiled in the cross-compile scenario comes from, so I couldn't make a PR.

no detection of mac addr of multiple machines having same ip addr in localnet

Hello,
My name is Saurabh Kukade. I am a computer science student.
I am working on a project concerning distributed computing.
While using arp-scan, I am stuck in a certain situation, so I am wondering about the behaviour of arp-scan. I am explaining it below.

Situation.

    -> I have 3 separate machines having unique MAC addr.
    -> 3 of them have the same IP address and they are connected through an unmanaged switch.
    -> If I run 'arp-scan -l' on any of those machines then I don't get the MAC addresses of the remaining 2 machines.

Problem:
    -> My requirement is to get the MAC addresses of other machines in my local network which have the same IP as my machine.

So, what can I do for this? And I am curious why the arp-scan tool fails to do that.

Information about own MAC

I would actually expect for completeness to have the MAC of the interface used for scanning and its corresponding IP address listed as part of the scan results in cases like --localnet.
In fact this MAC can only be seen using -v -v options.
Is there some special reason this is not included? Could there at least be a switch to include / exclude it with whatever default?

Thanks
Emil

release tags ?

I just noticed that you recently updated NEWS and refer to a version 1.9.5.
There doesn't seem to be a corresponding git tag with a release tarball attached, nor can I find a release tarball apart from 1.9, which is the last tagged release here on github.
Am I missing something?

libpcap error during compilation

configure: Cannot find pcap library containing pcap_open_live
configure: error: Check that you have libpcap version 1.5 or later installed

I have installed libpcap 1.10.0-1 and libpcap-dev 1.10.0-1 libraries. Please help

same issue again

I have this issue again: #44
This is on a new Kali installation. I tried your suggestions (which worked fine on my other device), but now they don't work.
Manual installation goes without errors. After install I do arp-scan --help and I get an error:
bash: /usr/sbin/arp-scan: file or folder does not exist

can not see any clients on the network while scanning

Hi,
I have been using arp-scan for a short time (by the way, great tool for almost everything), and I stumbled upon this thing; could be a bug, not sure:
when I am trying to scan the LAN with a wireless interface, I am not getting any clients, not even the gateway. I tried to change the router config, thinking that there might be some rule in the firewall that might block the ARP, but I didn't find anything (I flushed iptables and it still didn't work).
Hardware description:
Wireless interface: ALFA Network AWUS036H
OS: Debian, Kali, Fedora (I have checked in different OSes just to verify)
Router: TP-Link 1043 with OpenWrt 12.09 on it.
If any other info is needed please notify.
Thanks in advance

Write debug output to stderr instead of stdout

When using arp-scan in conjunction with other tools via piping, one has to strip the output from the header and the footer.
E.g. when I want to get all the MAC addresses in my LAN I would like to run this:

sudo arp-scan --localnet --quiet | awk '{print $2}' | sort -u

but currently I have to run this:

sudo arp-scan --localnet | tail -n +3 | head -n -3 | awk '{print $2}' | sort -u
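As an added example (not part of arp-scan, and not the issue author's pipeline), a shell function that selects result lines by their shape, an IPv4 address followed by a MAC address, rather than trimming a fixed number of header and footer lines. The sample output it runs on is constructed here to look like an arp-scan run, including a "(DUP: 2)" line; it is not captured from a real scan, and the vendor names and addresses are made up.

```shell
#!/bin/sh
# Added example, not part of arp-scan: extract the unique MAC addresses from
# arp-scan's default output by recognising result lines by their shape
# (an IPv4 address in field 1, a colon-separated 6-byte MAC in field 2).
# The "Interface:" and "Starting arp-scan" header lines, the packet count and
# the "Ending arp-scan" footer never match, so no tail/head trimming is needed,
# and "(DUP: n)" repeats collapse under sort -u.
arp_scan_macs() {
    awk '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        length($2) == 17 && $2 ~ /^[0-9a-fA-F:]+$/ { print tolower($2) }
    ' | sort -u
}

# Constructed sample in the layout of an arp-scan run (not a real capture).
sample_output() {
    cat <<'EOF'
Interface: eth0, type: EN10MB, MAC: 02:00:00:00:00:01, IPv4: 192.0.2.10
Starting arp-scan 1.10.1-git with 256 hosts (https://github.com/royhills/arp-scan)
192.0.2.1	02:00:00:00:00:aa	(Unknown)
192.0.2.20	02:00:00:00:00:BB	Example Vendor, Inc.
192.0.2.20	02:00:00:00:00:BB	Example Vendor, Inc. (DUP: 2)
192.0.2.30	02:00:00:00:00:cc	Another Vendor

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.1-git: 256 hosts scanned in 2.000 seconds (128.00 hosts/sec). 3 responded
EOF
}

# Typical use: sudo arp-scan --localnet | arp_scan_macs
sample_output | arp_scan_macs
```

Matching on the line shape also keeps the pipeline correct if a future version changes the number of header or footer lines, which the tail/head approach silently gets wrong.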

Could not parse oui

Hello I am downloading the oui file like this:

wget http://standards.ieee.org/regauth/oui/oui.txt

and then running:

arp-scan --localnet -O oui.txt 

which is returning a lot of:

WARNING: Could not parse oui: ...

ERROR: failed to send packet: Resource temporarily unavailable

Running on a linux VM and executing sudo /usr/sbin/arp-scan -g -r 2 -B 1M 10.0.0.0/8 192.168.0.0/16 169.254.0.0/16 172.16.0.0/12 arp-scan sometimes fails with ERROR: failed to send packet: Resource temporarily unavailable This typically happens early in the scan, but not immediately, say after 5-15 hosts are enumerated, but within minutes rather than the 4-5 hours the full scan takes at -B 1M.
It seems to be more reliable at lower scan rates, as one would expect from the error, but not reliably so - for example scans completed at -B 10M (after much less time, of course).

Is there some way to make the process robust against this error - there's no indication that fall back does anything and running -vvv just generates an unusable amount of data (plus I suspect the hobble of writing to stdio sufficiently slows the process to reduce the risk of barfing).

ETH0 is a 10G optical link, so it isn't getting close to saturating the link even at 10M. Also, the system seems quite responsive even at 10M and there's no indication in top that resources are being problematically consumed even at 10M, let alone at 1M.

top - 02:26:16 up 1 day, 34 min,  5 users,  load average: 0.23, 0.20, 0.22
Tasks: 462 total,   1 running, 375 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.7 us,  0.7 sy,  0.0 ni, 94.9 id,  3.6 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem : 10232420 total,   814092 free,  7975620 used,  1442708 buff/cache
KiB Swap:  4038652 total,  4030192 free,     8460 used.  1880320 avail Mem

I tried building master rather than using the distro version - same version number (1.9) so maybe that will help, but I don't see anything referencing this error message.

fails to detect some devices

I hit this bug:

# arp-scan --interface eth0 10.0.84.2/32 && echo -ne "\n\n\n" && ping -c 1 10.0.84.2
Interface: eth0, datalink type: EN10MB (Ethernet)                                                                                                    
Starting arp-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/arp-scan/)                                                                      
                                                                                                                                                     
0 packets received by filter, 0 packets dropped by kernel                                                                                            
Ending arp-scan 1.9: 1 hosts scanned in 3.468 seconds (0.29 hosts/sec). 0 responded                                                                  
                                                                                                                                                     
                                                                                                                                                     
                                                                                                                                                     
PING 10.0.84.2 (10.0.84.2) 56(84) bytes of data.                                                                                                     
64 bytes from 10.0.84.2: icmp_seq=1 ttl=64 time=3.67 ms                                                                                              
                                                                                                                                                     
--- 10.0.84.2 ping statistics ---                                                                                                                    
1 packets transmitted, 1 received, 0% packet loss, time 0ms                                                                                          
rtt min/avg/max/mdev = 3.674/3.674/3.674/0.000 ms

It fails to detect it but it is pingable.

Upstream get_hardware_address() to libpcap

I'm making something similar to arp-scan (but under the same license as libpcap, BSD3)
and think it'd be very useful to have a portable way to get an interface's MAC address.

Since arp-scan has portable code for this, and uses libpcap, perhaps you could be convinced to add it to libpcap under their license?

Thanks, Evils.

double entry for 00-01-c8

There is a double entry for 00-01-c8

00-01-C8 CONRAD CORP.
00-01-C8 THOMAS CONRAD CORP.

is that correct?

[Feature Request] Stop scanning if N hosts are reachable

It would save time on large networks. E.g. with arp-scan --stop-if-reachable=1 -NqI wlan0 192.168.8.0/24, if router responds at 192.168.8.10 do not retry and wait for timeout on other hosts.

Also return non-zero code if no host is reachable so that something like | grep -q ' 0 responded' is not needed.

Passive ARP scan

I'm proposing to have a passive scan instead of an active one; in this mode arp-scan is going to sniff on the given interface to log all broadcast packets.

It prevents arp-scan from being detected.

cross compilation of 1.9 release is broken

checking whether long int is 64 bits... no                                      
checking whether long long int is 64 bits... yes                                
checking snprintf format for long long int... cannot test (not on host machine) 
configure: error: cannot determine snprintf format string for long long int     

the test is not even necessary, the format for long long int is always "%lld"

Wrong mac reported for 2 interfaces machine

arp-scan reports 2 IP but with the same mac when a machine has 2 interfaces. It is expected that each IP is listed with its associated mac.

arp-scan -I enp1s0 -l 
Interface: enp1s0, type: EN10MB, MAC: 74:86:7a:xx:xx:xx, IPv4: 192.168.44.115
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
[...]
192.168.44.103	bc:14:ef:yy:yy:yy	ITON Technology Limited
192.168.44.149	bc:14:ef:yy:yy:yy	ITON Technology Limited

11 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.125 seconds (120.47 hosts/sec). 11 responded

This machine, an rpi device, has one wifi interface and a (usb) ethernet one.

The wifi interface mac is:

b8:27:eb:zz:zz:zz

with ip as 192.168.44.103

The expected output is:

192.168.44.103	b8:27:eb:zz:zz:zz	Raspberry Pi Foundation
192.168.44.149	bc:14:ef:yy:yy:yy	ITON Technology Limited

scanning interface aliases not working anymore

Hello,

Commit 5fc969d introduced a regression:

arp-scan -l -I eth0:0
ERROR: Could not find interface: eth0:0
ERROR: Check that the interface exists and is up

There's a pretty simple workaround by using -s:

arp-scan -l -s 10.10.10.160 -I eth0:0
Interface: eth0:0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.10.10.1  00:30:18:a8:bd:c1   Jetway Information Co., Ltd.
10.10.10.16 00:15:17:64:23:fc   Intel Corporate
10.10.10.18 ee:69:48:f9:ba:14   (Unknown)
....

But I think the old behavior was better.

Use Linux capabilities

Would it be possible to use capabilities on Linux instead of always running as root?
Wireshark's dumpcap uses the same configuration.
This enables arp-scan to be used without root permissions.

I would be willing to submit a pull request for this if you're interested.

Segmentation fault of arp-scan on Ubuntu 17.04

Hello team,
I have found an issue with arp-scan which may potentially be used for a buffer overflow attack.
Whenever I run arp-scan on Ubuntu 17.04 it crashes with a segmentation fault (SIGSEGV).
Thank you

Doesn't work with Back To My Mac active (utun0, OS X 10.11.3)

When the utun0 interface is active, which apparently belongs to OS X Back To My Mac (see ifconfig), arp-scan doesn't work, even if you use your default gateway's router IP address accessed via en1 or en0. arp-scan just doesn't comply and wants to penetrate utun0. And so I get the error message "ERROR: Could not obtain MAC address for interface utun0". When I switch off Back To My Mac in System Preferences > iCloud, the utun0 interface disappears, and arp-scan works normally again. Well, this is clearly a bug.

listing wrong duplicate MAC address for devices with multiple interfaces from same host

Hi royhills,

My setup is a local network with various devices (desktops and laptops) that are connected through either LAN or WIFI or BOTH, each interface with its own IP address from a DHCP server. The arp-scan listing of the localnet has a "bug" as the MAC addresses corresponding to those distinct IPs on the same host are wrongly identified as duplicate of the "previous"/"active" interface.

Here is an edited example from Ubuntu 20.04, but same behaviour is also present on Debian 10 Buster
(please note the wrong identical - generic - MAC addresses "gg:gg:gg:gg:gg:gg" and "nn:nn:nn:nn:nn:nn" listed below from devices with both LAN and WIFI when "simultaneously" connected to same network)

==============================================================
somebody@somewhere:~$ sudo arp-scan -l
Interface: wlp4s0, type: EN10MB, MAC: xx:xx:xx:xx:xx:xx, IPv4: 192.168.2.121
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.2.109 aa:aa:aa:aa:aa:aa SmartRG, Inc.
192.168.2.118 bb:bb:bb:bb:bb:bb SmartRG, Inc.
192.168.2.119 cc:cc:cc:cc:cc:cc Wistron InfoComm(Kunshan)Co.,Ltd.
192.168.2.127 dd:dd:dd:dd:dd:dd Cisco-Linksys, LLC
192.168.2.134 ee:ee:ee:ee:ee:ee Hewlett Packard
192.168.2.137 gg:gg:gg:gg:gg:gg Hewlett Packard
192.168.2.140 gg:gg:gg:gg:gg:gg Hewlett Packard
192.168.2.141 hh:hh:hh:hh:hh:hh ASUSTek COMPUTER INC.
192.168.2.126 kk:kk:kk:kk:kk:kk Apple, Inc.
192.168.2.137 nn:nn:nn:nn:nn:nn Intel Corporate (DUP: 2)
192.168.2.140 nn:nn:nn:nn:nn:nn Intel Corporate (DUP: 2)

11 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.038 seconds (125.61 hosts/sec). 11 responded

Cheers and Thanks for your insight!

Scanning on WLAN interface only sometimes yields results

The scan is unreliable. Sometimes I get 1 device, 2 devices with a duplicate, or no device at all.
I am scanning connected devices on WLAN.

In my test, I used an Android v6.0.1 phone connected to the hostapd


This is my wlp4s0 interface:

root@siconmartin:~# ip addr | grep wlp4s0 
4: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 
    inet 192.168.99.10/24 brd 192.168.99.255 scope global wlp4s0

These are the test results:

root@siconmartin:~# arp-scan --interface wlp4s0 192.168.99.10/24
Interface: wlp4s0, datalink type: EN10MB (Ethernet) 
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/) 
 
0 packets received by filter, 0 packets dropped by kernel 
Ending arp-scan 1.8.1: 256 hosts scanned in 2.625 seconds (97.52 hosts/sec). 0 responded 
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.99.100  1c:23:2c:e0:34:7b       (Unknown)
192.168.99.100  1c:23:2c:e0:34:7b       (Unknown) (DUP: 2)

root@siconmartin:~# arp-scan --interface wlp4s0 192.168.99.10/24
Interface: wlp4s0, datalink type: EN10MB (Ethernet)
WARNING: host part of 192.168.99.10/24 is non-zero
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
 
0 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 4.546 seconds (56.31 hosts/sec). 0 responded
root@siconmartin:~# arp-scan --interface wlp4s0 192.168.99.10/24
Interface: wlp4s0, datalink type: EN10MB (Ethernet)
WARNING: host part of 192.168.99.10/24 is non-zero
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.99.100  1c:23:2c:e0:34:7b       (Unknown)

1 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.932 seconds (132.51 hosts/sec). 1 responded
root@siconmartin:~# arp-scan --interface wlp4s0 192.168.99.10/24
Interface: wlp4s0, datalink type: EN10MB (Ethernet) 
WARNING: host part of 192.168.99.10/24 is non-zero 
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/) 
192.168.99.100  1c:23:2c:e0:34:7b       (Unknown) 


1 packets received by filter, 0 packets dropped by kernel 
Ending arp-scan 1.8.1: 256 hosts scanned in 2.586 seconds (98.99 hosts/sec). 1 responded 
root@siconmartin:~# arp-scan --interface wlp4s0 192.168.99.10/24 
Interface: wlp4s0, datalink type: EN10MB (Ethernet) 
WARNING: host part of 192.168.99.10/24 is non-zero 
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/) 
192.168.99.100  1c:23:2c:e0:34:7b       (Unknown) (DUP: 1) 

arp-scan returning Could not obtain MAC address for interface

Hi,
I'm an arp-scan user and I'm having a problem with arp-scan; after searching on the internet I did not find the answer, so I come to you, hoping I can get help from you!
I'm running arp-scan on a router device. The ifconfig displayed the following result:

br0 Link encap:Ethernet HWaddr B0:6E:BF:3E:9D:38
inet addr:192.168.0.126 Bcast:192.168.1.255 Mask:255.255.254.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:16757261 errors:0 dropped:0 overruns:0 frame:0
TX packets:4559854 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1446934911 (1.3 GiB) TX bytes:1579427140 (1.4 GiB)
eth0 Link encap:Ethernet HWaddr 00:50:56:36:45:97
inet addr:77.70.63.235 Bcast:77.70.63.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18715176 errors:0 dropped:0 overruns:0 frame:0
TX packets:6373130 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3364360180 (3.1 GiB) TX bytes:3132681713 (2.9 GiB)
Interrupt:179 Base address:0x4000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:173801 errors:0 dropped:0 overruns:0 frame:0
TX packets:173801 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:32577390 (31.0 MiB) TX bytes:32577390 (31.0 MiB)
tun21 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:24174 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:9643272 (9.1 MiB)

I ran arp-scan like this:
arp-scan --interface=tun21 --localnet -g -q -r1

It displayed:
ERROR: Could not obtain MAC address for interface tun21

Look, the MAC for tun21 is "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00", but somebody said it doesn't matter. Can you tell me what the problem is?

Thank you very much!

P

Round-trip time not aligned in a column

The RTT value is separated from the previous output column (OUI manufacturer lookup for example) with a single "hardcoded" tab, which produces a scattered output of RTT (not vertically aligned). The problem is exaggerated by the fact that the manufacturer strings are of varying lengths with variations that can be greater than multiple tabstop lengths.

Failed redirection for get-oui and get-iab

Steps to reproduce:

reload the OUI and the IAB database on a centos7 (nethserver7)

[root@prometheus ~]# /usr/sbin/get-oui
Could not get OUI data from http://standards.ieee.org/develop/regauth/oui/oui.txt
[root@prometheus ~]# /usr/sbin/get-iab
Could not get IAB data from http://standards.ieee.org/develop/regauth/iab/iab.txt

If I use this URL in a browser, I am redirected to http://standards-oui.ieee.org/oui/oui.txt and http://standards-oui.ieee.org/iab/iab.txt, but depending on the server the redirection fails.

This is something where we cannot determine when it works or when it fails; we have a thread on our community, and depending on the server we have the issue or not: https://community.nethserver.org/t/get-oui-and-get-iab-issue/11085

We could monitor when the issue started, because we have this bash command in a cron.monthly job, the first time we saw it was on early September.

If I specify the end url, I can load the database

/usr/sbin/get-oui -u http://standards-oui.ieee.org/oui/oui.txt
/usr/sbin/get-iab -u http://standards-oui.ieee.org/iab/iab.txt

Do you have an explanation of what is occurring?

Hosts found by arp-scan doesn't appear in ARP table

Hello. I don't know if it is an expected behaviour but at least it's a strange one. Once arp-scan finished a simple scan (arp-scan -I enp0s3 -l), when I run ip neigh show I can't see any of the several hosts arp-scan has found. Thanks a lot

PS: I'm using v1.9.7 downloaded from Fedora 34's official repository

libpcap version 0.9 or later?

I am getting this error when trying to compile:

configure: Cannot find pcap library containing pcap_open_live
configure: error: Check that you have libpcap version 0.9 or later installed

I have version 1.7.4 installed, but it doesn't seem to pick it up? Any ideas?

I am on Alpine Linux

Some URLs in help text and man page are no longer valid

Built from tar-ball arp-scan-1.9.tar.gz and installed on

Raspbian GNU/Linux 8.0 (jessie)
(GNU/Linux 4.4.13-v7+ armv7l)

arp-scan --version reports:

arp-scan 1.9

Copyright (C) 2005-2013 Roy Hills, NTA Monitor Ltd.
arp-scan comes with NO WARRANTY to the extent permitted by law.
You may redistribute copies of arp-scan under the terms of the GNU
General Public License.
For more information about these matters, see the file named COPYING.

libpcap version 1.6.2
$Id: arp-scan.c 19582 2013-04-28 17:11:17Z rsh $
$Id: error.c 19550 2013-04-15 09:24:42Z rsh $
$Id: wrappers.c 19550 2013-04-15 09:24:42Z rsh $
$Id: utils.c 19550 2013-04-15 09:24:42Z rsh $
$Id: link-packet-socket.c 19578 2013-04-25 15:44:27Z rsh $

Some URLs in arp-scan --help are no longer valid:
http://standards.ieee.org/regauth/oui/ieee-oui.txt shows:

Sorry, but the page you have requested

    http://standards.ieee.org/regauth/oui/ieee-oui.txt

does not exist on this site.

You may want to type in a description of what you were looking for at our search engine.
This software is maintained by IEEE Standards Systems/Network Staff.

In the man page of get-oui the URL is OK:
http://standards.ieee.org/regauth/oui/oui.txt
So the filename should be oui.txt not ieee-oui.txt

Another URL no longer valid is:
http://www.nta-monitor.com/tools/arp-scan/

Results in:

Not Found

The requested URL /tools/arp-scan/ was not found on this server.

Not sure if this URL should be removed. The wiki holds the information.

What are the release criteria for 1.10?

There were tons of bug fixes and nice updates since 2013. Would it be possible to make a new release of this software?

The reason I'm asking is that some linux distributions (void linux in my case) only accept packages in released versions - therefore I would have to pick all the relevant commits and include them as patches manually. Having a new version released would save me a lot of time.

libpcap version ?

Hi,
arp-scan seems to be incompatible with the latest libpcap-1.9.1.
The app doesn't crash but produces empty output. If I install the old version libpcap-1.9.0, everything is back as expected.

[EDIT] OS: Linux 5.3.4-arch1-1-ARCH

Regards
Fred.

Segmentation on vsnprintf in uClibc.

Here is a fix:

-         warn_msg("WARNING: \"%s\" is not a valid IPv4 address - target ignored");
+         warn_msg("WARNING: \"%s\" is not a valid IPv4 address - target ignored", host_name);
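Review bot: the removed line passes a format string containing %s to warn_msg with no matching argument, so the underlying vsnprintf reads a variadic argument that was never supplied; adding host_name, as the + line does, makes the call well-formed, and the crash on uClibc is simply where that undefined read happened to fault rather than print garbage. If warn_msg is declared with a printf-style format attribute (gcc/clang __attribute__((format(printf, 1, 2)))), -Wformat would have flagged this mismatch at compile time and would catch any remaining calls of the same kind.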

please consider a new git tag / release

Hey, It would be awesome to get a new release. Not too much has happened in the meanwhile but some small fixes and improvements plus the use after free bug etc.

would be awesome to just hit the button and get new upgrades into the distros :D

arp-scan returning entries from other vlan.

Example

sudo arp-scan --interface=ens160 --vlan=1 192.168.1.20 --arpspa=0.0.0.0
Interface: ens160, type: EN10MB, MAC: 00:0c:29:93:f0:c3, IPv4: (none)
Starting arp-scan 1.9.7 with 1 hosts (https://github.com/royhills/arp-scan)
192.168.1.20	00:50:56:9b:6d:c6	VMware, Inc. (802.1Q VLAN=10)

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 1 hosts scanned in 0.303 seconds (3.30 hosts/sec). 1 responded

With a pcap, it appears the arp request isn't honoring the --arpspa flag and it shows up as Who has 192.168.1.20 Tell 192.168.1.234 instead of Who has 192.168.1.20? (ARP Probe)

In the above, 1.234 is assigned to vlan.10@ens160 / vlan tagged interface.

RHEL/CentOS 8 distro

Hey arp-scan'ers - we've got an internal service that uses arp-scan, which we love (good work!). That service is currently using CentOS 7.x userspace.

We're looking to upgrade that service to CentOS 8.x userspace, and I don't see anything in either CentOS 8.x streams or EPEL 8 for arp-scan.

Is that intentional? If so, is the recommended approach to build and install independently? Or is there another yum compatible stream available?

arp-scan no results displayed

09:56:33 [root@localhost ~]# arp-scan --interface=enp2s0 --localnet 
Interface: enp2s0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)

18 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 1.936 seconds (132.23 hosts/sec). 0 responded

Note that packets are received but not displayed.

This is occurring on three separate machines: Fedora 30 & 31, and a VM with kali-rolling.
Any ideas?

no results

arp-scan has always worked fine, but since today I don't get any results anymore. This happened after the latest Kali update. It scans but returns no results; no devices are found. The network looks fine, I can ping all devices.
Where do I need to check to fix this?
EDIT: when I do nmap -sn RANGE I can find my devices. The only issue is with arp-scan now.

arp-scan fails on Solaris 11 with a segmentation fault

root@solaris11:~/arp-scan# gdb ./arp-scan
GNU gdb (GDB) 7.6
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-pc-solaris2.11".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /export/home/rsh/arp-scan/arp-scan...done.
(gdb) run --localnet
Starting program: /export/home/rsh/arp-scan/arp-scan --localnet
[Thread debugging using libthread_db enabled]
[New Thread 1 (LWP 1)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1 (LWP 1)]
0x0805db04 in get_hardware_address (if_name=0x8047c62 "net0",
    hw_address=hw_address@entry=0xfeffea5e "y\376") at link-dlpi.c:293
293        if (dlpi_msg(handle->fd, dlp, DL_PHYS_ADDR_REQ_SIZE, 0, DL_PHYS_ADDR_ACK,
(gdb) p handle
$1 = (link_t *) 0x0

Suggestion for a more precise message for packets that are received after a timeout.

I'm scanning the local network.

sudo arp-scan --interface wlp3s0 -l -vvvv -L -N -r1

It seems that I get DUP: 1 entries when packets are received after the timeout.

---	Removing host 192.168.50.245 - Timeout
---	Removing host 192.168.50.246 - Timeout
---	Received packet #1 from 192.168.50.238
192.168.50.238	88:57:1d:87:7c:37	Some company (DUP: 1)
---	Removing host 192.168.50.238 - Received 42 bytes
***	remove_host called on non-live host: SHOULDN'T HAPPEN
---	Received packet #1 from 192.168.50.222
192.168.50.222	4c:17:44:22:fe:84	Some company (DUP: 1)
---	Removing host 192.168.50.222 - Received 42 bytes
***	remove_host called on non-live host: SHOULDN'T HAPPEN

Most logical to me would be to adjust the message. If he->num_recv is equal to one, it's not a duplicate message but a message that was received after the timeout.

      if (!he->live) {
         cp = msg;
         msg = make_message("%s (DUP: %u)", cp, he->num_recv);
         free(cp);
      }

This is just using arp-scan 1.9.7, the default on Ubuntu, but the precise version doesn't matter here I think. It would be great if the console log were more precise here.

Now:

192.168.50.83	ec:e5:12:12:60:36	Some company (DUP: 1)

Towards something like this:

192.168.50.83	ec:e5:12:12:60:36	Some company (Received after timeout)

Suggestion: print "locally administered" instead of "Unknown" for qualifying OUIs

arp-scan now prints "(Unknown)" for locally administered addresses / OUIs (i.e. with the second-least-significant bit of the first octet of the address set to 1, see https://en.wikipedia.org/wiki/MAC_address#Universal_vs._local).

I think it would be better if arp-scan would print "(Unknown: locally administered)". That would keep people (like me) from searching for an updated OUI list...

With three lines of C code in arp-scan.c I was able to achieve this. See below.

So:

  • would you like to add this feature to arp-scan?
  • if so, shall I send a PR?

Old:

sander@netbook:~/git/arp-scan$ sudo ./arp-scan --localnet --interface=eth1
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1	64:d1:a3:1d:76:33	Sitecom Europe BV
192.168.0.108	02:01:9c:45:40:2d	(Unknown)
192.168.0.111	00:11:32:15:7f:60	Synology Incorporated
192.168.0.117	18:f4:6a:9c:ce:d4	Hon Hai Precision Ind. Co.,Ltd.
192.168.0.105	ac:cf:23:12:1d:85	Hi-flying electronics technology Co.,Ltd
192.168.0.117	18:f4:6a:9c:ce:d4	Hon Hai Precision Ind. Co.,Ltd. (DUP: 2)

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 4.755 seconds (53.84 hosts/sec). 6 responded

New:

sander@netbook:~/git/arp-scan$ sudo ./arp-scan --localnet --interface=eth1
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1	64:d1:a3:1d:76:33	Sitecom Europe BV
192.168.0.108	02:01:9c:45:40:2d	(Unknown: locally administered)
192.168.0.111	00:11:32:15:7f:60	Synology Incorporated
192.168.0.117	18:f4:6a:9c:ce:d4	Hon Hai Precision Ind. Co.,Ltd.
192.168.0.105	ac:cf:23:12:1d:85	Hi-flying electronics technology Co.,Ltd

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 4.614 seconds (55.48 hosts/sec). 5 responded
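The two display suggestions above (the "Received after timeout" annotation and the "locally administered" vendor label) both touch the same output line, so here is one added C example that implements both together. It is illustrative code written for this page, not arp-scan's own source: the `host_entry` struct, the two-entry `oui_table`, and the `host_timeout`/`host_reply` event functions are constructed stand-ins for the project's host list, ieee-oui.txt lookup and `make_message` path, and the sample hosts are taken from the log excerpts in the issues.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for arp-scan's per-host state (constructed for this example,
 * not the project's own struct): only the fields the two suggestions touch. */
struct host_entry {
    const char *ip;      /* dotted-quad, as printed in the first column */
    uint8_t mac[6];      /* replying hardware address */
    int live;            /* non-zero while arp-scan is still waiting for this host */
    unsigned num_recv;   /* replies received so far */
};

/* IEEE 802 addressing: bit 1 of the first octet is the U/L (local) bit,
 * bit 0 is the I/G (multicast) bit. */
int mac_is_locally_administered(const uint8_t mac[6]) { return (mac[0] & 0x02) != 0; }
int mac_is_multicast(const uint8_t mac[6]) { return (mac[0] & 0x01) != 0; }

/* Tiny OUI table standing in for arp-scan's ieee-oui.txt lookup (constructed). */
static const struct { uint8_t oui[3]; const char *vendor; } oui_table[] = {
    { { 0x64, 0xd1, 0xa3 }, "Sitecom Europe BV" },
    { { 0x00, 0x11, 0x32 }, "Synology Incorporated" },
};

/* Vendor column: a locally administered address carries no registered OUI,
 * so say so instead of sending the reader off to refresh the OUI list. */
const char *vendor_for_mac(const uint8_t mac[6]) {
    if (mac_is_locally_administered(mac))
        return "(Unknown: locally administered)";
    for (size_t i = 0; i < sizeof oui_table / sizeof oui_table[0]; i++)
        if (memcmp(mac, oui_table[i].oui, 3) == 0)
            return oui_table[i].vendor;
    return "(Unknown)";
}

/* Trailing annotation, per the timeout suggestion: a reply for a host that is
 * no longer live is only a duplicate if an earlier reply was already counted. */
const char *reply_annotation(const struct host_entry *he, char *buf, size_t len) {
    if (he->live)
        buf[0] = '\0';                                   /* first reply, within the timeout */
    else if (he->num_recv == 1)
        snprintf(buf, len, "%s", " (Received after timeout)");
    else
        snprintf(buf, len, " (DUP: %u)", he->num_recv);
    return buf;
}

/* One output line in arp-scan's ip<TAB>mac<TAB>vendor[annotation] layout. */
const char *format_line(const struct host_entry *he, char *out, size_t len) {
    char ann[32];
    snprintf(out, len, "%s\t%02x:%02x:%02x:%02x:%02x:%02x\t%s%s",
             he->ip, he->mac[0], he->mac[1], he->mac[2],
             he->mac[3], he->mac[4], he->mac[5],
             vendor_for_mac(he->mac), reply_annotation(he, ann, sizeof ann));
    return out;
}

/* Scan events (constructed): a timeout just marks the host non-live; a reply
 * is counted, printed, and then retires the host if it was still awaited. */
void host_timeout(struct host_entry *he) { he->live = 0; }

const char *host_reply(struct host_entry *he, char *out, size_t len) {
    he->num_recv++;
    format_line(he, out, len);
    he->live = 0;
    return out;
}

int main(void) {
    char line[128];
    /* Constructed hosts modelled on the log excerpts in the two issues. */
    struct host_entry lo   = { "192.168.0.108",  { 0x02, 0x01, 0x9c, 0x45, 0x40, 0x2d }, 1, 0 };
    struct host_entry late = { "192.168.50.238", { 0x88, 0x57, 0x1d, 0x87, 0x7c, 0x37 }, 1, 0 };
    struct host_entry dup  = { "192.168.0.117",  { 0x18, 0xf4, 0x6a, 0x9c, 0xce, 0xd4 }, 1, 0 };

    puts(host_reply(&lo, line, sizeof line));      /* (Unknown: locally administered) */
    host_timeout(&late);                           /* timeout fires before the reply */
    puts(host_reply(&late, line, sizeof line));    /* (Unknown) (Received after timeout) */
    puts(host_reply(&dup, line, sizeof line));     /* first reply in time: no annotation */
    puts(host_reply(&dup, line, sizeof line));     /* second reply: (DUP: 2) */
    return 0;
}
```

The ordering inside `host_reply` matters: the reply is counted before the line is formatted and the host is retired only afterwards, which is what makes `live` distinguish "first reply in time" from "first reply after the timeout" while `num_recv` still yields the familiar `(DUP: n)` count for genuine repeats.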
