Using ARP for Network Recon
Network Sleuth

© Lead Image © Andrea De Martin, 123RF.com
When it comes to network recon, arp-scan allows you to collect device intel quickly and stealthily.
The most obvious thing system administrators and hackers have in common is the need for network reconnaissance (recon). In both cases, such recon needs to be carried out as quickly and with as little impact to users as possible. One such recon technique involves finding every network-connected device on a subnet. You might think that this is an easy task, but it isn't. The first tool everyone thinks of is ping. However, ping can be, and usually is, blocked from use against important network-connected devices such as routers, firewalls, switches, intrusion detection appliances, intrusion prevention appliances, servers, and even workstations. Ping is not an effective tool for finding every network-connected device. Instead, an effective solution is to use the Address Resolution Protocol (ARP). ARP maps IP addresses to MAC (hardware) addresses.
ARP is effective in finding all network-connected devices, because you cannot block ARP. ARP must be allowed on a network for proper host-to-host communications. It is this feature (or flaw) that makes ARP a valuable reconnaissance tool. Fortunately, some clever programmers developed an easy-to-use, command-line tool, called ARP Scan (arp-scan
), that makes quick work of this type of reconnaissance. The only limitation of using ARP in this manner is that its use is confined to a local subnet. In other words, you can scan all devices on the 192.168.1.0/24 subnet, but you cannot scan the 192.168.2.0/24 network unless you scan from one of those 192.168.2.xxx addresses. To put it simply: ARP is non-routable.
ARP Provides a Wealth of Information
Although arp-scan
is a very versatile tool, my use of it is usually limited to the following five general usage scenarios:
[...]
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

News
-
Akamai Will Host kernel.org
The organization dedicated to cloud-based solutions has agreed to host kernel.org to deliver long-term stability for the development team.
-
Linux Kernel 6.14 Released
The latest Linux kernel has arrived with extra Rust support and more.
-
EndeavorOS Mercury Neo Available
A new release from the EndeavorOS team ships with Plasma 6.3 and other goodies.
-
Fedora 42 Beta Has Arrived
The Fedora Project has announced the availability of the first beta release for version 42 of the open-source distribution.
-
Dash to Panel Maintainer Quits
Charles Gagnon has stepped away as maintainer of the popular Dash to Panel Gnome extension.
-
CIQ Releases Security-Hardened Version of Rocky Linux
If you're looking for an enterprise-grade Linux distribution that is hardened for business use, there's a new version of Rocky Linux that's sure to make you and your company happy.
-
Gnome’s Dash to Panel Extension Gets a Massive Update
If you're a fan of the Gnome Dash to Panel extension, you'll be thrilled to hear that a new version has been released with a dock mode.
-
Blender App Makes it to the Big Screen
The animated film "Flow" won the Oscar for Best Animated Feature at the 97th Academy Awards held on March 2, 2025 and Blender was a part of it.
-
Linux Mint Retools the Cinnamon App Launcher
The developers of Linux Mint are working on an improved Cinnamon App Launcher with a better, more accessible UI.
-
New Linux Tool for Security Issues
Seal Security is launching a new solution to automate fixing Linux vulnerabilities.