Network scanning is a routine task for system administrators, network engineers, and security professionals. Scanning a network shows which devices are connected to it, which is the starting point for building an inventory, spotting hosts that should not be there, and checking that the network matches its documentation. Two widely used tools for discovering hosts on a local network are arp-scan and Netdiscover. Both rely on ARP (Address Resolution Protocol) to map the devices on a segment, but they differ in features and approach. This article covers both tools, what they do, and how to use them.
Understanding ARP and Its Role in Network Scanning
Before looking at the tools, it helps to understand ARP. ARP maps an IPv4 address to a MAC (Media Access Control) address on a local network. When a device wants to talk to another device on the same segment, it broadcasts an ARP request asking "Who has IP X?", and the device with that address replies with its MAC address. The exchange is unauthenticated: any host on the segment can answer, and the reply is taken at face value, so a scan result records what hosts claim rather than a verified inventory.
Both arp-scan and Netdiscover use this mechanism. They send an ARP request for every address in the target range on the chosen interface and record the replies, producing a table of IP and MAC addresses. Two consequences follow: ARP does not cross routers, so a scan only covers the broadcast domain the scanning interface sits in, and both tools need raw socket access, so they are normally run as root (hence the sudo in the examples below).
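The request/reply exchange described above, as an added example that is not code from arp-scan or Netdiscover: it builds the Ethernet/ARP frames in memory with Python's struct module, parses them back, and shows the difference between what an active scan collects (replies to its own probes) and what a passive listener learns (the sender fields of every ARP packet it sees, which is what Netdiscover's passive mode relies on). Every MAC and IP in it is made up, and nothing is put on the wire.

```python
"""ARP request/reply frames as arp-scan and Netdiscover use them.

Added example, not code from either tool. Frames are built and parsed in
memory only (nothing is sent), and all addresses below are made up.
"""
import struct

ETH_P_ARP = 0x0806            # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = "00:00:00:00:00:00"
ARP_FMT = "!HHBBH6s4s6s4s"    # htype ptype hlen plen op sha spa tha tpa (RFC 826)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    dst = mac_bytes(target_mac) if dst_mac is None else dst_mac
    eth = struct.pack("!6s6sH", dst, mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def build_request(scanner_mac, scanner_ip, target_ip):
    """'Who has target_ip? Tell scanner_ip', sent to the broadcast MAC."""
    return build_arp(ARP_REQUEST, scanner_mac, scanner_ip, ZERO_MAC, target_ip,
                     dst_mac=BROADCAST)


def build_reply(host_mac, host_ip, scanner_mac, scanner_ip):
    """'host_ip is at host_mac', unicast back to the scanner."""
    return build_arp(ARP_REPLY, host_mac, host_ip, scanner_mac, scanner_ip)


def parse_arp(frame):
    """Decode an Ethernet frame; return the ARP fields, or None if not IPv4 ARP."""
    if len(frame) < 42:                       # 14-byte Ethernet + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def active_scan_results(frames, scanner_ip):
    """Active mode: keep only replies answering our probes (target IP is ours).
    Returns {ip: set(macs)}; more than one MAC for one IP deserves a look."""
    table = {}
    for frame in frames:
        p = parse_arp(frame)
        if p and p["op"] == ARP_REPLY and p["target_ip"] == scanner_ip:
            table.setdefault(p["sender_ip"], set()).add(p["sender_mac"])
    return table


def passive_listen_results(frames):
    """Passive mode: send nothing, learn the sender IP/MAC from every ARP packet
    seen, requests included (a request reveals who is asking)."""
    table = {}
    for frame in frames:
        p = parse_arp(frame)
        if p and p["sender_ip"] != "0.0.0.0":  # skip RFC 5227 address probes
            table.setdefault(p["sender_ip"], set()).add(p["sender_mac"])
    return table


if __name__ == "__main__":
    scanner = ("02:00:00:00:00:01", "192.168.1.10")        # made-up scanner
    probe = build_request(*scanner, "192.168.1.1")
    answer = build_reply("aa:bb:cc:dd:ee:01", "192.168.1.1", *scanner)
    print(parse_arp(probe))
    print(active_scan_results([probe, answer], scanner[1]))
    print(passive_listen_results([probe, answer]))
```

The active collector keys its table on the sender IP and keeps a set of MACs rather than a single value: a second MAC answering for an IP you already have an answer for is exactly the condition a scan should surface (arp-scan flags it as a duplicate) rather than silently overwrite.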
arp-scan
What is arp-scan?
arp-scan is a flexible network scanning tool that identifies devices on a local network with ARP requests. Traditional scanners rely on ICMP (ping) or TCP/UDP probes, which a host can be configured to ignore or a host firewall can drop. A host on an Ethernet segment must answer ARP to communicate at all, so arp-scan finds devices that never respond to ping, at the cost of only seeing hosts on the local segment.
Installing arp-scan:
# on ubuntu/debian
sudo apt install arp-scan
# on Archlinux
sudo pacman -S arp-scan
Using arp-scan:
Once installed, arp-scan is run with the following basic syntax:
# Basic syntax (root or CAP_NET_RAW is needed to send raw frames)
sudo arp-scan [options] <network_range>
# Examples
# scan the range 192.168.1.0/24 on the default interface
sudo arp-scan 192.168.1.0/24
# scan the subnet a specific interface is on (-l / --localnet derives the range from the interface address)
sudo arp-scan -I wlan0 -l
# quiet output: only IP and MAC address, no vendor (OUI) decoding
sudo arp-scan -q -I wlan1 172.16.0.0/24
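A scan is only useful once its output is compared with what should be on the segment. The following added example (not part of arp-scan) parses a constructed copy of arp-scan's default output, checks each MAC against a made-up inventory, and flags two patterns worth a second look: one IP answered by several MACs (arp-scan marks the extra answers with a "(DUP: n)" suffix) and one MAC answering for several IPs. The sample output, vendor strings and inventory are invented for the example; real output can be piped in on stdin.

```python
"""Triage arp-scan output against a known-device inventory.

Added example, not part of arp-scan. SAMPLE is a constructed capture in the
shape of arp-scan's default output (header, tab-separated host lines, footer);
the addresses, vendors and the inventory are made up.
"""
import re
import sys

SAMPLE = """\
Interface: eth0, type: EN10MB, MAC: 02:00:00:00:00:01, IPv4: 192.168.1.10
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1\t00:11:22:33:44:55\tExample Router Co
192.168.1.1\tde:ad:be:ef:00:01\t(Unknown)\t(DUP: 2)
192.168.1.20\taa:bb:cc:dd:ee:01\tExample Printer Co
192.168.1.21\taa:bb:cc:dd:ee:01\tExample Printer Co
192.168.1.50\t52:54:00:12:34:56\tQEMU virtual NIC

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.1 seconds (121.9 hosts/sec). 5 responded
"""

# Constructed allowlist: MAC -> description of the device we expect to see.
INVENTORY = {
    "00:11:22:33:44:55": "edge router",
    "aa:bb:cc:dd:ee:01": "office printer",
}

# A responding-host line: IP, tab, MAC, tab, vendor; anything after that
# (such as the DUP marker) is ignored. Header and footer lines do not match.
HOST_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\t"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\t"
    r"(?P<vendor>[^\t]*)"
)


def parse_arp_scan(text):
    """Return [(ip, mac, vendor)] for each responding-host line; skip the rest."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            hosts.append((m["ip"], m["mac"].lower(), m["vendor"]))
    return hosts


def triage(hosts, inventory):
    """Flag what an audit cares about: MACs not in the inventory, one IP claimed
    by several MACs (address conflict or ARP spoofing), and one MAC answering
    for several IPs (proxy ARP, a VM host, or a spoofing tool)."""
    by_ip, by_mac = {}, {}
    for ip, mac, _vendor in hosts:
        by_ip.setdefault(ip, set()).add(mac)
        by_mac.setdefault(mac, set()).add(ip)
    return {
        "unknown": sorted({mac for _ip, mac, _v in hosts if mac not in inventory}),
        "ip_conflicts": {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1},
        "multi_ip_macs": {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1},
    }


if __name__ == "__main__":
    import json
    # Use real output when piped in (e.g. sudo arp-scan -I eth0 -l | python3 triage.py),
    # otherwise fall back to the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(triage(parse_arp_scan(text), INVENTORY), indent=2))
```

Keying the inventory on MAC rather than IP is deliberate: IPs on a DHCP segment move around, while an unexpected MAC, or a known MAC suddenly answering for the gateway's IP, is the signal an auditor wants.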
Netdiscover
What is Netdiscover?
Netdiscover is another network discovery tool, but it is simpler and more lightweight than arp-scan. It is designed to be an easy-to-use tool for detecting devices on a local network using ARP requests. Netdiscover is particularly useful for beginners who need to quickly discover devices within a network without the need for complex configurations.
Key Features of Netdiscover:
- Default scan ranges: when run without a range, Netdiscover sweeps the common private (RFC 1918) address ranges, so it produces results without you supplying a subnet. Giving it the real range with -r is faster and avoids probing address space the interface is not on.
- Passive and Active Scanning: Netdiscover can do both. Active scanning sends ARP requests and reports the replies. Passive scanning (-p) sends nothing at all and only listens to the ARP traffic hosts already exchange, so it finds hosts more slowly but generates no scan traffic of its own.
- Minimal Configuration: The tool requires minimal setup, making it an ideal choice for simple network discovery tasks.
Installing Netdiscover:
# on debian/ubuntu
sudo apt install netdiscover
# on archlinux
yay -S netdiscover
Using Netdiscover:
# active scan of the common private ranges on the default interface
sudo netdiscover
# active scan of a given range on a given interface
sudo netdiscover -i wlp5s0 -r 172.16.0.0/24
# passive mode: transmit nothing, only listen for ARP traffic on the interface
# (no packets leave the scanner, so other hosts see nothing from it)
sudo netdiscover -i wlp5s0 -p
Conclusion
Both arp-scan and Netdiscover discover hosts by sending ARP requests and recording the replies, and both are limited to the local segment for the same reason. arp-scan offers more options and output suited to scripting, while Netdiscover is lightweight and quick to use, with a passive mode for situations where the scanner should not transmit. Depending on your needs, a simple network audit or a more detailed, repeatable scan, you can choose the tool that best suits your requirements.