Looking for arp scanner

Christopher Black cblack at securecrossing.com
Wed Jun 29 23:42:25 GMT 2005


On Wed, 2005-06-29 at 16:30 -0700, Glenn Dawson wrote:
> At 03:45 PM 6/29/2005, Vince Hoffman wrote:
> 
> 
> >On Wed, 29 Jun 2005, Fabian Anklam wrote:
> >
> >>On 6/29/05, Glenn Dawson <glenn at antimatter.net> wrote:
> >>>At 02:18 PM 6/29/2005, Fabian Anklam wrote:
> >>>>Hi there,
> >>>>
> >>>>I've been browsing freshports.org for an arp scanner and found only
> >>>>arpscan, which is marked broken, and knowlan, which hasn't been updated
> >>>>in years. What's the tool of choice to map out IP addresses on a subnet
> >>>>when you know that quite a few hosts are firewalled from ping?
> >>>
> >>>Try nmap.  It has a variety of different ways to "look" for systems on a
> >>>given subnet.
> >>Thanks. Tried nmap. As I said, some systems that I want to have in my
> >>output are locally firewalled and I doubt the -sP switch catches
> >>them. Port scans are out of the question.
> >
> >Thinking about it, even if the host blocks ping then it will have to reply 
> >to an arp request. So make a short script to clear the arp cache ('arp -a 
> >-d' as root), then do your nmap -sP xxx.xxx.xxx.xxx/yyy and do an arp -a,
> >which will list all the arp entries in your arp cache (should be every 
> >host that responded to an arp request when you did the ping scan, but maybe 
> >pipe it through grep to only get the arps for IPs in that range).
> >
> >also arping may be of use.
> 
> I suppose if you need to be totally passive, you could do:
> 
> tcpdump -i fxp0 arp
> 
> (assuming of course that your network interface is on fxp0)
> and let it run for a bit.  Eventually you'll catch all the active hosts on 
> the network.
> 
> -Glenn
> 
> 
> >Vince
> >
> >>
> >>>-Glenn
> >>>
> >>>
> >>>>Thanks, Fabian

Try putting this in a file called map.pl, and execute 'perl map.pl >
map.txt'.  It'd be better if it were multi-threaded for speed and could
parse a subnet mask, but this is a start.  Be sure to edit the path to
arping if need be, change the 'wi0' in the ARPING_ARGS to whatever your
interface is, and set the subnet you want to search.  Good luck.

#!/usr/bin/perl -w
use strict;
$|=1;                           # unbuffered output, so hosts print as they are found

my $ARPING = '/usr/local/sbin/arping';   # path to arping; adjust for your system
my $ARPING_ARGS = '-i wi0 -c 1 -r';      # interface, one request, raw (MAC-only) output
my $BASEIP = '192.168.1';                # first three octets of the /24 to scan

print "Scanning...\n";
my $i;
# Walk every host address .1 through .255 in the /24.  arping prints the
# replying MAC (because of -r) and nothing at all on no reply, so a
# non-empty backtick result means a host answered the ARP request.
for( $i=1; $i < 256; $i++ ){
        if( `$ARPING $ARPING_ARGS $BASEIP\.$i` ){
                print "$BASEIP.$i\n";
        }
}
print "Done.\n";

-- 
Christopher Black
Chief Security Engineer
Secure Crossing
22750 Woodward Suite 304 - Ferndale, MI 48220
Tel (800) 761-4299 | Direct (248) 658-6120
cblack at securecrossing.com | www.securecrossing.com
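Picking up the two improvements Christopher mentions (parallel probing and a real subnet mask) together with Vince's idea of reading answers back out of the ARP cache, here is an added example in Python; it is my code, not anything posted in the thread.  The arping path, its flags and the 'wi0' interface are assumptions carried over from the script above, and the `arp -a` sample lines are constructed to look like FreeBSD and Linux output.

```python
#!/usr/bin/env python3
"""CIDR-aware ARP host inventory: probe a subnet in parallel with arping,
then harvest the answering hosts from the local ARP cache."""
import ipaddress
import re
import subprocess
from concurrent.futures import ThreadPoolExecutor

ARPING = "/usr/local/sbin/arping"   # assumed path, as in the Perl script
IFACE = "wi0"                       # assumed interface; change to yours

# Matches both FreeBSD and Linux `arp -a` lines: "... (10.0.0.1) at 00:11:22:33:44:55 ..."
ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})")

# Constructed sample of `arp -a` output (one FreeBSD-style line, one Linux-style
# line, one incomplete entry, one address outside the scanned subnet).
SAMPLE_ARP = """\
gateway (192.168.1.1) at 00:11:22:33:44:55 on wi0 expires in 1189 seconds [ethernet]
? (192.168.1.20) at AA:BB:CC:DD:EE:FF [ether] on eth0
? (192.168.1.77) at (incomplete) on wi0 expired [ethernet]
? (10.0.0.5) at 00:11:22:33:44:66 on wi0 permanent [ethernet]
"""

def host_addresses(cidr):
    """Usable host addresses of a subnet, e.g. '192.168.1.0/24' -> 254 of them."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]

def parse_arp_table(text, cidr):
    """Return {ip: mac} for cache entries inside the subnet; incomplete ones are skipped."""
    net = ipaddress.ip_network(cidr, strict=False)
    found = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m and ipaddress.ip_address(m.group(1)) in net:
            found[m.group(1)] = m.group(2).lower()
    return found

def probe(ip):
    """Send one ARP request; the reply lands in the ARP cache, which we read later."""
    subprocess.run([ARPING, "-i", IFACE, "-c", "1", ip],
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

def arp_scan(cidr, workers=32):
    """Probe every host in the subnet in parallel, then parse `arp -a`."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        list(pool.map(probe, host_addresses(cidr)))
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    return parse_arp_table(out, cidr)

if __name__ == "__main__":
    for ip, mac in sorted(arp_scan("192.168.1.0/24").items(),
                          key=lambda kv: ipaddress.ip_address(kv[0])):
        print(ip, mac)
```

Run it as root on the machine attached to the subnet, since arping needs raw socket access and the ARP cache it reads is that machine's own.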