arp-scan
root@bt :~# arp-scan
Interface: eth0, datalink type: EN10MB (Ethernet)
Usage: arp-scan [options] [hosts...]
Target hosts must be specified on the command line unless the --file option is
given, in which case the targets are read from the specified file instead, or
the --localnet option is used, in which case the targets are generated from
the network interface IP address and netmask.
The target hosts can be specified as IP addresses or hostnames. You can also
specify the target as IPnetwork/bits (e.g. 192.168.1.0/24) to specify all hosts
in the given network (network and broadcast addresses included), or
IPstart-IPend (e.g. 192.168.1.3-192.168.1.27) to specify all hosts in the
inclusive range.
These different options for specifying target hosts may be used both on the
command line, and also in the file specified with the --file option.
Options:
--help or -h Display this usage message and exit.
--file=<fn> or -f <fn> Read hostnames or addresses from the specified file
instead of from the command line. One name or IP
address per line. Use "-" for standard input.
--localnet or -l Generate addresses from network interface configuration
Use the network interface IP address and network mask
to generate the list of target host addresses.
The list will include the network and broadcast
addresses, so an interface address of 10.0.0.1 with
netmask 255.255.255.0 would generate 256 target
hosts from 10.0.0.0 to 10.0.0.255 inclusive.
If you use this option, you cannot specify the --file
option or specify any target hosts on the command line.
The interface specifications are taken from the
interface that arp-scan will use, which can be
changed with the --interface option.
--retry=<n> or -r <n> Set total number of attempts per host to <n>,
default=2.
--timeout=<n> or -t <n> Set initial per host timeout to <n> ms, default=100.
This timeout is for the first packet sent to each host.
subsequent timeouts are multiplied by the backoff
factor which is set with --backoff.
--interval=<n> or -i <n> Set minimum packet interval to <n> ms.
This controls the outgoing bandwidth usage by limiting
the rate at which packets can be sent. The packet
interval will be no smaller than this number.
If you want to use up to a given bandwidth, then it is
easier to use the --bandwidth option instead.
The interval specified is in milliseconds by default,
or in microseconds if "u" is appended to the value.
--bandwidth=<n> or -B <n> Set desired outbound bandwidth to <n>, default=256000.
The value is in bits per second by default. If you
append "K" to the value, then the units are kilobits
per sec; and if you append "M" to the value, the
units are megabits per second.
The "K" and "M" suffixes represent the decimal, not
binary, multiples. So 64K is 64000, not 65536.
You cannot specify both --interval and --bandwidth
because they are just different ways to change the
same parameter.
--backoff=<b> or -b <b> Set timeout backoff factor to <b>, default=1.50.
The per-host timeout is multiplied by this factor
after each timeout. So, if the number of retrys
is 3, the initial per-host timeout is 500ms and the
backoff factor is 1.5, then the first timeout will be
500ms, the second 750ms and the third 1125ms.
--verbose or -v Display verbose progress messages.
Use more than once for greater effect:
1 - Show when hosts are removed from the list and
other useful information.
2 - Show each packet sent and received.
3 - Display the host list before scanning starts.
--version or -V Display program version and exit.
--random or -R Randomise the host list.
This option randomises the order of the hosts in the
host list, so the ARP packets are sent to the hosts in
a random order. It uses the Knuth shuffle algorithm.
--numeric or -N IP addresses only, no hostnames.
With this option, all hosts must be specified as
IP addresses. Hostnames are not permitted.
--snap=<s> or -n <s> Set the pcap snap length to <s>. Default=64.
This specifies the frame capture length. This
length includes the data-link header.
The default is normally sufficient.
--interface=<i> or -I <i> Use network interface <i>.
If this option is not specified, the default is the
value of the RMIF environment variable. If RMIF is
not defined, then arp-scan will search the system
interface list for the lowest numbered, configured
up interface (excluding loopback).
The interface specified must support ARP.
--quiet or -q Only display minimal output.
If this option is specified, then only the minimum
information is displayed. With this option, the
OUI file is not used.
--ignoredups or -g Don't display duplicate packets.
By default, duplicate packets are displayed and are
flagged with "(DUP: n)".
--ouifile=<o> or -O <o> Use OUI file <o>, default=/usr/share/arp-scan/ieee-oui.txt
This file provides the IEEE Ethernet OUI to vendor
string mapping.
--iabfile=<i> or -F <i> Use IAB file <i>, default=/usr/share/arp-scan/ieee-iab.txt
This file provides the IEEE Ethernet IAB to vendor
string mapping.
--macfile=<m> or -m <m> Use MAC/Vendor file <m>, default=/usr/share/arp-scan/mac-vendor.txt
This file provides the custom Ethernet MAC to vendor
string mapping.
--srcaddr=<m> or -S <m> Set the source Ethernet MAC address to <m>.
This sets the 48-bit hardware address in the Ethernet
frame header for outgoing ARP packets. It does not
change the hardware address in the ARP packet, see
--arpsha for details on how to change that address.
The default is the Ethernet address of the outgoing
interface.
--destaddr=<m> or -T <m> Send the packets to Ethernet MAC address <m>
This sets the 48-bit destination address in the
Ethernet frame header.
The default is the broadcast address ff:ff:ff:ff:ff:ff.
Most operating systems will also respond if the ARP
request is sent to their MAC address, or to a
multicast address that they are listening on.
The address can be specified either in the format
01:23:45:67:89:ab, or as 01-23-45-67-89-ab. The
alphabetic hex characters may be upper or lower case.
--arpsha=<m> or -u <m> Use <m> as the ARP source Ethernet address
This sets the 48-bit ar$sha field in the ARP packet
It does not change the hardware address in the frame
header, see --srcaddr for details on how to change
that address.
The default is the Ethernet address of the outgoing
interface.
--arptha=<m> or -w <m> Use <m> as the ARP target Ethernet address
This sets the 48-bit ar$tha field in the ARP packet
The default is zero, because this field is not used
for ARP request packets.
--prototype=<p> or -y <p> Set the Ethernet protocol type to <p>, default=0x0806.
This sets the 16-bit protocol type field in the
Ethernet frame header.
Setting this to a non-default value will result in the
packet being ignored by the target, or send to the
wrong protocol stack.
This option is probably not useful, and is only
present for completeness.
--arphrd=<o> or -H <o> Use <o> for the ARP hardware type, default=1.
This sets the 16-bit ar$hrd field in the ARP packet.
The normal value is 1 (ARPHRD_ETHER). Most, but not
all, operating systems will also respond to 6
(ARPHRD_IEEE802). A few systems respond to any value.
--arppro=<o> or -p <o> Use <o> for the ARP protocol type, default=0x0800.
This sets the 16-bit ar$pro field in the ARP packet.
Most operating systems only respond to 0x0800 (IPv4)
but some will respond to other values as well.
--arphln=<l> or -a <l> Set the hardware address length to <l>, default=6.
This sets the 8-bit ar$hln field in the ARP packet.
It sets the claimed length of the hardware address
in the ARP packet. Setting it to any value other than
the default will make the packet non RFC compliant.
Some operating systems may still respond to it though.
Note that the actual lengths of the ar$sha and ar$tha
fields in the ARP packet are not changed by this
option; it only changes the ar$hln field.
--arppln=<l> or -P <l> Set the protocol address length to <l>, default=4.
This sets the 8-bit ar$pln field in the ARP packet.
It sets the claimed length of the protocol address
in the ARP packet. Setting it to any value other than
the default will make the packet non RFC compliant.
Some operating systems may still respond to it though.
Note that the actual lengths of the ar$spa and ar$tpa
fields in the ARP packet are not changed by this
option; it only changes the ar$pln field.
--arpop=<o> or -o <o> Use <o> for the ARP operation, default=1.
This sets the 16-bit ar$op field in the ARP packet.
Most operating systems will only respond to the value 1
(ARPOP_REQUEST). However, some systems will respond
to other values as well.
--arpspa=<s> or -s <s> Use <s> as the source IP address.
The address should be specified in dotted quad format;
or the string "dest", which sets the source address
to be the same as the target host address.
This sets the 32-bit ar$spa field in the ARP packet.
Some operating systems check this, and will only
respond if the source address is within the network
of the receiving interface. Others don't care, and
will respond to any source address.
By default, the outgoing interface address is used.
--padding=<p> or -A <p> Specify padding after packet data.
Set the padding data to hex value <p>. This data is
appended to the end of the ARP packet, after the data.
Most, if not all, operating systems will ignore any
Padding. The default is no padding, although the
Ethernet driver on the sending system may pad the
packet to the minimum Ethernet frame length.
Report bugs or send suggestions to [email protected]
See the arp-scan homepage at http://www.nta-monitor.com/tools/arp-scan/
root@bt :~# arp-scan 59.69.117.1/24
Interface: eth0, datalink type: EN10MB (Ethernet)
WARNING: host part of xx.xx.117.1/24 is non-zero
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
xx.xx.117.1 00:1a:a9:15:2a:5a FUJIAN STAR-NET COMMUNICATION CO.,LTD
xx.xx.117.4 f0:de:f1:bf:b0:04 (Unknown)
……………………
是个利用 arp 协议扫描 lan 里机器的工具。