Skip to content


Repository files navigation

arpsweep README
The arpsweep utility is a reimplementation of arping which supports multiple
targets in a single command-line invocation.  It can also be used as an ARP
network scanner.

Quick tips:

REQUIRED:  libnet-1.1.X and libpcap
INSTALL:  ./configure && make
USE: arpsweep -i eth1

arpsweep Q&A

Q: What is ARP?
A: Address Resolution Protocol.  Are you sure you are in the right place?

Q: What does an ARP request and reply look like.
A: Included in this distribution are a sample pcap file (arp-example.pcap
   and a shell script which prints out that very same data.  This will
   show an ARP request and an ARP reply.  See also README.arpframes.

Q: Why do I need this utility?
A: If you are asking this question, you probably don't.

Q: How do I install the program?
A: Like most other software (./configure && make), for details see INSTALL.

Q: What's an example of how to run the program?
A: arpsweep -i eth0

Q: How else can I run it?
A: See the manpage.  (If arpsweep is not yet installed, you should be
   able to view the manpage by running this command: "man ./arpsweep.8".)

Q: How fast is arpsweep?
A: Fairly fast in --aggressive mode, although it wasn't designed to be
   speedy.  On a low-end workstation-class machine, compare the
   following stats with a varying inflight packet count (--pending) and
   the resulting duration of scan (according to "time").  Each run used
   the default count (--count) of packets, 3.  (Stats taken with

     address range (count)    inflight  arpsweep run time
     -----------------------  --------  -------------------------
     class C, /24 (256 ** 1)      100      2.08 seconds 
     class C, /24 (256 ** 1)     1000      0.77 seconds 

     class B, /16 (256 ** 2)     1000     49.5  seconds 
     class B, /16 (256 ** 2)    10000      5.5  seconds

     class A,  /8 (256 ** 3)    10000   2052.   seconds (~35 min)
     class A,  /8 (256 ** 3)   100000   2086.   seconds (~35 min)

   Performance is surprisingly good, although memory consumption is fairly
   high (~900M resident) when scanning an entire class A network.

Q: When I run arpsweep in aggressive mode, some hosts don't reply!
   (Really, you could at least have phrased that as a question.)
A: Not all IP stacks are equally robust.  I have encountered stacks on 
   embedded devices which can't handle the flood of broadcast ARP requests
   and either refuse to reply or are unable to reply.  Although
   aggressive mode can allow you to scan networks fairly quickly, you
   are trading the speed of the scan against the granularity of recorded
   round trip time and the possibility that some hosts may not respond.


arpsweep: an ARP scanner







No releases published


No packages published