Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
72 lines (52 sloc) 2.72 KB
arpsweep README
The arpsweep utility is a reimplementation of arping which supports multiple
targets in a single command-line invocation. It can also be used as an ARP
network scanner.
Quick tips:
REQUIRED: libnet-1.1.X and libpcap
INSTALL: ./configure && make
USE: arpsweep -i eth1
arpsweep Q&A
Q: What is ARP?
A: Address Resolution Protocol. Are you sure you are in the right place?
Q: What does an ARP request and reply look like.
A: Included in this distribution are a sample pcap file (arp-example.pcap
and a shell script which prints out that very same data. This will
show an ARP request and an ARP reply. See also README.arpframes.
Q: Why do I need this utility?
A: If you are asking this question, you probably don't.
Q: How do I install the program?
A: Like most other software (./configure && make), for details see INSTALL.
Q: What's an example of how to run the program?
A: arpsweep -i eth0
Q: How else can I run it?
A: See the manpage. (If arpsweep is not yet installed, you should be
able to view the manpage by running this command: "man ./arpsweep.8".)
Q: How fast is arpsweep?
A: Fairly fast in --aggressive mode, although it wasn't designed to be
speedy. On a low-end workstation-class machine, compare the
following stats with a varying inflight packet count (--pending) and
the resulting duration of scan (according to "time"). Each run used
the default count (--count) of packets, 3. (Stats taken with
address range (count) inflight arpsweep run time
----------------------- -------- -------------------------
class C, /24 (256 ** 1) 100 2.08 seconds
class C, /24 (256 ** 1) 1000 0.77 seconds
class B, /16 (256 ** 2) 1000 49.5 seconds
class B, /16 (256 ** 2) 10000 5.5 seconds
class A, /8 (256 ** 3) 10000 2052. seconds (~35 min)
class A, /8 (256 ** 3) 100000 2086. seconds (~35 min)
Performance is surprisingly good, although memory consumption is fairly
high (~900M resident) when scanning an entire class A network.
Q: When I run arpsweep in aggressive mode, some hosts don't reply!
(Really, you could at least have phrased that as a question.)
A: Not all IP stacks are equally robust. I have encountered stacks on
embedded devices which can't handle the flood of broadcast ARP requests
and either refuse to reply or are unable to reply. Although
aggressive mode can allow you to scan networks fairly quickly, you
are trading the speed of the scan against the granularity of recorded
round trip time and the possibility that some hosts may not respond.