4

I am developing a system for detecting the actual state of the network. One part is to get all IPs and their respective MAC addresses. Right now I am using arping in DAD (Duplicate Address Discovery) mode. I send an arping for every possible IP in the ranges that we use. If the host is up, it responds and I get its MAC. If the host is down, arping times out. The DAD mode is great because I do not need to have a local IP address in every range we use. On the other hand, arping can process only one target, so it takes a long time waiting for the unused IPs to time out (in most ranges something like 90% of the addresses are unused).

I tried nmap; it has a nice arping mode that can check a whole /24 range in 2 seconds. Unfortunately, I was not able to find how to force it to use DAD mode, and it fails on ranges in which the local machine does not have an IP.

So my question is: is it possible to switch nmap into DAD mode, or is there any other tool that can send (and receive) DAD ARP pings in parallel? Other options would be to try to hack nmap to use DAD or to write my own tool (probably based on arping's code). Or I could run the arpings in parallel, but I am kind of afraid of spawning 1000 processes.

Nils Toedtmann
Radek Hladík
    4 years later, this question is still relevant. Looks like nmap still does not support ARP scan in DAD mode :( Or does it? – Nils Toedtmann Jul 27 '16 at 13:19

1 Answer

3

It seems that arp-scan (i.e. http://www.nta-monitor.com/wiki/index.php/Arp-scan_User_Guide ) is the exact tool that I want. I need to study it more deeply, but at first sight it seems it does exactly what I want...

Radek Hladík
  • This is the correct answer! I suggest you update it. Here is an example: `arp-scan --arpspa 0.0.0.0 --interface=eth2 192.168.0.0/16` – Nils Toedtmann Jul 27 '16 at 13:40
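For readers who want to see what such a probe looks like on the wire, the following added example (not part of the posts above and not arp-scan's code) builds an ARP request with sender IP 0.0.0.0, parses replies, and sends all probes on one raw socket before collecting answers, so unused addresses do not serialize the timeouts. The function names are hypothetical, and `scan` assumes Linux (`AF_PACKET`) and root privileges.

```python
import socket
import struct
import time

ETH_P_ARP = 0x0806
ARP_HDR = struct.Struct("!HHBBH")  # htype, ptype, hlen, plen, opcode

def build_dad_probe(src_mac: bytes, target_ip: str) -> bytes:
    """Broadcast ARP request whose sender IP is 0.0.0.0 (what --arpspa 0.0.0.0 sets)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, op 1 = request
    arp += src_mac + socket.inet_aton("0.0.0.0")  # sender MAC, sender IP
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)  # target MAC unknown, target IP
    return eth + arp

def parse_arp_reply(frame: bytes):
    """Return (sender_ip, sender_mac) for a well-formed ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if ARP_HDR.unpack(frame[14:22]) != (1, 0x0800, 6, 4, 2):  # op 2 = reply
        return None
    return socket.inet_ntoa(frame[28:32]), frame[22:28].hex(":")

def collect(frames, targets):
    """Map each probed IP to the set of MACs that answered; two MACs mean a conflict."""
    seen = {}
    for frame in frames:
        hit = parse_arp_reply(frame)
        if hit and hit[0] in targets:
            seen.setdefault(hit[0], set()).add(hit[1])
    return seen

def scan(iface, targets, wait=2.0):
    """Send all probes, then read replies until `wait` expires (Linux, needs root)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, 0))
    src_mac = s.getsockname()[4]
    for ip in targets:
        s.send(build_dad_probe(src_mac, ip))
    frames, deadline = [], time.monotonic() + wait
    while (left := deadline - time.monotonic()) > 0:
        s.settimeout(left)
        try:
            frames.append(s.recv(2048))
        except socket.timeout:
            break
    s.close()
    return collect(frames, set(targets))
```

`collect` returns a set of MACs per IP, so an address answered by more than one MAC shows up as a conflict in the inventory rather than being silently overwritten.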