Nmap Host Discovery using ARP
ARP scan is possible only if you are on the same subnet as the target systems.
On an Ethernet (802.3) and WiFi (802.11), you need to know the MAC address of any system before you can communicate with it.
The MAC address is necessary for the link-layer header; the header contains the source MAC address and the destination MAC address among other fields.
To get the MAC address, the OS sends an ARP query. A host that replies to ARP queries is up. You should expect to see many ARP queries generated during a Nmap scan of a local network.
If you want Nmap only to perform an ARP scan without port-scanning, you can use nmap -PR -sn TARGETS, where -PR indicates that you only want an ARP scan.
The following example shows Nmap using ARP for host discovery without any port scanning to discover all the live systems on the same subnet as our target machine.
| |
Nmap sends ARP requests to all the target computers, and those online should send an ARP reply back.
If we look at the packets generated using a tool such as tcpdump or Wireshark, we will see network traffic similar to this:
Wireshark displays:
- the source MAC address
- destination MAC address
- the broadcast address, as we don’t know the MAC address of the target yet
- we can see the IP address though
- the broadcast address, as we don’t know the MAC address of the target yet
- protocol
- query related to each ARP request.
We can see that we are requesting the MAC addresses of all the IP addresses on the subnet, starting with 10.10.210.1. The host with the IP address we are asking about will send an ARP reply with its MAC address, and that’s how we will know that it is online.