Using Arp On Your Network


Quick and Dirty Range Scan

xvalx's picture

I use these commands to perform a quick and dirty subnet scan (assuming it is a subnet of course).

# ARPINT is the interface to send from; ARPNET is the first three octets of the subnet
for i in $(seq 1 254); do arping -f -c 3 -I "$ARPINT" "$ARPNET.$i" 2>/dev/null & done | grep Unicast

I actually have this as a script where ARPINT and ARPNET are arguments.

How about when wireless AP has IP address in different subnet?

Terrell Prude' Jr.'s picture

Hi Shawn,

I like the premise of your video, and it does help out in a lot of cases. But there's another too-common case in which I'm not sure this'll be quite enough. Say you get a used wireless access point (eBay, a friend, whatever). This wireless AP has, we'll say, an IP address of But the network you're sticking it on is Will "arp -a" help then, or will that workstation just ignore it (not on 'reachable' subnet)?

Assuming we knew the MAC address (not always guaranteed with rogue devices), what we had to do was manually make a static ARP entry in the workstation, which would let us get to the wireless AP / print server / whatever. Then we could get to it and change the IP address to something in our actual subnet, deleting the static ARP entry afterwards. If this sounds like an ugly hack, that's because it is! :-)


Addendum to above post

Terrell Prude' Jr.'s picture

Forgot to mention one thing. You don't know what the IP address of that wireless AP is that you just got. Your buddy or the person you bought it from on eBay doesn't know, either ("umm, worked fine at *my* house, d00d").

Also, for completeness, I should specify that the static ARP entry in the second paragraph is for something on the subnet your network actually uses (in this example,


In windows (please don't

Davil's picture

In Windows (please don't flame me) you could just type ipconfig /all and check your DNS server or default gateway IP (again, only if actually using said access point as default gateway). Am I missing something here? I thought there would be a quick command in Linux to find what DNS server / gateway you're using? No? I really want to make the move to Linux but little things like this bug me... Please let me know if I'm just being dopey here.

How to do this in GNU/Linux or any other UNIX

Terrell Prude' Jr.'s picture

Two commands.

1.) "more /etc/resolv.conf"
2.) "netstat -rn"

The first tells you what your DNS servers are. The second tells you what your default next-hop ("gateway", in MS parlance) is.

As for trying out GNU/Linux, don't let "dopey" things like this stop you. You had to learn MS Windows and the ipconfig command, didn't you? :-) It's the same here, and it's not hard. It didn't take long before I was just doing stuff on Linux as instinctively as I did on DOS and Windows.

I would recommend Ubuntu for you. It's easy to use and popular, there's a large community of support for it, and there are plenty of folks who came from MS Windows. Finally, Ubuntu can run from the CD, so you can "try before you install."


Yes but

Shawn Powers's picture

The access point wasn't the router -- it was a stand alone access point. :)

Shawn Powers is a Linux Journal Associate Editor. You might find him on IRC, Twitter, or training IT pros at CBT Nuggets.

Have not you got the

Anonymous's picture

Have not you got the memo?

arp is obsolete in favor of `ip neigh`.
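
An added example (not part of the comment above or of the original page): reading the neighbour table that `ip neigh show` prints and reducing it to IP/MAC pairs, the way `arp -a` was used in the video. The sample table is constructed with documentation addresses; `neigh_pairs` and `ip_for_mac` are hypothetical helper names.

```sh
#!/bin/sh
# Added example: turn `ip neigh show` output into "IP MAC DEV STATE" rows.

# Constructed sample in the format iproute2 prints (documentation addresses).
SAMPLE_NEIGH='192.0.2.1 dev eth0 lladdr 02:00:00:aa:00:01 REACHABLE
192.0.2.20 dev eth0 lladdr 02:00:00:aa:00:14 STALE
192.0.2.33 dev eth0  FAILED
192.0.2.40 dev eth0 INCOMPLETE
fe80::1 dev eth0 lladdr 02:00:00:aa:00:01 router STALE'

# Read neighbour-table text on stdin and print one row per entry that has a
# resolved link-layer address. FAILED and INCOMPLETE entries carry no MAC,
# so they are skipped.
neigh_pairs() {
    awk '{
        mac = ""; dev = ""
        for (i = 2; i < NF; i++) {
            if ($i == "lladdr") mac = $(i + 1)
            if ($i == "dev")    dev = $(i + 1)
        }
        if (mac != "") print $1, mac, dev, $NF
    }'
}

# Print the address(es) cached for a known MAC (case-insensitive match).
ip_for_mac() {
    neigh_pairs | awk -v m="$1" 'tolower($2) == tolower(m) { print $1 }'
}

# Live use (needs iproute2):  ip neigh show | neigh_pairs
printf '%s\n' "$SAMPLE_NEIGH" | neigh_pairs
```

An entry only appears after the host has exchanged traffic with the device, so a host that never talked to the access point will not list it.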

I had not...

Shawn Powers's picture

Cool command! No, in fact, I didn't know about that.

"arp" is more fun to say though. hehhehehe


the problem I often

Geoff Campos's picture

The problem I often encounter is a network device on a different subnet. On devices like ADSL router/modems I get frustrated with instruction manuals referencing a Windows-only installation disc while hiding the static IP! Grrr! If a product ships with a static default IP address, it should be printed on the unit!

cool intro

happy subscriber's picture

That is a neat traveling intro on the lawn there, Shawn! These tech tips are fun, keep them coming :).

What about using arping?

Anonymous's picture

What about using arping?

The way in the video is not

Ornotermes's picture

The way in the video is not completely reliable; the router and the DHCP server don't have to be the same machine. Instead, check the log from dhcp-client.
On Ubuntu the log is stored in /var/lib/dhcp3/dhclient.leases and it looks like this (it stores the most recent information at the beginning of the file and is user readable):

lease {
  interface "eth0";
  option subnet-mask;
  option routers;
  option dhcp-lease-time 86400;
  option dhcp-message-type 5;
  option domain-name-servers;
  option dhcp-server-identifier;
  option dhcp-renewal-time 43200;
  option broadcast-address;
  option dhcp-rebinding-time 75600;
  option host-name "workstation1";
  renew 4 2009/06/25 07:15:59;
  rebind 4 2009/06/25 17:31:10;
  expire 4 2009/06/25 20:31:10;
}

If you want only the DHCP server's address you can use this command:
grep dhcp-server /var/lib/dhcp3/dhclient.leases | head -n1
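
An added example (not part of the comment above or of the original page): a small parser for the lease format shown, which reports the router and the DHCP server from the lease that expires last and says whether they are the same host. The sample leases are constructed with documentation addresses, and `sample_leases` and `latest_lease` are hypothetical names; the lease is chosen by its `expire` timestamp, not by its position in the file.

```sh
#!/bin/sh
# Added example: read dhclient.leases text and report, for the lease that
# expires last, which host is the router and which is the DHCP server.

# Constructed sample lease data (documentation addresses, not from the page).
sample_leases() {
cat <<'EOF'
lease {
  interface "eth0";
  option routers 192.0.2.1;
  option domain-name-servers 192.0.2.53;
  option dhcp-server-identifier 192.0.2.1;
  expire 3 2009/06/24 20:31:10;
}
lease {
  interface "eth0";
  option routers 192.0.2.1;
  option domain-name-servers 192.0.2.53;
  option dhcp-server-identifier 192.0.2.2;
  expire 4 2009/06/25 20:31:10;
}
EOF
}

# Print "interface router dhcp-server dns same|different" for the newest lease.
latest_lease() {
    awk '
        BEGIN { best = "" }
        { gsub(/[;",]/, "") }                    # drop ; quotes and list commas
        $1 == "lease"     { ifc = rt = srv = dns = expiry = "" }
        $1 == "interface" { ifc = $2 }
        $1 == "option" && $2 == "routers"                { rt  = $3 }
        $1 == "option" && $2 == "dhcp-server-identifier" { srv = $3 }
        $1 == "option" && $2 == "domain-name-servers"    { dns = $3 }
        $1 == "expire"    { expiry = $3 " " $4 } # YYYY/MM/DD HH:MM:SS sorts as text
        $1 == "}" && expiry > best {
            best = expiry
            out = ifc " " rt " " srv " " dns " " (rt == srv ? "same" : "different")
        }
        END { if (out != "") print out }
    '
}

# Live use on the path named above: latest_lease < /var/lib/dhcp3/dhclient.leases
sample_leases | latest_lease
```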


Shawn Powers's picture

The router and dhcp server are both separate from the access point I was trying to find. If the access point has an IP address, generally you can find reference to it in the arp cache. There are ALWAYS exceptions to the rule -- but dhcp wasn't an issue here at all. The access point had a statically assigned IP address, but I didn't know what that address was. :)



blak111's picture

This only works if you are using the wireless access point as your default gateway.
The network I'm on has a little over 90 access points and the only thing the arp table will show is the MAC <> IP binding for the router that serves them.

My experience...

Shawn Powers's picture

I actually experienced it differently. The access point in this slightly complex network was (which is what I was trying to discover), but the gateway for the network is In fact, it was when the gateway ended up not being the address I needed that I started joining different access points and looking at my arp table. Thankfully, whichever access point I was bonded to showed up in my arp table.

(It is possible if the access points are in some bridged mode setting that you couldn't get the right address -- but without bridging, this method should actually work)
