Releases: royhills/arp-scan
1.10.0
arp-scan 1.10.0 release notes
Introduction
arp-scan 1.10.0 is a major release that should be fully backwards compatible with arp-scan release 1.9 and 1.9.* git tags.
Thanks to everyone who reported bugs, suggested new features, and sent pull requests over the years. The github community has been the source of the new features and bugfixes in the 1.9.* tagged versions and this 1.10.0 release. So thanks to everyone who created issues and opened pull requests.
This release has been well tested, but some bugs will inevitably remain. If you manage to find a bug, please open a github issue.
If you don't have the autotools (autoconf and automake) installed, please download the arp-scan-1.10.0.tar.gz tarball. This contains a ./configure file and the auxiliary files that would normally need autoreconf --install to generate.
Supported Systems
arp-scan version 1.10.0 has been tested on:
- Linux: Tested on debian, ubuntu, alpine. Should work on any Linux distro with any architecture.
- BSD: Tested on FreeBSD, NetBSD, OpenBSD, DragonflyBSD, macOS. Should work on any BSD based system.
- Solaris: Solaris 10. Should work on any DLPI system in theory, but these are rare beasts now.
Please open a github issue if you would like arp-scan to support an operating system that is not listed.
Things to Note for version 1.10.0
- MAC/Vendor mapping file changes
  - ieee-oui.txt now holds data for all IEEE registries: MA-L (OUI), MA-M, MA-S (OUI36) and IAB.
  - The get-oui script now obtains data from all the IEEE registries and concatenates them to form ieee-oui.txt. It can easily be edited to use data from the Debian ieee-data package if you are on a Debian based system. This script now requires the Perl module Text::CSV. Sorry for adding another dependency.
  - The get-iab script has been removed (replaced with a stub script that prints a message saying it's deprecated, which maintainers may want to omit from their packages) and the --iabfile option has been removed from arp-scan.
  - mac-vendor.txt file now allows regular MAC addresses e.g. 00:0c:29:b9:43:1b, and is installed to $(sysconfdir)/$(PACKAGE) e.g. /usr/local/etc/arp-scan. Package maintainers should allow user changes to this file to be preserved on upgrade if that's possible with the distro - upstream changes should be very infrequent in the future.
- arp-scan is POSIX.1e capabilities aware on Linux with libcap
  - arp-scan will build with capabilities support if libcap header and library are installed (e.g. libcap-dev on Debian).
  - configure option --with-libcap, defaults to auto.
  - If built with capabilities support the executable will depend on the libcap shared library (e.g. libcap.so.2).
  - arp-scan --version will report "Built with libcap POSIX.1e capability support" if support is included.
  - make install will install setcap cap_net_raw+p if the setcap command is available (e.g. libcap2-bin on Debian) and works, otherwise it will fall back to SUID. If you want to change this behaviour, comment out or edit the install-exec-hook in Makefile.am.
  - See NEWS.md file for more details of POSIX.1e capabilities support.
- Lots of new features, bugs squashed and corner cases fixed - See NEWS.md for details
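Because make install silently falls back to SUID when setcap is unavailable, it is worth checking which mechanism an installed binary actually received. The script below is an added example, not part of arp-scan or its release notes; the function names classify and priv_model and the path in the usage comment are assumptions, and it relies on the getcap command that ships alongside setcap.

```shell
#!/bin/sh
# Added example (not from the arp-scan project): report which privilege
# mechanism an installed binary ended up with after "make install".

# classify SUID_SET GETCAP_TEXT -> capability | suid | capability+suid | none
classify() {
    case $2 in
        *cap_net_raw*) cap=yes ;;
        *)             cap=no ;;
    esac
    case "$1:$cap" in
        no:yes)  echo capability ;;       # file capability only
        yes:no)  echo suid ;;             # SUID fallback was used
        yes:yes) echo capability+suid ;;  # both present: SUID bit is redundant
        *)       echo none ;;             # no file-level privilege; needs root at run time
    esac
}

# priv_model PATH -> prints the classification, or "missing" (status 1)
priv_model() {
    bin=$1
    [ -e "$bin" ] || { echo missing; return 1; }
    suid=no
    if [ -u "$bin" ]; then suid=yes; fi
    caps=
    if command -v getcap >/dev/null 2>&1; then
        # getcap prints "PATH cap_net_raw=p" (older libcap: "PATH = cap_net_raw+p")
        caps=$(getcap "$bin" 2>/dev/null) || caps=
        caps=${caps#"$bin"}   # drop the path so only the capability text is matched
    fi
    classify "$suid" "$caps"
}

# Usage: sh check-priv.sh /usr/local/bin/arp-scan   (path is an assumption)
[ $# -eq 0 ] || priv_model "$1"
```

A result of suid or capability+suid on a host where libcap2-bin is installed suggests the binary was packaged or installed before setcap was available and can be reinstalled.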
Main Changes since arp-scan 1.9
This section lists the main changes between arp-scan version 1.9 and 1.10.0. More details are available in the NEWS.md and ChangeLog files.
2022-12-10 arp-scan 1.10.0 (git tag 1.10.0)
- New Features
  - POSIX.1e capabilities support for Linux systems with libcap
  - New --format option allows flexible output format
  - ieee-oui.txt now holds data for all IEEE registries: MA-L (OUI), MA-M, MA-S (OUI36) and IAB.
- General improvements
  - Reformatted and updated man pages and --help output.
2022-10-08 arp-scan 1.9.8 (git tag 1.9.8)
- New Features:
  - Allow the use of Linux IP aliases such as eth0:0 for the interface name.
  - Permit regular MAC addresses e.g. 00:0c:29:b9:43:1b in mac-vendor.txt.
  - --limit=n option exits after n hosts have responded, exit 1 for <n
  - --resolve option to resolve responding IP addresses to hostnames
- Fixed bugs:
  - Potential buffer overrun in unmarshal_arp_pkt().
  - arp-scan aborts with EAGAIN on busy network or using high bandwidth
  - late ARP responses could sometimes be incorrectly flagged as duplicate
- General improvements:
  - Updated IEEE URLs in download perl scripts.
  - Updated source for Mersenne RNG and replacement strlcat/strlcpy & getopt.
  - Updated for compatibility with autoconf 2.71
  - make distcheck works now
  - Number of responding hosts reported no longer counts duplicate packets.
  - Several edge cases fixed.
- Misc Changes:
  - CI framework migrated from travis-ci to github actions.
  - Several new tests for make check
2019-11-10 arp-scan 1.9.7
- Improved error messages from libpcap functions.
- Remove obsolescent and unused autoconf macros. Assume the C compiler is ANSI C (C89) compliant.
2019-10-13 arp-scan 1.9.6
- Use libpcap function pcap_set_immediate_mode() instead of ioctl calls to ensure packets are delivered immediately.
- Fix compiler warnings caused by the deprecated function pcap_lookupdev() in libpcap 1.9.0 and later.
2016-09-03 arp-scan 1.9.5
- Use POSIX hash table functions hcreate(), hsearch() and hdestroy() instead of the gas hash table code. Thanks to nihilus for the suggestion.
- Remove function replacement for inet_aton(), as this was only required for Solaris 8, which is now considered obsolete.
- Added -l option to arp-fingerprint to support fingerprinting all hosts on the local network. Thanks to Rhig for the pull request.
- Use the source_mac rather than interface_mac in the pcap filter, to permit reception of packets with spoofed MAC source address. Thanks to tissieres for the pull request.
- Use the libpcap 1.0 API functions pcap_create() instead of pcap_open_live().
2013-11-24 arp-scan 1.9.2
- Added new --plain (-x) option to suppress printing of header and footer text, and only display one output line for each responding host. Idea from Stefan Tomanek's arp-scan fork on github at https://github.com/wertarbyte/arp-scan.
- Use LWP::UserAgent instead of LWP::Simple in get-oui and get-iab to enable the raw content to be obtained, which avoids Unicode/UTF-8 issues.
- Moved arp-scan development from internal SVN repository to github at https://github.com/royhills/arp-scan.
arp-scan 1.9
- Updated IEEE OUI and IAB MAC/Vendor files. There are now 18157 OUI entries and 4414 IAB entries.
- Use autoconf 2.69 and automake 1.11 to add support for ARM 64-bit CPUs.
- Use libpcap functions to obtain the interface IP address and send the ARP packet, instead of using our own link-layer specific functions. The only link-layer specific function that we still need is get_hardware_address() to obtain the interface MAC address. This means we now require libpcap 0.9.3 or later.
- Added support for Dragonfly BSD.
- The -u option to get-iab and get-oui scripts now works.
- get-oui and get-iab scripts now get the OUI and IAB files from the new locations on the IEEE website, and allow whitespace at the beginning of the line.
- If the MAC/Vendor file locations are not explicitly specified, look for them in the current directory and then in their default location.
- Raised default timeout from 100ms to 500ms.
- Added new --rtt (-D) option to display the packet round-trip time.
- Include <net/bpf.h> header file early in link-bpf.c to avoid BPF symbol problems on some BSD based operating systems.
- Added arp-fingerprint patterns for GNU/Hurd, Amazon Kindle (Linux 2.6), BeOS, Windows 8, Recent Linux, FreeBSD, NetBSD and OpenBSD versions, and RiscOS.
- Added data file "pkt-custom-request-vlan-llc.dat" to the tarball to allow the ARP request packet generation self test to complete successfully.
- Various minor bug fixes and improvements.
arp-scan 1.8
- Updated IEEE OUI and IAB MAC/Vendor files. There are now 14707 OUI entries and 3542 IAB entries.
- Added support for trailer ARP replies, which were used in early versions of BSD Unix on VAX.
- Added support for ARP packets with both 802.1Q VLAN tag and LLC/SNAP framing.
- The full help output is only displayed if specifically requested with arp-scan --help. Usage errors now result in smaller help output.
- Added support for Apple Mac OS X with Xcode 2.5 and later. This allows arp-scan to build on Tiger, Leopard and Snow Leopard.
- Changed license from GPLv2 to GPLv3.
- Added warning about possible DoS when setting ar$spa to the destination IP address to the help output and man page.
- Added arp-fingerprint patterns for 2.11BSD, NetBSD 4.0, FreeBSD 7.0, Vista SP1, Windows 7 and Blackberry OS.
- Enabled compiler security options -fstack-protect, -D_FORTIFY_SOURCE=2 and -Wformat-security if they are supported by the compiler. Also enabled extra warnings -Wwrite-strings and -Wextra.
- Added new "make check" tests to check packet generation, and packet decoding and display.
- Modified get-oui and get-iab perl scripts so they will work on systems where the perl interpreter is not in /usr/bin, e.g. NetBSD.
- Various minor bug fixes and improvements.
arp-scan 1.7
- New --pcapsavefile (-W) option to save the ARP response packets to a pcap savefile for later analysis with tcpdump, wireshark or another program that supports the pcap file format.
- New --vlan (-Q) option to create outgoing ARP packets with an 802.1Q VLAN tag. ARP responses with a VLAN tag are interpreted and displayed.
- New --llc (-L) option to create outgoing ARP packets with RFC 1042 LLC/SNAP framing. Received ARP packets are decoded and displayed with either LLC/SNAP or the default Ethernet-II framing irrespective of this option.
- Avoid double unmarshalling of packet data: once in callback, then again in display_packet().
- New arp-fingerprint patterns for ARP fingerprinting: Cisco 79xx IP Phone SIP 5.x, 6.x and 7.x; Cisco 79xx IP Phone SIP 8.x.
- Updated IEEE OUI and IAB MAC/Vendor files. There are now 11,697 OUI entries and 2,386 IAB entries.
arp-scan 1.6
- arp-scan wiki at http://www.nta-monitor.com/wiki/ This contains detailed documentation on arp-scan, and is intended to be the primary documentation resource.
- Added support for Sun Solaris. Tested on Solaris 9 (SPARC). arp-scan may also work on other systems that use DLPI, but only Solaris has been tested.
- New arp-fingerprint patterns for ARP fingerprinting: IOS 11.2, 11.3 and 12.4; ScreenOS 5.1, 5.2, 5.3 and 5.4; Cisco VPN Concentrator 4.7; AIX 4.3 and 5.3; Nortel Contivity 6.00 and 6.05; Cisco PIX 5.1, 5.2, 5.3, 6.0, 6.1, 6.2, 6.3 and 7.0.
- Updated IEEE OUI and IAB MAC/Vendor files. There are now 10,214 OUI entries and 1,858 IAB entries.
- Added HSRP MAC address to mac-vendor.txt.
arp-scan 1.5
- Reduced memory usage from 44 bytes per target to 28 bytes. This reduces the memory usage for a Class-B network from 2.75MB to 1.75MB, and a Class-A network from 704MB to 448MB.
- Reduced the startup time for large target ranges. This reduces the startup time for a Class-A network from 80 seconds to 15 seconds on a Compaq laptop with 1.4GHz CPU.
- Added support for FreeBSD, OpenBSD, NetBSD and MacOS X (Darwin). arp-scan will probably also work on other operating systems that implement BPF, but only those listed have been tested.
- Improved operation of the --srcaddr option. Now this will change the source hardware address in the Ethernet header without changing the interface address.
- Additional fingerprints for arp-fingerprint.
- Improved manual pages.
- Updated IEEE OUI and IAB files. There are now 9,426 OUI entries and 1,568 IAB entries.
arp-scan 1.4
- Added IEEE IAB listings and associated get-iab update script and --iabfile option.
- Added manual MAC/Vendor mapping file: mac-vendor.txt and associated --macfile option.
- New --localnet option to scan all IP addresses on the specified interface network and mask.