Nping and Nmap arp scan

Chưa phân loại

Introduction to Nmap ARP scan

ARP (Address Resolution Protocol) is a low level protocol working at Link layer level of the Internet Model or Internet protocol suite which was explained at the Nmap Basics introduction. There are other 3 upper layers: the Internet layer, the Transport layer and the Application layer.

Note: some experts describe the Internet Model with 5 layers including the physical layer while other experts claim the Physical Layer doesn’t belong to the Internet Model, this Physical Layer is irrelevant to us for Nmap.

The Link Layer is a protocol used in IPv4 local networks to discover online hosts, it can’t isn’t used on the internet and is limited to local devices, it is either used in IPv6 networks  in which the NDP (Neighbor Discovery) protocol replaces the ARP Protocol.

When using Nmap on a local network ARP protocol is applied by default for being faster and more reliable according to the official data , you can use the flag –send-ip to force Nmap to use the Internet Protocol within a local network, you can prevent Nmap from sending ARP ping by using the option –disable-arp-ping too.

Nping ARP scan types

Former Nmap versions came with a variety of options to carry out ARP scans, currently Nmap doesn’t support these flags which are now usable through the tool Nping included in Nmap, if you have Nmap installed you already have this tool.

Nping allows to generate packet under many protocols, as it official website describes it can also be used for ARP poisoning, Denial of Service and more. Its website lists the following features:

  • Custom TCP, UDP, ICMP and ARP packet generation.
  • Support for multiple target host specification.
  • Support for multiple target port specification.
  • Unprivileged modes for non-root users.
  • Echo mode for advanced troubleshooting and discovery.
  • Support for Ethernet frame generation.
  • Support for IPv6 (currently experimental).
  • Runs on Linux, Mac OS and MS Windows.
  • Route tracing capabilities.
  • Highly customizable.
  • Free and open-source.


Relevant protocols for this tutorial:

ARP: a regular ARP packet request looks for the MAC address using the device’s IP address. (

RARP:  a RARP (Reverse ARP) request resolves the IP address by using the MAC address, this protocol is obsolete. (

DRARP: a DRARP (Dynamic RARP) protocol, or protocol extension developed to assign dynamic IP address based on the physical address of a device, it can be used to obtain the IP address too. (

InARP: an InARP (Inverse ARP) request resolves the DLCI (Data Link Connection Identifier) address which is similar to a MAC address. (

Basic examples of ARP, DRARP and InARP packets:

The following example sends an ARP request to learn the router MAC address:

nping –arp-type ARP

As you can see the –arp-type ARP flag returned the target’s MAC address 00:00:CA:11:22:33

The following example will print information on the protocol, physical and IP addresses of interacting devices:

nping –arp-type InARP

HTYPE: Hardware Type.
PTYPE: Protocol Type.
HLEN: Hardware Address Length. (6 bits for MAC address)
PLEN: Protocol Address Length. (4 bits for IPv4)
SIP: Source IP Address.
SMAC: Source Mac Address.
DMAC: Destination Mac Address.
DIP: Destination IP Address.

The following example returns the same output:

nping –arp-type DRARP

Nmap ARP discovery

The following example using nmap is an ARP ping scan omitting  against all possibilities of the last octet, by using the wildcard (*), you can also set ranges separated by hyphens.

nmap -sP -PR 192.168.0.*

-sP: Ping scans the network, listing machines that respond to ping.
-PR: ARP discovery

The following example is an ARP scan against all possibilities of the last octet including port scan.

nmap -PR 192.168.0.*

The following example shows an ARP scan against all possibilities of the last octet

nmap -sn -PR 192.168.0.*

The following scan forces and ip scan over an arp scan, again the last octet using the wildcard.

nmap -sn –send-ip 192.168.0.*

As you can see while the scan made before took 6 seconds it took 23.

A similar output and timing happen if you disable the ARP protocol by adding the –disable-arp-ping flag:

nmap -sn –disable-arp-ping 192.168.0.*


Nmap and Nping ARP scans are ok to discover hosts, while according to the official documentation the programs may be useful for DoS, ARP Poisoning and other attack techniques my tests didn’t work, there are better tools focused on the ARP protocol like ARP spoofing, Ettercap,or arp-scan which deserve more attention regarding this aspect. Yet when using Nmap or Nping, the ARP protocol adds the scan process the trustability of tagging packets as local network traffic for which routers or firewalls show more patience than for external traffic, of course this won’t help if you flood the network with packets. ARP modes and types are not longer useful under Nmap but all documentation is still useful if applied to Nping.

I hope you found this introduction to Nmap and Nping ARP scan useful. Keep following LinuxHint for more tips and updates on Linux and networking.

Sandclock IDC thành lập vào năm 2012, là công ty chuyên nghiệp tại Việt Nam trong lĩnh vực cung cấp dịch vụ Hosting, VPS, máy chủ vật lý, dịch vụ Firewall Anti DDoS, SSL… Với 10 năm xây dựng và phát triển, ứng dụng nhiều công nghệ hiện đại, Sandclock IDC đã giúp hàng ngàn khách hàng tin tưởng lựa chọn, mang lại sự ổn định tuyệt đối cho website của khách hàng để thúc đẩy việc kinh doanh đạt được hiệu quả và thành công.
Bài viết liên quan

How to Install TeamViewer on Ubuntu

Many software applications are available to access computers remotely on Linux operating system. TeamViewer is one of the...

Install VirtualBox on Arch Linux

Oracle’s free Virtualization solution, VirtualBox is a very popular Virtualization platform. People all over the world...

vsftpd – How to chroot FTP Users to Their Home Directories

chroot is a very important security feature of FTP servers. When you log in to a FTP server, you don’t want users to...
Bài Viết

Bài Viết Mới Cập Nhật

Hướng dẫn chuyển đổi windows server windows evaluation to standard và active windows server 2008 + 2012 + 2016 + 2019

How to Update Ubuntu Linux

Squid Proxy Manager cài đặt và quản lý Proxy Squid tự động trên ubuntu

Hướng dẫn cài đặt Apache CloudStack

Hướng dẫn ký file PDF bằng chữ ký số (chữ ký điện tử) và sửa lỗi mới nhất 2021 foxit reader