arp-scanコマンドのインストール方法と利用方法

#1. arp-scanとは
同一Network内で使用されているIP/MACアドレスの一覧を取得するコマンド。
MACアドレスは48ビット長（6オクテット）から成るアドレス情報だが、上位3オクテットがOUI（Organizationally Unique Identifier）と呼ばれるベンダー固有の識別子IDを示している。arp-scanコマンドは、いちいちベンダーコード一覧から別途検索しなくともベンダー名まで出力してくれるので便利。

#2. arp-scanコマンドのインストール方法

install

[root@osc01 ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

[root@osc01 ~]# yum install -y git automake autoconf libpcap-devel gcc

[root@osc01 ~]# git clone https://github.com/royhills/arp-scan.git

[root@osc01 ~]# cd arp-scan/

[root@osc01 arp-scan]# ls
acinclude.m4       ChangeLog        error.c    get-oui.1             mac-vendor.txt                  pkt-custom-request-vlan.dat      pkt-trailer-response.pcap   strlcpy.c
arp-fingerprint    check-decode     get-iab    ieee-iab.txt          Makefile.am                     pkt-custom-request-vlan-llc.dat  pkt-vlan-llc-response.pcap  TODO
arp-fingerprint.1  check-host-list  get-iab.1  ieee-oui.txt          mt19937ar.c                     pkt-llc-response.pcap            pkt-vlan-response.pcap      utils.c
arp-scan.1         check-packet     getopt1.c  link-bpf.c            NEWS                            pkt-net1921681-response.pcap     pre-release-testing.txt     wrappers.c
arp-scan.c         check-run1       getopt.c   link-dlpi.c           pkt-custom-request.dat          pkt-padding-response.pcap        README
arp-scan.h         configure.ac     getopt.h   link-packet-socket.c  pkt-custom-request-llc.dat      pkt-simple-request.dat           README.md
AUTHORS            COPYING          get-oui    mac-vendor.5          pkt-custom-request-padding.dat  pkt-simple-response.pcap         strlcat.c

[root@osc01 arp-scan]# autoreconf --install
[root@osc01 arp-scan]# ./configure

[root@osc01 arp-scan]# make

[root@osc01 arp-scan]# make check
make  check-run1 check-packet check-decode check-host-list
make[1]: Entering directory `/root/arp-scan'
make[1]: Nothing to be done for `check-run1'.
make[1]: Nothing to be done for `check-packet'.
make[1]: Nothing to be done for `check-decode'.
make[1]: Nothing to be done for `check-host-list'.
make[1]: Leaving directory `/root/arp-scan'
make  check-TESTS
make[1]: Entering directory `/root/arp-scan'
make[2]: Entering directory `/root/arp-scan'
PASS: check-run1
PASS: check-packet
PASS: check-decode
PASS: check-host-list
make[3]: Entering directory `/root/arp-scan'
make  all-am
make[4]: Entering directory `/root/arp-scan'
make[4]: Leaving directory `/root/arp-scan'
make[3]: Leaving directory `/root/arp-scan'
============================================================================
Testsuite summary for arp-scan 1.9.5
============================================================================
# TOTAL: 4
# PASS:  4
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
make[2]: Leaving directory `/root/arp-scan'
make[1]: Leaving directory `/root/arp-scan'

[root@osc01 arp-scan]# make install
make[1]: Entering directory `/root/arp-scan'
 /usr/bin/mkdir -p '/usr/local/bin'
  /usr/bin/install -c arp-scan '/usr/local/bin'
 /usr/bin/mkdir -p '/usr/local/bin'
 /usr/bin/install -c get-oui get-iab arp-fingerprint '/usr/local/bin'
 /usr/bin/mkdir -p '/usr/local/share/arp-scan'
 /usr/bin/install -c -m 644 ieee-oui.txt ieee-iab.txt mac-vendor.txt '/usr/local/share/arp-scan'
 /usr/bin/mkdir -p '/usr/local/share/man/man1'
 /usr/bin/install -c -m 644 arp-scan.1 get-oui.1 get-iab.1 arp-fingerprint.1 '/usr/local/share/man/man1'
 /usr/bin/mkdir -p '/usr/local/share/man/man5'
 /usr/bin/install -c -m 644 mac-vendor.5 '/usr/local/share/man/man5'
make[1]: Leaving directory `/root/arp-scan'

#3. arp-scanコマンドの利用方法

-Iでインターフェースを指定して検索対象のインターフェースを指定する。デフォルトでは、loopbackインターフェース以外の起動済インターフェースで最も番号が小さいもの（例えばeth0/eth1/eth2ならばeth0）が利用される（どのインターフェースに対して検索しているのか曖昧になるのを避けるために、明示的に指定する方が良いと思われる）。

使い方1

[root@osc01 arp-scan]# arp-scan -I eth0 10.132.75.0/24 
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
10.132.75.65    00:00:0c:9f:f0:01       Cisco Systems, Inc
10.132.75.66    e4:c7:22:61:7a:41       Cisco Systems, Inc
10.132.75.67    e4:c7:22:63:c2:c1       Cisco Systems, Inc
（途中略）

12 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 1.958 seconds (130.75 hosts/sec). 12 responded

-lを使えば、network interfaceの持つIP addressとsubnet mask情報を使って検索対象のネットワークを自動的に生成してくれるので、network addressやsubnet maskの指定をしなくても良い。

使い方2

[root@osc01 arp-scan]# arp-scan -I eth1 -l 
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 32 hosts (https://github.com/royhills/arp-scan)
161.202.86.1    00:00:0c:9f:f0:01       Cisco Systems, Inc
161.202.86.4    06:cd:a1:96:1a:d9       (Unknown)
161.202.86.2    e4:c7:22:63:c1:c1       Cisco Systems, Inc
161.202.86.3    e4:c7:22:61:83:41       Cisco Systems, Inc
（途中略）

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 32 hosts scanned in 1.525 seconds (20.98 hosts/sec). 9 responded

-v -v -vと重ねると、詳細なdebug情報が出力される。

使い方3

[root@osc01 arp-scan]# arp-scan -v -v -v -I eth0 10.132.75.65/29
Interface: eth0, datalink type: EN10MB (Ethernet)
DEBUG: pcap filter string: "ether dst 06:09:40:ca:64:fd and (arp or (ether[14:4]=0xaaaa0300 and ether[20:2]=0x0806) or (ether[12:2]=0x8100 and ether[16:2]=0x0806) or (ether[12:2]=0x8100 and ether[18:4]=0xaaaa0300 and ether[24:2]=0x0806))"
DEBUG: Loaded 22487 IEEE OUI/Vendor entries from ieee-oui.txt.
DEBUG: Loaded 4575 IEEE IAB/Vendor entries from ieee-iab.txt.
DEBUG: Loaded 6 MAC/Vendor entries from mac-vendor.txt.
WARNING: host part of 10.132.75.65/29 is non-zero
DEBUG: pkt len=64 bytes, bandwidth=256000 bps, interval=2000 us
Starting arp-scan 1.9.5 with 8 hosts (https://github.com/royhills/arp-scan)
Host List:

Entry   IP Address
1       10.132.75.64
2       10.132.75.65
3       10.132.75.66
4       10.132.75.67
5       10.132.75.68
6       10.132.75.69
7       10.132.75.70
8       10.132.75.71

Total of 8 host entries.

---     Sending packet #1 to host 10.132.75.64 tmo 500000
---     Sending packet #1 to host 10.132.75.65 tmo 500000
---     Sending packet #1 to host 10.132.75.66 tmo 500000
---     Sending packet #1 to host 10.132.75.67 tmo 500000
---     Received packet #1 from 10.132.75.65
10.132.75.65    00:00:0c:9f:f0:01       Cisco Systems, Inc
---     Removing host 10.132.75.65 - Received 60 bytes
---     Sending packet #1 to host 10.132.75.68 tmo 500000
---     Received packet #1 from 10.132.75.66
10.132.75.66    e4:c7:22:61:7a:41       Cisco Systems, Inc
---     Removing host 10.132.75.66 - Received 60 bytes
---     Sending packet #1 to host 10.132.75.69 tmo 500000
---     Received packet #1 from 10.132.75.67
10.132.75.67    e4:c7:22:63:c2:c1       Cisco Systems, Inc
---     Removing host 10.132.75.67 - Received 60 bytes
---     Sending packet #1 to host 10.132.75.70 tmo 500000
---     Sending packet #1 to host 10.132.75.71 tmo 500000
---     Pass 1 complete
---     Sending packet #2 to host 10.132.75.64 tmo 750000
---     Sending packet #2 to host 10.132.75.68 tmo 750000
---     Sending packet #2 to host 10.132.75.69 tmo 750000
---     Sending packet #2 to host 10.132.75.70 tmo 750000
---     Sending packet #2 to host 10.132.75.71 tmo 750000
---     Pass 2 complete
---     Removing host 10.132.75.64 - Timeout
---     Removing host 10.132.75.68 - Timeout
---     Removing host 10.132.75.69 - Timeout
---     Removing host 10.132.75.70 - Timeout
---     Removing host 10.132.75.71 - Timeout

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 8 hosts scanned in 1.466 seconds (5.46 hosts/sec). 3 responded