How to install and use the arp-scan command

Posted at 2017-02-12

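#1. What is arp-scan
A command that obtains a list of the IP/MAC addresses in use within the same network.
A MAC address is 48 bits (6 octets) long, and its upper 3 octets form the OUI (Organizationally Unique Identifier), an identifier unique to each vendor. arp-scan is convenient because it also prints the vendor name, so you do not have to look each address up separately in a vendor code list.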

#2. How to install the arp-scan command

install
[root@osc01 ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

[root@osc01 ~]# yum install -y git automake autoconf libpcap-devel gcc

[root@osc01 ~]# git clone https://github.com/royhills/arp-scan.git

[root@osc01 ~]# cd arp-scan/

[root@osc01 arp-scan]# ls
acinclude.m4       ChangeLog        error.c    get-oui.1             mac-vendor.txt                  pkt-custom-request-vlan.dat      pkt-trailer-response.pcap   strlcpy.c
arp-fingerprint    check-decode     get-iab    ieee-iab.txt          Makefile.am                     pkt-custom-request-vlan-llc.dat  pkt-vlan-llc-response.pcap  TODO
arp-fingerprint.1  check-host-list  get-iab.1  ieee-oui.txt          mt19937ar.c                     pkt-llc-response.pcap            pkt-vlan-response.pcap      utils.c
arp-scan.1         check-packet     getopt1.c  link-bpf.c            NEWS                            pkt-net1921681-response.pcap     pre-release-testing.txt     wrappers.c
arp-scan.c         check-run1       getopt.c   link-dlpi.c           pkt-custom-request.dat          pkt-padding-response.pcap        README
arp-scan.h         configure.ac     getopt.h   link-packet-socket.c  pkt-custom-request-llc.dat      pkt-simple-request.dat           README.md
AUTHORS            COPYING          get-oui    mac-vendor.5          pkt-custom-request-padding.dat  pkt-simple-response.pcap         strlcat.c

[root@osc01 arp-scan]# autoreconf --install
[root@osc01 arp-scan]# ./configure

[root@osc01 arp-scan]# make

[root@osc01 arp-scan]# make check
make  check-run1 check-packet check-decode check-host-list
make[1]: Entering directory `/root/arp-scan'
make[1]: Nothing to be done for `check-run1'.
make[1]: Nothing to be done for `check-packet'.
make[1]: Nothing to be done for `check-decode'.
make[1]: Nothing to be done for `check-host-list'.
make[1]: Leaving directory `/root/arp-scan'
make  check-TESTS
make[1]: Entering directory `/root/arp-scan'
make[2]: Entering directory `/root/arp-scan'
PASS: check-run1
PASS: check-packet
PASS: check-decode
PASS: check-host-list
make[3]: Entering directory `/root/arp-scan'
make  all-am
make[4]: Entering directory `/root/arp-scan'
make[4]: Leaving directory `/root/arp-scan'
make[3]: Leaving directory `/root/arp-scan'
============================================================================
Testsuite summary for arp-scan 1.9.5
============================================================================
# TOTAL: 4
# PASS:  4
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
make[2]: Leaving directory `/root/arp-scan'
make[1]: Leaving directory `/root/arp-scan'

[root@osc01 arp-scan]# make install
make[1]: Entering directory `/root/arp-scan'
 /usr/bin/mkdir -p '/usr/local/bin'
  /usr/bin/install -c arp-scan '/usr/local/bin'
 /usr/bin/mkdir -p '/usr/local/bin'
 /usr/bin/install -c get-oui get-iab arp-fingerprint '/usr/local/bin'
 /usr/bin/mkdir -p '/usr/local/share/arp-scan'
 /usr/bin/install -c -m 644 ieee-oui.txt ieee-iab.txt mac-vendor.txt '/usr/local/share/arp-scan'
 /usr/bin/mkdir -p '/usr/local/share/man/man1'
 /usr/bin/install -c -m 644 arp-scan.1 get-oui.1 get-iab.1 arp-fingerprint.1 '/usr/local/share/man/man1'
 /usr/bin/mkdir -p '/usr/local/share/man/man5'
 /usr/bin/install -c -m 644 mac-vendor.5 '/usr/local/share/man/man5'
make[1]: Leaving directory `/root/arp-scan'

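#3. How to use the arp-scan command

Use -I to specify the interface to scan from. By default, the lowest-numbered interface that is up, excluding the loopback interface, is used (for example, eth0 if eth0/eth1/eth2 exist). Specifying the interface explicitly is probably better, since it avoids any ambiguity about which interface the scan is running on.

Usage 1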
[root@osc01 arp-scan]# arp-scan -I eth0 10.132.75.0/24 
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
10.132.75.65    00:00:0c:9f:f0:01       Cisco Systems, Inc
10.132.75.66    e4:c7:22:61:7a:41       Cisco Systems, Inc
10.132.75.67    e4:c7:22:63:c2:c1       Cisco Systems, Inc
(output omitted)

12 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 1.958 seconds (130.75 hosts/sec). 12 responded
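
Added example (not part of the original article): a shell sketch that turns arp-scan output like the above into an inventory check, listing responders whose IP/MAC pair is not in a known-asset list and IPs that answered with more than one MAC. The baseline format and all function names are assumptions made for this example, and the sample scan is constructed from the output shown above plus two invented replies.

```shell
#!/bin/sh
# Added example: audit arp-scan output against a known-asset baseline.
# Assumption: the baseline holds one "IP MAC" pair per line (format made up here).

# Keep only responder lines (IPv4, MAC, vendor); banners and summaries are dropped.
host_lines() {
    awk '{ m = tolower($2) }
         $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && length(m) == 17 &&
         m ~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+$/ { print $1, m }'
}

# Responders whose IP/MAC pair is not in the baseline. $1 = scan, $2 = baseline
unknown_hosts() {
    host_lines < "$1" | awk -v base="$2" '
        BEGIN { while ((getline l < base) > 0) { split(l, f, " "); known[f[1] " " tolower(f[2])] } }
        { k = $1 " " $2; if (!(k in known)) print k }'
}

# IPs answered by more than one distinct MAC (address conflict or spoofed reply).
duplicate_ips() {
    host_lines < "$1" | sort -u |
        awk '{ n[$1]++ } END { for (ip in n) if (n[ip] > 1) print ip }' | sort
}

# Constructed sample: three hosts from the output above plus two invented replies.
sample_scan() {
    cat <<'EOF'
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
10.132.75.65    00:00:0c:9f:f0:01       Cisco Systems, Inc
10.132.75.66    e4:c7:22:61:7a:41       Cisco Systems, Inc
10.132.75.67    e4:c7:22:63:c2:c1       Cisco Systems, Inc
10.132.75.70    02:00:00:aa:bb:cc       (Unknown)
10.132.75.66    02:00:00:aa:bb:cc       (Unknown) (DUP: 2)

5 packets received by filter, 0 packets dropped by kernel
EOF
}
sample_baseline() {   # constructed known-asset list
    printf '%s\n' '10.132.75.65 00:00:0C:9F:F0:01' \
                  '10.132.75.66 e4:c7:22:61:7a:41' '10.132.75.67 e4:c7:22:63:c2:c1'
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
sample_scan > "$tmp/scan.txt"; sample_baseline > "$tmp/known.txt"
echo "Not in baseline:"; unknown_hosts "$tmp/scan.txt" "$tmp/known.txt"
echo "IPs with >1 MAC:"; duplicate_ips "$tmp/scan.txt"
```

On a real network, save the scan to a file first (for example `arp-scan -I eth0 -l > scan.txt`) and pass that file in place of the sample.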

With -l, the target network is generated automatically from the IP address and subnet mask of the network interface, so you do not need to specify a network address or subnet mask.

Usage 2
[root@osc01 arp-scan]# arp-scan -I eth1 -l 
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 32 hosts (https://github.com/royhills/arp-scan)
161.202.86.1    00:00:0c:9f:f0:01       Cisco Systems, Inc
161.202.86.4    06:cd:a1:96:1a:d9       (Unknown)
161.202.86.2    e4:c7:22:63:c1:c1       Cisco Systems, Inc
161.202.86.3    e4:c7:22:61:83:41       Cisco Systems, Inc
(output omitted)

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 32 hosts scanned in 1.525 seconds (20.98 hosts/sec). 9 responded

Stacking -v -v -v prints detailed debug information.

Usage 3
[root@osc01 arp-scan]# arp-scan -v -v -v -I eth0 10.132.75.65/29
Interface: eth0, datalink type: EN10MB (Ethernet)
DEBUG: pcap filter string: "ether dst 06:09:40:ca:64:fd and (arp or (ether[14:4]=0xaaaa0300 and ether[20:2]=0x0806) or (ether[12:2]=0x8100 and ether[16:2]=0x0806) or (ether[12:2]=0x8100 and ether[18:4]=0xaaaa0300 and ether[24:2]=0x0806))"
DEBUG: Loaded 22487 IEEE OUI/Vendor entries from ieee-oui.txt.
DEBUG: Loaded 4575 IEEE IAB/Vendor entries from ieee-iab.txt.
DEBUG: Loaded 6 MAC/Vendor entries from mac-vendor.txt.
WARNING: host part of 10.132.75.65/29 is non-zero
DEBUG: pkt len=64 bytes, bandwidth=256000 bps, interval=2000 us
Starting arp-scan 1.9.5 with 8 hosts (https://github.com/royhills/arp-scan)
Host List:

Entry   IP Address
1       10.132.75.64
2       10.132.75.65
3       10.132.75.66
4       10.132.75.67
5       10.132.75.68
6       10.132.75.69
7       10.132.75.70
8       10.132.75.71

Total of 8 host entries.

---     Sending packet #1 to host 10.132.75.64 tmo 500000
---     Sending packet #1 to host 10.132.75.65 tmo 500000
---     Sending packet #1 to host 10.132.75.66 tmo 500000
---     Sending packet #1 to host 10.132.75.67 tmo 500000
---     Received packet #1 from 10.132.75.65
10.132.75.65    00:00:0c:9f:f0:01       Cisco Systems, Inc
---     Removing host 10.132.75.65 - Received 60 bytes
---     Sending packet #1 to host 10.132.75.68 tmo 500000
---     Received packet #1 from 10.132.75.66
10.132.75.66    e4:c7:22:61:7a:41       Cisco Systems, Inc
---     Removing host 10.132.75.66 - Received 60 bytes
---     Sending packet #1 to host 10.132.75.69 tmo 500000
---     Received packet #1 from 10.132.75.67
10.132.75.67    e4:c7:22:63:c2:c1       Cisco Systems, Inc
---     Removing host 10.132.75.67 - Received 60 bytes
---     Sending packet #1 to host 10.132.75.70 tmo 500000
---     Sending packet #1 to host 10.132.75.71 tmo 500000
---     Pass 1 complete
---     Sending packet #2 to host 10.132.75.64 tmo 750000
---     Sending packet #2 to host 10.132.75.68 tmo 750000
---     Sending packet #2 to host 10.132.75.69 tmo 750000
---     Sending packet #2 to host 10.132.75.70 tmo 750000
---     Sending packet #2 to host 10.132.75.71 tmo 750000
---     Pass 2 complete
---     Removing host 10.132.75.64 - Timeout
---     Removing host 10.132.75.68 - Timeout
---     Removing host 10.132.75.69 - Timeout
---     Removing host 10.132.75.70 - Timeout
---     Removing host 10.132.75.71 - Timeout

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 8 hosts scanned in 1.466 seconds (5.46 hosts/sec). 3 responded
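
Added example (not part of the original article, and not arp-scan's own code): the address arithmetic that matches the output above, where an interface address and netmask are reduced to a network and every address in it, network and broadcast included, becomes a target. The function names are assumptions for this example; netmask 255.255.255.248 corresponds to the /29 used in usage 3.

```shell
#!/bin/sh
# Added example: derive a scan target list from an address and a netmask.

ip2int() {   # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {   # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print every address of the network that contains $1 under netmask $2.
scan_targets() {
    ip=$(ip2int "$1"); mask=$(ip2int "$2")
    net=$(( ip & mask ))                       # clear the host bits
    last=$(( net | (~mask & 4294967295) ))     # set all host bits
    if [ "$net" -ne "$ip" ]; then
        # Same situation as the WARNING line in the usage 3 output.
        echo "note: host part of $1 is non-zero, list starts at $(int2ip "$net")" >&2
    fi
    a=$net
    while [ "$a" -le "$last" ]; do
        int2ip "$a"
        a=$(( a + 1 ))
    done
}

# 10.132.75.65/29 from usage 3: prints 10.132.75.64 through 10.132.75.71.
scan_targets 10.132.75.65 255.255.255.248
```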