Cyber Security: What is an ARP scan?

An ARP scan is a network discovery technique that uses the Address Resolution Protocol (ARP) to enumerate live hosts on a local subnet. Because ARP operates at Layer 2 (Ethernet) rather than Layer 3 (IP), an ARP scan reveals devices that respond on the local segment even when they are configured to ignore ICMP or block port probes.

How ARP works

When one host on a local network needs to send a packet to another IPv4 address on the same subnet, it first broadcasts an ARP request asking “who has this IP?”. The device with that IP replies with its MAC (hardware) address. The requester caches the mapping and can now address Ethernet frames directly. ARP is intentionally trusting; every device on the segment hears the broadcast and any device can claim to own an IP.
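The request/reply exchange described above, as an added example (not code from the original article): it encodes an ARP request and the matching reply as raw Ethernet frames with the standard library, decodes them back, and shows the rule a host applies before answering. The MAC and IP addresses are constructed sample values and nothing is sent on the wire.

```python
# Added example, not part of the original article: build and decode ARP frames
# (RFC 826 layout inside an Ethernet II header). Pure standard library; the
# addresses below are constructed sample data and no packet is transmitted.
import struct

ETH_TYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None) -> bytes:
    """Return a 42-byte Ethernet frame carrying an IPv4-over-Ethernet ARP packet.

    A request is broadcast to every host on the segment; a reply is unicast
    back to the asker, which is why ARP requests are visible to all neighbours.
    """
    if dst_mac is None:
        dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame; raise ValueError for anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETH_TYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{etype:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": bytes_to_mac(dst), "eth_src": bytes_to_mac(src), "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]), "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]), "target_ip": bytes_to_ip(frame[38:42]),
    }


def answer_request(request: bytes, my_mac: str, my_ip: str):
    """What a receiving host does: reply only if the request asks for its own IP."""
    req = parse_arp(request)
    if req["op"] != ARP_REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


def exchange():
    """Simulate host A resolving host B; return the decoded request and reply."""
    a_mac, a_ip = "02:00:00:00:00:0a", "192.0.2.10"  # constructed sample values
    b_mac, b_ip = "02:00:00:00:00:0b", "192.0.2.11"
    request = build_arp(ARP_REQUEST, a_mac, a_ip, "00:00:00:00:00:00", b_ip)
    reply = answer_request(request, b_mac, b_ip)
    return parse_arp(request), parse_arp(reply)


if __name__ == "__main__":
    req, rep = exchange()
    print("request:", req)
    print("reply:  ", rep)
```

Note that `answer_request` checks nothing beyond "is this my IP": there is no signature or binding to verify, which is the trust gap the paragraph above describes and the reason a host will answer any scanner that asks.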

How an ARP scan works

A scanner walks every IP in the local subnet and issues an ARP request for each. Devices that are powered on and connected to the segment send an ARP reply, regardless of firewall rules at the IP layer. The result is a list of (IP, MAC, vendor) tuples covering every live host the scanner can reach at Layer 2.

Common tools

The dedicated tool is arp-scan, which prints one line per responding host such as “192.168.1.15 aa:bb:cc:11:22:33 Apple, Inc.” (IP, MAC, and the vendor looked up from the MAC prefix). Nmap uses ARP requests in place of its usual ping probes when it has raw-packet privileges and the targets are on the local broadcast domain; -PR requests this explicitly, and a plain -sn host-discovery scan of the local segment gets it automatically. Wireshark passively reveals ARP traffic without sending any probes, which is useful when stealth matters.

Why testers use it

ARP scans are the most reliable host-discovery method on internal networks. Host firewalls cannot block them, because those firewalls filter at Layer 3 and above while the ARP reply is generated below that, and they avoid the noise of broad port scans. On engagements where an attacker has gained a foothold on the internal network, ARP scanning quickly maps the immediate segment and often surfaces forgotten devices, IoT controllers, and management interfaces missing from asset inventories.

Limitations and defences

ARP only sees the local broadcast domain; it does not cross routers. Network segmentation therefore limits how much an attacker can map from any single foothold. Dynamic ARP inspection on switches, paired with DHCP snooping, prevents ARP spoofing attacks but does not block ARP scanning from a host whose own address binding is valid, since a scanner's requests are well-formed. Detection relies on spotting sweep behaviour, typically a single MAC address issuing ARP requests for many distinct IPs within a short window, either at the switch or via passive sensors.
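The sweep detection just described, as an added example (not code from the original article): it reads tab-separated records in the shape a `tshark -T fields -e frame.time_epoch -e eth.src -e arp.opcode -e arp.dst.proto_ipv4` export would produce and, per source MAC, counts distinct ARP-request targets in a sliding time window. The records it runs over are constructed sample data, not a real capture; the window and threshold values are assumptions to tune against your own baseline.

```python
# Added example, not part of the original article: flag ARP sweeps in a
# passive capture export. Each input line is "epoch\tsrc_mac\topcode\ttarget_ip",
# the shape a tshark fields export would give. All sample lines are constructed.
from collections import defaultdict, deque


def parse_line(line: str):
    ts, src, opcode, target = line.rstrip("\n").split("\t")
    return float(ts), src.lower(), int(opcode), target


def detect_arp_sweeps(lines, window=10.0, threshold=20):
    """Return {mac: peak_distinct_targets} for MACs that sweep.

    For each source MAC, keep the ARP requests seen in the last `window`
    seconds and count distinct target IPs; a MAC whose peak count reaches
    `threshold` is reported. Replies (opcode 2) are ignored: a sweep is
    defined by who is asking, not who answers. Lines must be in time order.
    """
    per_src = defaultdict(deque)  # mac -> deque of (ts, target_ip), oldest first
    peak = defaultdict(int)
    for line in lines:
        ts, src, opcode, target = parse_line(line)
        if opcode != 1:
            continue
        q = per_src[src]
        q.append((ts, target))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({t for _, t in q})
        peak[src] = max(peak[src], distinct)
    return {mac: n for mac, n in peak.items() if n >= threshold}


def sample_lines():
    """Constructed data: a normal host resolving three peers 25 s apart,
    and a scanner walking 192.0.2.1-60 in six seconds."""
    normal, normal_ip = "02:00:00:00:00:0a", "192.0.2.10"
    scanner = "02:00:00:00:00:ff"
    rows = []
    for i, tgt in enumerate(["192.0.2.1", "192.0.2.20", "192.0.2.30"]):
        t = 1700000000.0 + i * 25
        rows.append((t, f"{t:.6f}\t{normal}\t1\t{tgt}"))
        # the peer's reply, addressed back to the normal host
        rows.append((t + 0.001, f"{t + 0.001:.6f}\t02:00:00:00:00:{0x20 + i:02x}\t2\t{normal_ip}"))
    for n in range(1, 61):
        t = 1700000100.0 + n * 0.1
        rows.append((t, f"{t:.6f}\t{scanner}\t1\t192.0.2.{n}"))
    rows.sort(key=lambda r: r[0])
    return [line for _, line in rows]


if __name__ == "__main__":
    for mac, n in detect_arp_sweeps(sample_lines()).items():
        print(f"possible ARP sweep from {mac}: {n} distinct targets within 10 s")
```

Before alerting on this in production, baseline the segment: DHCP servers, monitoring systems and some network management agents legitimately resolve many neighbours, so the threshold should sit above what those hosts produce, or their MACs should be allow-listed.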

Related terms

See also: ping sweep, port scanning, Nmap, and man-in-the-middle attack.
