ARP scanning is the most reliable way to find every active device on a local network. Unlike ping, ARP operates at the data link layer and detects hosts even when they block ICMP requests. Three tools cover the job: the built-in arp command, the dedicated arp-scan utility, and nmap in ARP discovery mode.
ARP Scanning Tools at a Glance
| Tool | Installation | When to Use |
|---|---|---|
| arp -a | Built into Linux | View the cached ARP table |
| arp-scan | apt / dnf | Active scan of the entire subnet |
| nmap -PR | apt / dnf | Scanning with extended options |
What ARP Is and How It Works
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses within a local network. When a host wants to send a packet, it knows the destination IP but not the physical address. ARP broadcasts a request to everyone on the segment: "Who has IP 192.168.1.50?" The device with that address replies: "I do — my MAC is aa:bb:cc:dd:ee:ff." The response gets written into the ARP table and cached.
The key difference from ping: ARP doesn't route beyond the local network and can't be disabled at the firewall level as easily as ICMP. That's what makes ARP scanning more dependable for local network inventory.
View the current ARP table — devices the system has already communicated with:
arp -a
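The request and reply described above, as bytes on the wire. This is an added Python example, not code from the original article; the scanner's address 192.168.1.10 and MAC 00:11:22:33:44:55 are constructed, and learn() is a hypothetical helper that mimics how a host caches a reply after basic consistency checks.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST, UNKNOWN = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header (14 bytes) + ARP body (28 bytes) for Ethernet/IPv4."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + arp

def parse_frame(frame):
    if len(frame) < 42:
        raise ValueError("truncated frame")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa))}

def learn(cache, asked_ip, frame):
    """Cache a reply only if it answers asked_ip and both source MACs agree."""
    f = parse_frame(frame)
    ok = (f["op"] == OP_REPLY and f["sender_ip"] == asked_ip
          and f["eth_src"] == f["sender_mac"])
    if ok:
        cache[asked_ip] = f["sender_mac"]
    return ok

# Constructed exchange: broadcast "who has 192.168.1.50?" and the unicast answer.
request = build_frame(OP_REQUEST, BROADCAST, "00:11:22:33:44:55", "192.168.1.10",
                      UNKNOWN, "192.168.1.50")
reply = build_frame(OP_REPLY, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "192.168.1.50",
                    "00:11:22:33:44:55", "192.168.1.10")
```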
Installing arp-scan
arp-scan is a purpose-built tool for active host discovery. The current release is version 1.10.0.
On Ubuntu and Debian:
sudo apt install arp-scan
On Fedora, CentOS, AlmaLinux:
sudo dnf install arp-scan
Verify the installed version:
arp-scan --version
Scanning the Local Network
Before scanning, find the name of your network interface:
ip addr list
Look for the active interface in the output — typically eth0, enp3s0, or wlan0. The exact name depends on your hardware and OS configuration.
Scan all hosts on the local network through the specified interface:
sudo arp-scan --interface=enp3s0 --localnet
The same scan with an explicit subnet instead of --localnet:
sudo arp-scan --interface=enp3s0 192.168.1.0/24
Both commands produce a table with three columns: IP address, MAC address, and the network card manufacturer.
Useful Options
Increase the number of ARP requests per address to improve detection reliability:
sudo arp-scan --interface=enp3s0 --localnet --retry=3
Slow down the scan — useful on large networks or unstable connections:
sudo arp-scan --interface=enp3s0 --localnet --interval=5000u
--interval sets the delay between packets. The value is in milliseconds by default; the u suffix switches it to microseconds, so 5000u means 5 milliseconds between requests.
Save results to a file:
sudo arp-scan --interface=enp3s0 --localnet | tee scan-results.txt
Scanning with Nmap
Nmap supports ARP scanning via the -PR flag. Useful if nmap is already installed or you need more advanced options:
sudo nmap -PR -sn 192.168.1.0/24
The -sn flag disables port scanning — only host discovery runs. Root privileges are required for ARP mode.
Run with root privileges on the local segment, the same command already prints each host's MAC address and manufacturer, so no extra script option is needed.
Why ARP Scanning May Not Work
Scanning outside the subnet — ARP only works within a single broadcast domain. To find devices in other subnets, use ping scanning or route tracing instead.
IP address conflict — if two devices share an IP, ARP responses become unpredictable. Use arping to check for conflicts on a specific address.
Interface without an IP address — arp-scan can operate on an interface with no address, but the source will be 0.0.0.0. Not all devices respond to such requests.
ARP spoofing — an attacker can forge ARP replies, skewing scan results. Networks with Dynamic ARP Inspection enabled may also limit what the scanner sees.
Insufficient privileges — both arp-scan and nmap in ARP mode require superuser rights. Running without sudo returns a permission error.
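An IP conflict or forged replies show up in scan output as one IP answered by several MACs, or one MAC answering for several IPs. The added Python example below (not part of the original article) checks saved arp-scan output for both, and for MACs missing from an inventory; the sample rows and the KNOWN set are constructed.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# A result row is: IP <tab> MAC <tab> vendor text (possibly with a DUP marker).
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\t([0-9A-Fa-f:]{17})\t(.*)$")

# Constructed sample of saved arp-scan output; all addresses are made up.
SAMPLE = (
    "Interface: enp3s0, type: EN10MB, MAC: 00:11:22:33:44:55, IPv4: 192.168.1.10\n"
    "192.168.1.1\taa:bb:cc:00:00:01\t(Unknown)\n"
    "192.168.1.20\taa:bb:cc:00:00:20\t(Unknown)\n"
    "192.168.1.50\taa:bb:cc:dd:ee:ff\t(Unknown)\n"
    "192.168.1.50\taa:bb:cc:00:00:99\t(Unknown) (DUP: 2)\n"
    "192.168.1.77\taa:bb:cc:00:00:99\t(Unknown)\n"
    "\n5 packets received by filter, 0 packets dropped by kernel\n"
)
# Hypothetical inventory of MAC addresses expected on this segment.
KNOWN = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:20", "aa:bb:cc:dd:ee:ff"}

def parse_scan(text):
    """Return (ip, mac, vendor) tuples, skipping banner and summary lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3)))
    return rows

def audit(rows, known):
    by_ip, by_mac = defaultdict(set), defaultdict(set)
    for ip, mac, _vendor in rows:
        by_ip[ip].add(mac)
        by_mac[mac].add(ip)
    return {
        # Same IP answered by more than one MAC: conflict or forged reply.
        "ip_conflicts": {ip: sorted(m) for ip, m in by_ip.items() if len(m) > 1},
        # Same MAC answering for several IPs: worth a manual look.
        "mac_multi_ip": {mac: sorted(i, key=IPv4Address)
                         for mac, i in by_mac.items() if len(i) > 1},
        # MACs that responded but are not in the inventory.
        "unknown": sorted(set(by_mac) - known),
    }

if __name__ == "__main__":
    for finding, value in audit(parse_scan(SAMPLE), KNOWN).items():
        print(finding, value)
```

To check a real scan, pass the contents of scan-results.txt to parse_scan() in place of SAMPLE.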
Frequently Asked Questions
How do I find all devices on a Linux local network?
Run sudo arp-scan --interface=eth0 --localnet — it discovers every active device in the subnet and outputs their IP and MAC addresses. Replace eth0 with your interface name from ip addr list. Root privileges are required.
Why is ARP scanning better than ping scanning?
ARP operates at the data link layer and discovers devices that block ICMP. Most devices on a local network can't hide from ARP requests, whereas firewall rules can silently drop ping responses and make hosts invisible to ping sweeps.
How do I identify a device manufacturer from a MAC address?
arp-scan automatically resolves the manufacturer from the first three bytes of the MAC address (OUI) and displays it in the third column. You can also look up any MAC address manually at macvendors.com.
Can I scan multiple subnets at once?
Yes — specify multiple ranges separated by spaces: sudo arp-scan --interface=eth0 192.168.1.0/24 10.0.0.0/24. For subnets behind a router, ARP won't reach them — use nmap -sn with ping discovery instead.
Why doesn't arp-scan see some devices?
A device won't respond if it's in a different VLAN, powered off during the scan, or if the switch enforces ARP filtering. Increase retry attempts with --retry=3 to improve reliability, especially on busy networks.