NEWS.md

This file gives a brief overview of the major changes between each arp-scan release. For more details please read the ChangeLog file.

2023-02-26 arp-scan 1.10.1-git (in development)

• New Features:

  • New -m option for arp-fingerprint to display the host MAC addresses.
  • OpenBSD: Call pledge(2) to enter restricted service mode once initial setup is complete. arp-scan --version output includes Built with OpenBSD pledge(2) support if applicable.
  • New ${IPnum} field name for the --format option which displays the host IP address as a 32-bit unsigned integer. This allows sorting by IP address by numeric sort on the ${IPnum} column.

• Fixed Bugs:

  • Fall back to system mapping files if user lacks execute permission in the current directory, which can happen if a capabilities-aware arp-scan is run as root.
  • Add pcap_freecode() to free BPF program memory when no longer needed.
  • Do not enable promiscuous mode on the network interface as it is not needed.

• General Improvements and Changes:

  • get-oui displays the underlying system error if the download fails instead of a generic "download failed" message.
  • CARP and IPv6 VRRP addresses added to mac-vendor.txt.
  • Append -git to version number for pre release git development versions.
  • wiki moved from mediawiki to github wiki.
  • Self-test code coverage increased to 91.2% (see code-coverage.yml for details of the code coverage tests).
  • CONTRIBUTING.md and SECURITY.md files added.
  • Change message about interface network and mask used for --localnet, and don't require --verbose to display it.
  • Various minor improvements to the code and documentation.

2022-12-10 arp-scan 1.10.0 (git tag 1.10.0)

New Features

• POSIX.1e capabilities support for Linux systems with libcap.

  • Uses CAP_NET_RAW capability instead of superuser (root) permissions.
  • May need libcap-dev or similar package to build. Note that libcap (capabilities) and libpcap (packet capture) are different libraries.
  • configure option --with-libcap, defaults to auto.
  • Can set capability on exe with: setcap cap_net_raw+p /path/to/arp-scan
  • Initially clears effective set completely and clears everything except CAP_NET_RAW from the permitted set. Only enables CAP_NET_RAW in effective set for the functions that open raw sockets. Once sockets opened, removes CAP_NET_RAW from both effective and permitted set so process can never re enable it.
  • If arp-scan is SUID root, will drop all capabilities except CAP_NET_RAW as above and will also drop SUID with setuid(getuid()). So SUID root is essentially as secure as setcap cap_net_raw+p /path/to/arp-scan and is a safe alternative if the filesystem does not support extended attributes.
  • If arp-scan is run as root, e.g. sudo, it will drop all capabilities except CAP_NET_RAW and proceed as previously, but will remain as UID 0 and may encounter file permissions issues if it tries to open files with e.g. --pcapsavefile or --ouifile in user directories.
  • --version displays Built with libcap POSIX.1e capability support if enabled.
  • make install installs the arp-scan executable with the CAP_NET_RAW capability if setcap is available and works. Otherwise will fallback to SUID. See install-exec-hook in Makefile.am for details.

• --format option allows flexible output format.

  • Fields and text with \ character escapes, e.g. ${ip}\t${mac}\t${vendor}
  • Optional left/right aligned width, e.g. |${ip;-15}|${mac}|
  • XML: <host><ip>${ip}</ip><mac>${mac}</mac><vendor>${vendor}</vendor></host>
  • JSON: {"ipAddress":"${ip}", "macAddress":"${mac}", "vendor":"${vendor}"},
  • See the arp-scan manpage for details of field names and more examples.

• Mac/Vendor mapping file changes.

  • ieee-oui.txt now holds data for all IEEE registries: MA-L (OUI), MA-M, MA-S (OUI36) and IAB.
  • ieee-iab.txt file and --iabfile option have been removed.
  • get-oui now updates ieee-oui.txt from all registries. get-iab has been removed.
  • get-oui requires Perl module Text::CSV as it now uses the IEEE .csv files instead of the .txt files.
  • get-oui can be edited to use the data from the Debian ieee-data package.
  • mac-vendor.txt is now installed to $(sysconfdir)/$(PACKAGE) instead of $(pkgdatadir). E.g. /usr/local/etc/arp-scan if ./configured with no directory options, or /etc/arp-scan with --sysconfdir=/etc. This is to permit local changes to persist across upgrades.

General improvements

• Put man pages and --help output on a diet. Updated for new options.
• Option value length is now limited only by the maximum command line length (normally around 100K). This allows for complex --format options, long --padding lengths etc.
• arp-scan now prints a brief error message instead of half a page of usage text for unknown options.

2022-10-08 arp-scan 1.9.8 (git tag 1.9.8)

• New Features:

  • Allow the use of Linux IP aliases such as eth0:0 for the interface name.
  • Permit regular MAC addresses e.g. 00:0c:29:b9:43:1b in mac-vendor.txt.
  • --limit=n option exits after n of hosts have responded, exit 1 for <n
  • --resolve option to resolve responding IP addresses to hostnames

• Fixed bugs:

  • Potential buffer overrun in unmarshal_arp_pkt().
  • arp-scan aborts with EAGAIN on busy network or using high bandwidth
  • late ARP responses could sometimes be incorrectly flagged as duplicate

• General improvements:

  • Updated IEEE URLs in download perl scripts.
  • Updated source for Mersenne RNG and replacement strlcat/strlcpy & getopt.
  • Updated for compatability with autoconf 2.71
  • make distcheck works now
  • Number of responding hosts reported no longer counts duplicate packets.
  • Many typos corrected and edge cases fixed.

• Misc Changes:

  • CI framework migrated from travis-ci to github actions.
  • Several new tests for make check

2019-11-10 arp-scan 1.9.7

• Improved error messages from libpcap functions.

• Remove obsolescent and unused autoconf macros. arp-scan 1.9.7 assumes that the C compiler is ANSI C (C89) compliant.

2019-10-13 arp-scan 1.9.6

• Use libpcap function pcap_set_immediate_mode() instead of ioctl calls to ensure packets are delivered immediately. This fixes the bug which caused arp-scan on linux to not report any hosts with libpcap 1.9.1. This change means arp-scan now requires libpcap 1.5.0 or later and will not work with earlier versions.

• Fix compiler warnings caused by the depreciated function pcap_lookupdev() in libpcap 1.9.0 and later.

2016-09-03 arp-scan 1.9.5

• Use posix hash table functions hcreate(), hsearch() and hdestroy() instead of the gas hash table code. Thanks to nihilus for the suggestion.

• Remove function replacement for inet_aton(), as this was only required for Solaris 8, which is now considered obsolete.

• Added arp-fingerprint patterns for FreeBSD 10.3, DragonflyBSD 4.6, Windows10, Linux 4.0, Linux 4.6, OpenBSD 5.9, NetBSD 7.0.

• Added "-l" option to arp-fingerprint to support fingerprinting all hosts on the local network. Thanks to Rhig for the pull request.

• Use the source_mac rather than interface_mac in the pcap filter, to permit reception of packets with spoofed MAC source address. Thanks to tissieres for the pull request.

• Use the libpcap 1.0 API functions pcap_create() instead of pcap_open_live(). This means that arp-scan now requires libpcap 1.0 or later and will not work with earlier libpcap versions.

• Updated IEEE OUI and IAB download locations to reflect IEEE website changes.

• Updated IEEE OUI and IAB MAC/Vendor files. There are now 22487 OUI entries and 4575 IAB entries.

2013-11-24 arp-scan 1.9.2

• Added new --plain (-x) option to suppress printing of header and footer text, and only display one output line for each responding host. Idea from Stefan Tomanek's arp-scan fork on github at https://github.com/wertarbyte/arp-scan.

• Use LWP::UserAgent instead of LWP::Simple in get-oui and get-iab to enable the raw content to be obtained, which avoids Unicode/UTF-8 issues.

• Added arp-fingerprint patterns for WIZnet W5100 and Cisco IOS 15.0.

• Moved arp-scan development from internal SVN repository to github at https://github.com/royhills/arp-scan. The move to git means that the commit object names are now SHA1 hashes instead of increasing integer values. So they are longer suitable for internal file versions with rcsid variables. Accordingly the rcsid variables have been removed.

2013-07-24 arp-scan 1.9:

• Updated IEEE OUI and IAB MAC/Vendor files. There are now 18157 OUI entries and 4414 IAB entries.

• Use autoconf 2.69 and automake 1.11 to add support for ARM 64-bit CPUs.

• Use libpcap functions to obtain the interface IP address and send the ARP packet, instead of using our own link-layer specific functions. The only link-layer specific function that we still need is get_hardware_address() to obtain the interface MAC address. This means we now require libpcap 0.9.3 or later.

• Added support for Dragonfly BSD.

• The -u option to get-iab and get-oui scripts now works.

• get-oui and get-iab scripts now get the OUI and IAB files from the new locations on the IEEE website, and allow whitespace at the beginning of the line.

• If the MAC/Vendor file locations are not explicitly specified, look for them in the current directory and then in their default location.

• Raised default timeout from 100ms to 500ms.

• Added new --rtt (-D) option to display the packet round-trip time.

• Include <net/bpf.h> header file early in link-bpf.c to avoid BPF symbol problems on some BSD based operating systems.

• Added arp-fingerprint patterns for GNU/Hurd, Amazon Kindle (Linux 2.6), BeOS, Windows 8, Recent Linux, FreeBSD, NetBSD and OpenBSD versions, and RiscOS.

• Added data file "pkt-custom-request-vlan-llc.dat" to the tarball to allow the ARP request packet generation self test to complete successfully.

• Various minor bug fixes and improvements.

2011-03-01 arp-scan 1.8:

• Updated IEEE OUI and IAB MAC/Vendor files. There are now 14707 OUI entries and 3542 IAB entries.

• Added support for trailer ARP replies, which were used in early versions of BSD Unix on VAX.

• Added support for ARP packets with both 802.1Q VLAN tag and LLC/SNAP framing.

• The full help output is only displayed if specifically requested with arp-scan --help. Usage errors now result in smaller help output.

• Added support for Apple Mac OS X with Xcode 2.5 and later. This allows arp-scan to build on Tiger, Leopard and Snow Leopard.

• Changed license from GPLv2 to GPLv3.

• Added warning about possible DoS when setting ar$spa to the destination IP address to the help output and man page.

• Added arp-fingerprint patterns for 2.11BSD, NetBSD 4.0, FreeBSD 7.0, Vista SP1, Windows 7 and Blackberry OS.

• Enabled compiler security options -fstack-protect, -D_FORTIFY_SOURCE=2 and -Wformat-security if they are supported by the compiler. Also enabled extra warnings -Wwrite-strings and -Wextra.

• Added new "make check" tests to check packet generation, and packet decoding and display.

• Modified get-oui and get-iab perl scripts so they will work on systems where the perl interpreter is not in /usr/bin, e.g. NetBSD.

• Various minor bug fixes and improvements.

2008-07-24 arp-scan 1.7:

• new --pcapsavefile (-W) option to save the ARP response packets to a pcap savefile for later analysis with tcpdump, wireshark or another program that supports the pcap file format.

• new --vlan (-Q) option to create outgoing ARP packets with an 802.1Q VLAN tag ARP responses with a VLAN tag are interpreted and displayed.

• New --llc (-L) option to create outgoing ARP packets with RFC 1042 LLC/SNAP framing. Received ARP packets are decoded and displayed with either LLC/SNAP or the default Ethernet-II framing irrespective of this option.

• Avoid double unmarshalling of packet data: once in callback, then again in display_packet().

• New arp-fingerprint patterns for ARP fingerprinting: Cisco 79xx IP Phone SIP 5.x, 6.x and 7.x; Cisco 79xx IP Phone SIP 8.x.

• Updated IEEE OUI and IAB MAC/Vendor files. There are now 11,697 OUI entries and 2,386 IAB entries.

2007-04-12 arp-scan 1.6:

• arp-scan wiki at http://www.nta-monitor.com/wiki/ This contains detailed documentation on arp-scan, and is intended to be the primary documentation resource.

• Added support for Sun Solaris. Tested on Solaris 9 (SPARC). arp-scan may also work on other systems that use DLPI, but only Solaris has been tested.

• New arp-fingerprint patterns for ARP fingerprinting: IOS 11.2, 11.3 and 12.4; ScreenOS 5.1, 5.2, 5.3 and 5.4; Cisco VPN Concentrator 4.7; AIX 4.3 and 5.3; Nortel Contivity 6.00 and 6.05; Cisco PIX 5.1, 5.2, 5.3, 6.0, 6.1, 6.2, 6.3 and 7.0.

• Updated IEEE OUI and IAB MAC/Vendor files. There are now 10,214 OUI entries and 1,858 IAB entries.

• Added HSRP MAC address to mac-vendor.txt.

2006-07-22 arp-scan 1.5:

• Reduced memory usage from 44 bytes per target to 28 bytes. This reduces the memory usage for a Class-B network from 2.75MB to 1.75MB, and a Class-A network from 704MB to 448MB.

• Reduced the startup time for large target ranges. This reduces the startup time for a Class-A network from 80 seconds to 15 seconds on a Compaq laptop with 1.4GHz CPU.

• Added support for FreeBSD, OpenBSD, NetBSD and MacOS X (Darwin). arp-scan will probably also work on other operating systems that implement BPF, but only those listed have been tested.

• Improved operation of the --srcaddr option. Now this will change the source hardware address in the Ethernet header without changing the interface address.

• Additional fingerprints for arp-fingerprint.

• Improved manual pages.

• Updated IEEE OUI and IAB files. There are now 9,426 OUI entries and 1,568 IAB entries.

2006-06-26 arp-scan 1.4:

• Added IEEE IAB listings and associated get-iab update script and --iabfile option.
• Added manual MAC/Vendor mapping file: mac-vendor.txt and associated --macfile option.
• New --localnet option to scan all IP addresses on the specified interface network and mask.

2006-06-23 arp-scan 1.3:

• Initial public release. Source distribution only, which will compile and run on Linux.