Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
ARP-FINGERPRINT(1)	    General Commands Manual	    ARP-FINGERPRINT(1)

       arp-fingerprint - Fingerprint a system using ARP

       arp-fingerprint [options] target

       The target should be specified as a single IP address or	hostname.  You
       cannot specify multiple targets,	IP networks or ranges.

       If you use an IP	address	for the	target,	you can	use the	-o  option  to
       pass  the  --numeric option to arp-scan,	which will prevent it from at-
       tempting	DNS lookups.  This can speed up	 the  fingerprinting  process,
       especially on systems with a slow or faulty DNS configuration.

       arp-fingerprint	fingerprints  the  specified target host using the ARP

       It sends	various	different types	of ARP	request	 to  the  target,  and
       records	which types it responds	to. From this, it constructs a finger-
       print string consisting of "1" where the	target responded and "0" where
       it  did	not.  An example of a fingerprint string is 01000100000.  This
       fingerprint string is then used to lookup the likely  target  operating

       Many  of	 the  fingerprint strings are shared by	several	operating sys-
       tems, so	there is not always a one-to-one mapping  between  fingerprint
       strings	and  operating	systems. Also the fact that a system's finger-
       print matches a certain operating system	(or list of operating systems)
       does  not  necessarily mean that	the system being fingerprinted is that
       operating system, although it is	quite likely. This is because the list
       of  operating systems is	not exhaustive;	it is just what	I have discov-
       ered to date, and there are bound to be operating systems that are  not

       The  ARP	 fingerprint  of a system is generally a function of that sys-
       tem's kernel (although it is possible for the ARP function to be	imple-
       mented in user space, it	almost never is).

       Sometimes,  an operating	system can give	different fingerprints depend-
       ing on the configuration.  An example is	Linux, which will respond to a
       non-local  source IP address if that IP is routed through the interface
       being tested.  This is both good	and bad: on one	hand it	makes the fin-
       gerprinting  task more complex; but on the other, it can	allow some as-
       pects of	the system configuration to be determined.

       Sometimes the fact that two different operating systems share a	common
       ARP fingerprint string points to	a re-use of networking code. One exam-
       ple of this is Windows NT and FreeBSD.

       arp-fingerprint uses arp-scan to	send the ARP requests and receive  the

       There  are other	methods	that can be used to fingerprint	a system using
       arp-scan	which can be used in addition to arp-fingerprint.  These addi-
       tional  methods are not included	in arp-fingerprint either because they
       are likely to cause disruption to the target system,  or	 because  they
       require	knowledge of the target's configuration	that may not always be

       arp-fingerprint is still	being developed, and the results should	not be
       relied  on. As most of the ARP requests that it sends are non-standard,
       it is possible that it may disrupt some systems,	so caution is advised.

       If you find a system that arp-fingerprint reports as UNKNOWN,  and  you
       know what operating system it is	running, could you please send details
       of the operating	system and fingerprint to  so
       I  can  include it in future versions. Please include the exact version
       of the operating	system if  you	know  it,  as  fingerprints  sometimes
       change between versions.

       -h     Display a	brief usage message and	exit.

       -v     Display verbose progress messages.

       -o <option-string>
	      Pass  specified options to arp-scan. You need to enclose the op-
	      tions string in quotes if	 it  contains  spaces.	e.g.   -o  "-I
	      eth1".  The commonly used	options	are --interface	(-I) and --nu-
	      meric (-N).

       -l     Fingerprint all hosts on the local network. You do not  need  to
	      specify any target hosts if this option is given.

       $ arp-fingerprint   01000100000     Linux 2.2,	2.4, 2.6

       $ arp-fingerprint -o "-N	-I eth1" 11110100000     FreeBSD 5.3, Win98, WinME,	NT4, 2000, XP, 2003

       arp-fingerprint	is  implemented	 in Perl, so you need to have the Perl
       interpreter installed on	your system to use it.

       Roy Hills <>

       arp-scan(1)	The arp-scan wiki page.

				August 20, 2016		    ARP-FINGERPRINT(1)


Want to link to this manual page? Use this URL:

home | help