Arp-scan Frequently Asked Questions

From NTA-Wiki

Why does arp-scan need to run as root?

arp-scan needs to access the network at the link layer (Layer 2). To do this, it uses packet socket, BPF or DLPI to send the packets, and libpcap to receive them. Only root can send and receive link layer packets. If you run arp-scan as a normal user, you will receive an error similar to this:

$ arp-scan
You need to be root, or arp-scan must be SUID root, to open a link-layer socket.
link_open: Operation not permitted

You can either run arp-scan as root, or install it SUID root. Installing arp-scan SUID root may introduce a security risk if it contains exploitable bugs. I am not aware of any such bugs, and I have taken care to avoid them, but there are no guarantees.

Why doesn't arp-scan use libnet to send the packets?

I decided to write my own link-layer send functions rather than use libnet to minimise the number of dependencies. Libnet is not common enough to assume that it will be present on most systems, and I don't want to force the user to install extra software in order to use arp-scan.

By contrast, I have used libpcap for the packet receive functions because it is quite common now and I believe that most potential arp-scan users will already have it installed.