From NTA-Wiki
This page gives a brief overview of the various arp-scan options. It does not go into detail - for that, see the help output or read the man pages.
Target selection options
| Long Option | Short Option | Description
|
| --file | -f | Read the list of targets from the specified file
|
| --localnet | -l | Generate the list of targets from the outgoing interface address and netmask
|
| --random | -R | Randomise the target list so hosts are scanned in a random order
|
| --numeric | -N | Only allow IP addresses, no hostnames. Never perform DNS lookup
|
If neither the --file or --localnet options are specified, then targets must be specified as arguments. The target argument can either be a list of addresses or names, an IP network in the form <network>/<bits> or <network>:<netmask>, or a range of IP addresses in <start>-<end> format.
Network interface options
| Long Option | Short Option | Description | Default
|
| --interface | -I | Specify the network interface to use | First up, configured, non-loopback interface
|
| --snap | -n | Specify the frame capture length | 64 Bytes
|
Outgoing Ethernet Frame Options
| Long Option | Short Option | Header Field | Default
|
| --destaddr | -T | Destination Address | FF:FF:FF:FF:FF:FF (Ethernet broadcast)
|
| --srcaddr | -S | Source Address | Outgoing interface address
|
| --prototype | -y | Protocol Type | 0x0806 (ARP)
|
| --padding | -A | N/A | No padding (added by network driver)
|
| --llc | -L | N/A | Ethernet-II Framing
|
| --vlan | -Q | N/A | No 802.1Q tag
|
Outgoing ARP Packet Options
| Long Option | Short Option | ARP Field | Default
|
| --arphrd | -H | ar$hrd | 1 (Ethernet)
|
| --arppro | -p | ar$pro | 0x0800 (IPv4)
|
| --arphln | -a | ar$hln | 6 (Ethernet address length)
|
| --arppln | -P | ar$pln | 4 (IPv4 address length)
|
| --arpop | -o | ar$op | 1 (ARP Request)
|
| --arpsha | -u | ar$sha | Outgoing interface h/w address
|
| --arpspa | -s | ar$spa | Outgoing interface IP address
|
| --arptha | -w | ar$tha | zero (00:00:00:00:00:00)
|
The ARP field ar$tpa is set to the target IP address.
Outgoing packet timing options
| Long Option | Short Option | Description | Default
|
| --retry | -r | Total number of ARP request attempts for each target address | 2
|
| --timeout | -t | Timeout in milliseconds | 500
|
| --interval | -i | Inter-packet interval | Calculated from bandwidth
|
| --bandwidth | -B | Outbound Bandwidth | 256,000 bits/sec
|
| --backoff | -b | Timeout backoff factor | 1.5
|
Received packet decoding and display options
| Long Option | Short Option | Description
|
| --quiet | -q | Don't decode Vendor string
|
| --ignoredups | -g | Don't display duplicate ARP responses
|
| --ouifile | -O | Specify location of IEEE OUI MAC/Vendor file
|
| --iabfile | -F | Specify location of IEEE OUI MAC/Vendor file
|
| --macfile | -m | Specify location of manual MAC/Vendor file
|
| --pcapsavefile | -W | Write received packets to pcap savefile
|
Miscellanous Options
| Long Option | Short Option | Description
|
| --help | -h | Display usage message and exit
|
| --verbose | -v | Display extra debugging information
|
| --version | -V | Display arp-scan program version and exit
|
