Fingerprint IP hosts to discover address conflicts

The ping network tool used to be a good way to check whether a computer was up and running or whether an IP address was available. Today, many computers have ping responses turned off for security reasons, since many denial-of-service attacks use the ICMP protocol, just as ping does.

But this doesn't mean you can't scan your network to see which IP addresses are in use. NTA has a network tool named arp-scan that uses ARP (Address Resolution Protocol) to perform the scan. Because a host has to answer ARP requests to communicate on its local network segment, this works even when ping is blocked. The tool is available for free under the GPLv3 license and can be run in any *nix environment (not Windows).

To use it in Ubuntu, simply install it from the repository.

sudo apt-get install arp-scan

Then run the program specifying the network interface you want to scan on.

sudo arp-scan -I eth0 -l

The output could look something like this, giving you an overview of all connected network devices on the same subnet. In the list you can easily see IP address collisions and which devices are causing them (IP and MAC addresses have been masked).

myUser@ubuntu:~$ sudo arp-scan -I eth0 -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (
10.10.0.__      __:__:__:__:__:__       NETGEAR
10.10.0.__      __:__:__:__:__:__       Cisco Linksys LLC
10.10.0.__      __:__:__:__:__:__       KONICA MINOLTA HOLDINGS, INC.
10.10.0.__      __:__:__:__:__:__       AMERICAN POWER CONVERSION CORP
10.10.0.__      __:__:__:__:__:__       ICP Electronics Inc.
10.10.0.__      __:__:__:__:__:__       QEMU
10.10.0.__      __:__:__:__:__:__       Hewlett Packard
10.10.0.__      __:__:__:__:__:__       SNOM Technology AG
10.10.0.__      __:__:__:__:__:__       Netgear Inc.
10.10.0.__      __:__:__:__:__:__       Siemens AG
10.10.0.__      __:__:__:__:__:__       CYBEX COMPUTER PRODUCTS

11 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.369 seconds (187.00 hosts/sec). 11 responded