To a network administrator, ARP may sound familiar. ARP is a protocol that Layer 2 devices implement to discover and communicate with each other. The arping tool works over this protocol.
Why do you need arping? Imagine you are working with a small office network. It’s tempting to use the classic ping command to check hosts, isn’t it? Well, when you ping a host on the local network over ICMP, your system is actually sending ARP requests first to find that device on the network.
This is where the arping tool comes in. Similar to ping, arping checks network hosts, but it does so using link-layer (Layer 2) ARP packets. This method is useful for hosts that do not respond to Layer 3 and Layer 4 ping requests.
This article shows you how to use the arping command in Linux.
Arping on Linux
Arping is a popular tool among network administrators. However, it is not part of the standard set of tools offered by Linux, so you have to install it manually.
Fortunately, whatever distribution you use, arping should be available directly from the official package servers. Run the command that matches your distribution.
For Debian/Ubuntu and derivatives (the net-tools package provides the arp tool):
$ sudo apt install arping net-tools
For Fedora and derivatives:
$ sudo dnf install arping
For openSUSE and derivatives:
$ sudo zypper install arping2
If multiple devices are connected via Ethernet, the systems already have an internal ARP table for network communication. You can use the arp tool to list the entries in this table.
To do this, run the following command:
$ arp -a
As you can see, the command prints a list of hostnames along with their IP and MAC addresses.
Ping hosts
If you know the IP address of the target device, you can simply pass it to arping to perform an ARP ping.
Arping also lets you define how many times to ping the target device. To do this, use the “-c” flag, followed by the number of pings to perform.
One quick tip: if a new device is discovered, run the following command to view the updated ARP table:
$ arp -a
If arping cannot resolve the target’s IP address, the ARP request times out. To demonstrate, run the following command with an IP address that is not in use.
$ arping -c 7 <target_ip>
As you can see, arping will notify you if you haven’t specified a network interface. This is because arping expects you to specify an interface. If none is specified, arping tries to guess it.
Specify network interface
As you saw in the previous section, arping prefers that you specify the network interface. This is especially necessary if the server has multiple network interfaces, because arping can’t guess which NIC to use.
To avoid this problem, we can manually specify the network interface for arping. If this method is used, arping will use the specified network interface instead of making assumptions.
First, list all available network interfaces with the following command:
$ ip link show
Then specify the network interface for arping using the “-I” flag as shown below:
$ arping -I <interface_name> -c 7 <target_ip>
Specify source MAC address
As with the previous method, you can also specify the source MAC address from which you are sending packets. To do this, use the “-s” flag followed by the desired MAC address, as shown below:
$ arping -c 7 -s <source_mac> <target_ip>
Now, depending on whether you own the MAC address, there are two results:
- If you own the MAC address, you can simply specify it with the “-s” flag.
- If you don’t own the MAC address, you are trying to spoof one. In that case, you will have to use promiscuous mode. As a reminder, in this mode the network card passes on all the frames it receives, not only those addressed to it.
The good thing is that arping can run in promiscuous mode. To enable this mode, use the “-p” flag. The command will look something like this:
$ arping -c 7 -s <source_mac> -p <target_ip>
Provide source IP address
Another interesting feature of arping is the ability to manually define the source IP address. This method works similarly to the previous step.
However, this method has its own problems. As soon as arping pings the device, the device will reply to the IP address you manually entered. If you do not own this IP address, arping will receive no responses.
To manually define the source IP address, use the “-S” flag.
$ arping -c 7 -S <source_ip> <target_ip>
This method has other nuances as well. How you use this method depends on whether you own the IP address:
- If you own the IP address, then everything is fine.
- If you don’t own the IP address, you can use promiscuous mode.
If your situation matches the second option, use the “-p” flag to enable promiscuous mode.
$ arping -c 7 -S <source_ip> -p <target_ip>
While these are the most commonly used arping commands, arping offers other functions as well. For example, arping offers a quick help page for documentation on the fly:
$ arping --help
If you are interested in detailed information about the features of arping, you can dive deeper into the man page:
$ man arping
This article explores some of the most common methods for using arping. You can update the ARP table and spoof the MAC and IP address using promiscuous mode.