Provided by: arp-scan_1.8.1-1_i386 bug


       arp-fingerprint - Fingerprint a system using ARP


       arp-fingerprint [options] target

       The target should be specified as a single IP address or hostname.  You
       cannot specify multiple targets, IP networks or ranges.

       If you use an IP address for the target, you can use the -o  option  to
       pass  the  --numeric  option  to  arp-scan,  which will prevent it from
       attempting DNS lookups.  This can speed up the fingerprinting  process,
       especially on systems with a slow or faulty DNS configuration.


       arp-fingerprint  fingerprints  the  specified target host using the ARP

       It sends various different types of ARP  request  to  the  target,  and
       records  which  types  it  responds  to.  From  this,  it  constructs a
       fingerprint string consisting of "1" where the target responded and "0"
       where  it  did not.  An example of a fingerprint string is 01000100000.
       This fingerprint string is  then  used  to  lookup  the  likely  target
       operating system.

       Many  of  the  fingerprint  strings  are  shared  by  several operating
       systems,  so  there  is  not  always  a  one-to-one   mapping   between
       fingerprint  strings  and  operating  systems.  Also  the  fact  that a
       system's fingerprint matches a certain operating  system  (or  list  of
       operating  systems)  does  not  necessarily  mean that the system being
       fingerprinted is that operating system, although it  is  quite  likely.
       This  is because the list of operating systems is not exhaustive; it is
       just what I have  discovered  to  date,  and  there  are  bound  to  be
       operating systems that are not listed.

       The  ARP  fingerprint  of  a  system  is  generally  a function of that
       system's kernel (although it is possible for the  ARP  function  to  be
       implemented in user space, it almost never is).

       Sometimes,   an   operating  system  can  give  different  fingerprints
       depending on the  configuration.   An  example  is  Linux,  which  will
       respond  to  a non-local source IP address if that IP is routed through
       the interface being tested.  This is both good and bad: on one hand  it
       makes  the  fingerprinting  task more complex; but on the other, it can
       allow some aspects of the system configuration to be determined.

       Sometimes the fact that two different operating systems share a  common
       ARP  fingerprint  string  points  to  a  re-use of networking code. One
       example of this is Windows NT and FreeBSD.

       arp-fingerprint uses arp-scan to send the ARP requests and receive  the

       There  are other methods that can be used to fingerprint a system using
       arp-scan which can be  used  in  addition  to  arp-fingerprint.   These
       additional  methods  are not included in arp-fingerprint either because
       they are likely to cause disruption to the target  system,  or  because
       they  require  knowledge  of  the  target's  configuration that may not
       always be available.

       arp-fingerprint is still being developed, and the results should not be
       relied  on. As most of the ARP requests that it sends are non-standard,
       it is possible that it may disrupt some systems, so caution is advised.

       If you find a system that arp-fingerprint reports as UNKNOWN,  and  you
       know what operating system it is running, could you please send details
       of the operating system and fingerprint to  so
       I  can  include it in future versions. Please include the exact version
       of the operating system if  you  know  it,  as  fingerprints  sometimes
       change between versions.


       -h     Display a brief usage message and exit.

       -v     Display verbose progress messages.

       -o <option-string>
              Pass  specified  options  to  arp-scan.  You need to enclose the
              options string in quotes if it contains  spaces.  e.g.   -o  "-I
              eth1".   The  commonly  used  options  are  --interface (-I) and
              --numeric (-N).


       $ arp-fingerprint   01000100000     Linux 2.2, 2.4, 2.6

       $ arp-fingerprint -o "-N -I eth1" 11110100000     FreeBSD 5.3, Win98, WinME, NT4, 2000, XP, 2003


       arp-fingerprint is implemented in Perl, so you need to  have  the  Perl
       interpreter installed on your system to use it.


       Roy Hills <>


       arp-scan(1) The arp-scan wiki page.

                                 April 5, 2007              ARP-FINGERPRINT(1)