arp-scan
Doesn't work on WSL2 NAT network mode
Network on wsl2
┌──(root㉿W1sh)-[~]
└─# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:05:6e:31 brd ff:ff:ff:ff:ff:ff
inet 172.30.36.124/20 brd 172.30.47.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fe05:6e31/64 scope link
valid_lft forever preferred_lft forever
Network on host
WLAN:
IPv4 Address . . . . . . . . . . . . : 172.20.129.135
NetMask . . . . . . . . . . . . : 255.255.248.0
GateWay. . . . . . . . . . . . . : 172.20.128.1
I tried to scan the host on the host's network segment from WSL, but I get:
┌──(root㉿W1sh)-[~]
└─# arp-scan -I eth0 172.30.36.1/24
Interface: eth0, type: EN10MB, MAC: 00:15:5d:05:6e:31, IPv4: 172.30.36.124
WARNING: host part of 172.30.36.1/24 is non-zero
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
1 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.103 seconds (121.73 hosts/sec). 0 responded
And I tried to scan from the host:
>arp-scan.exe -t 172.20.129.135
Reply that B4:0E:DE:13:86:ED is 172.20.129.135 in 0.210700
> arp-scan.exe -t 172.30.36.124
Reply that 00:15:5D:05:6E:31 is 172.30.36.124 in 2.027900
The IP network is 172.30.36.124/20:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:05:6e:31 brd ff:ff:ff:ff:ff:ff
inet 172.30.36.124/20 brd 172.30.47.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fe05:6e31/64 scope link
valid_lft forever preferred_lft forever
But you are scanning the smaller 172.30.36.0/24 network (specified as 172.30.36.1/24, but arp-scan converts it to the correct CIDR address, hence the warning about non-zero host part):
# arp-scan -I eth0 172.30.36.1/24
So you are probably seeing nothing because you're not scanning the entire range of the WSL2 NAT network.
Try arp-scan --localnet, which should automatically use the correct network address for the interface, e.g.:
rsh@nuc13:~$ sudo arp-scan --localnet
Interface: eth0, type: EN10MB, MAC: 00:15:5d:9f:59:90, IPv4: 172.19.102.229
Starting arp-scan 1.9.7 with 4096 hosts (https://github.com/royhills/arp-scan)
172.19.96.1 00:15:5d:a0:2e:be Microsoft Corporation
1 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 4096 hosts scanned in 17.425 seconds (235.06 hosts/sec). 1 responded
I'm not familiar with arp-scan.exe - note that this is not the same as arp-scan although it has a confusingly similar name. I don't know how arp-scan.exe is receiving replies from hosts outside the NAT network.
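The prefix arithmetic behind the reply above, as an added example (not code from arp-scan or from either poster): it compares the range a target specification covers with the interface's own network. Treating the first address of the interface network as the likely responder is an assumption taken from the sample --localnet output, where 172.19.96.1 answered.

```python
import ipaddress
import re

# Interface line copied from the `ip a` output quoted on this page.
IP_A_LINE = "inet 172.30.36.124/20 brd 172.30.47.255 scope global eth0"


def interface_network(ip_a_line):
    """On-link IPv4 network for an `inet ADDR/PREFIX` line from `ip a`."""
    m = re.search(r"inet (\d+(?:\.\d+){3}/\d+)", ip_a_line)
    if not m:
        raise ValueError("no IPv4 address/prefix in line")
    return ipaddress.ip_interface(m.group(1)).network


def coverage(ip_a_line, target):
    """Compare a scan target (ADDR/PREFIX) with the interface's network."""
    local = interface_network(ip_a_line)
    spec = ipaddress.ip_interface(target)
    scanned = spec.network  # host bits masked off, as the reply describes
    if scanned.subnet_of(local):
        overlap = scanned.num_addresses
    elif local.subnet_of(scanned):
        overlap = local.num_addresses
    else:
        overlap = 0  # CIDR blocks either nest or are disjoint
    # Assumption: the first address of the interface network is the likely
    # responder, as in the sample --localnet output (172.19.96.1).
    first = local.network_address + 1
    return {
        "local": str(local),
        "scanned": str(scanned),
        "host_part_warning": spec.ip != scanned.network_address,
        "scanned_count": scanned.num_addresses,
        "local_count": local.num_addresses,
        "covered": overlap / local.num_addresses,
        "first_host": str(first),
        "first_host_scanned": first in scanned,
    }


if __name__ == "__main__":
    for target in ("172.30.36.1/24", "172.30.32.0/20"):
        print(target, coverage(IP_A_LINE, target))
```

For the /24 target from the original post this reports 256 of 4096 addresses covered, with the first address of the /20 falling outside the scanned range.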