.\" Text automatically generated by txt2man
.TH netdiscover 8 "07 Feb 2019" "netdiscover-0.5.1" "active/passive ARP reconnaissance tool"
.SH NAME
\fBnetdiscover\fP \- active/passive ARP reconnaissance tool
.SH SYNOPSIS
.nf
.fam C
\fBnetdiscover\fP [\fB-i\fP \fIdevice\fP] [\fB-r\fP \fIrange\fP | \fB-l\fP \fIfile\fP | \fB-p\fP] [\fB-m\fP \fIfile\fP] [\fB-F\fP \fIfilter\fP] [\fB-s\fP \fItime\fP] [\fB-c\fP \fIcount\fP] [\fB-n\fP \fInode\fP] [\fB-dfPLNS\fP]
.fam T
.fi
.SH DESCRIPTION
\fBnetdiscover\fP is an active/passive ARP reconnaissance tool, initially
developed to gain information about wireless networks without DHCP servers in
wardriving scenarios. It can also be used on switched networks. Built on top of
libnet and libpcap, it can passively detect online hosts or search for them by
sending ARP requests.
.PP
Furthermore, it can be used to inspect your network's ARP traffic, or to find
network addresses using auto scan mode, which scans for common local networks.
.SH OPTIONS
.TP
.B
\fB-i\fP \fIdevice\fP
The network interface used to sniff and inject packets. If no interface is
specified, the first available one will be used.
.TP
.B
\fB-r\fP \fIrange\fP
Scan a given \fIrange\fP instead of auto scan. Valid \fIrange\fP values are,
for example: 192.168.0.0/24, 192.168.0.0/16 or 192.168.0.0/8. Currently,
acceptable ranges are /8, /16 and /24 only.
.TP
.B
\fB-l\fP \fIfile\fP
Scan the ranges contained in the given \fIfile\fP. It must contain only one
\fIrange\fP per line.
.TP
.B
\fB-p\fP
Enable passive mode. In passive mode, \fBnetdiscover\fP does not send anything;
it only sniffs.
.TP
.B
\fB-m\fP \fIfile\fP
Scan a list of known MACs and host names.
.TP
.B
\fB-F\fP \fIfilter\fP
Customize the pcap \fIfilter\fP expression (default: "arp").
.TP
.B
\fB-s\fP \fItime\fP
Sleep the given \fItime\fP in milliseconds between each ARP request injection.
(default 1)
.TP
.B
\fB-c\fP \fIcount\fP
Number of times to send each ARP request.
Useful for networks with packet loss, since each host is then scanned the given
number of times. (default 1)
.TP
.B
\fB-n\fP \fInode\fP
Last IP octet of the source IP used for scanning. You can change it if the
default host (x.x.x.67) is already used. (allowed range is 2 to 253,
default 67)
.TP
.B
\fB-d\fP
Ignore configuration files in the home directory (for autoscan and fast mode
only). This will use default ranges and IPs for autoscan and fast mode. See
below for information about configuration files.
.TP
.B
\fB-f\fP
Enable fast mode scan. This will only scan for .1, .100 and .254 on each
network. This mode is useful while searching for ranges being used. After you
have found such a range, you can make a specific range scan to find online
boxes.
.TP
.B
\fB-P\fP
Produce output suitable to be redirected into a file or to be parsed by
another program, instead of using interactive mode. With this option enabled,
\fBnetdiscover\fP will stop after scanning the given ranges.
.TP
.B
\fB-L\fP
Similar to \fB-P\fP, but continue program execution after the active scan
phase to capture ARP packets passively.
.TP
.B
\fB-N\fP
Do not print header. Only valid when \fB-P\fP or \fB-L\fP is enabled.
.TP
.B
\fB-S\fP
(DEPRECATED) Enable sleep time suppression between each request. If set,
\fBnetdiscover\fP will sleep after having scanned 255 hosts instead of sleeping
after each one. This mode was used in \fBnetdiscover\fP 0.3 beta4 and before.
Avoid this option in networks with packet loss, or in wireless networks with
low signal level. (also called hardcore mode)
.SH USAGE
If the passive mode (\fB-p\fP), scan list (\fB-l\fP) or scan range (\fB-r\fP)
options aren't enabled, \fBnetdiscover\fP will scan for common LAN addresses
(192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8).
.PP
Screen control keys:
.PP
.nf
.fam C
    h    Show help screen.
    j    Scroll down (or down arrow).
    k    Scroll up (or up arrow).
    \&.    Scroll page up.
    ,    Scroll page down.
    q    Close help screen or end application.
.fam T
.fi
Screen views:
.PP
.nf
.fam C
    a    Show ARP replies list.
    r    Show ARP requests list.
    u    Show unique hosts detected.
.fam T
.fi
.SH CONFIG FILES
There are 2 configuration files that \fBnetdiscover\fP will look for each time
it is executed. If the files don't exist, \fBnetdiscover\fP will use default
values. You can use the \fB-d\fP switch to disable reading and loading
configuration files.
.TP
.B
~/.netdiscover/ranges
This file contains a list of ranges (one per line) used for auto scan mode
instead of the default ranges. By default \fBnetdiscover\fP will use a list of
common ranges used on local networks.
.PP
Example:
.PP
.nf
.fam C
    192.168.21.0/24
    172.26.0.0/16
    10.0.0.0/8
.fam T
.fi
.TP
.B
~/.netdiscover/fastips
List containing the last octet of the IPs to be scanned on each subnet when
using fast mode (\fB-f\fP), by default (1,100,154). You must put one number per
line.
.SH USAGE EXAMPLES
Scan common LAN addresses on eth0:
.PP
.nf
.fam C
    # netdiscover -i eth0
.fam T
.fi
Fast scan common LAN addresses on eth0 (search only for gateways):
.PP
.nf
.fam C
    # netdiscover -i eth0 -f
.fam T
.fi
Scan some fixed ranges:
.PP
.nf
.fam C
    # netdiscover -i eth0 -r 172.26.0.0/24
    # netdiscover -r 192.168.0.0/16
    # netdiscover -r 10.0.0.0/8
.fam T
.fi
Scan common LAN addresses with a sleep time of 0.5 milliseconds instead of the
default 1:
.PP
.nf
.fam C
    # netdiscover -s 0.5
.fam T
.fi
Scan a fixed range in fast mode with a sleep time of 0.5 milliseconds instead
of the default 1:
.PP
.nf
.fam C
    # netdiscover -r 192.168.0.0/16 -f -s 0.5
.fam T
.fi
Scan a range using 101 as the last octet for the SOURCE IP:
.PP
.nf
.fam C
    # netdiscover -r 10.1.0.0/16 -n 101
.fam T
.fi
Only sniff for ARP traffic, don't send anything:
.PP
.nf
.fam C
    # netdiscover -p
.fam T
.fi
.SH AUTHOR
\fBnetdiscover\fP was written by Jaime Penalba Estebanez.
.PP
This manual page was originally written by Nicolas Weyland, for the Debian
project.
This man page has been merged into the \fBnetdiscover\fP project and modified
from the original by Jaime Penalba and Joao Eriberto Mota Filho.
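.PP
Seen from the monitoring side, the active scans described under OPTIONS leave a recognisable ARP pattern: one sender asking for many targets in a short time, or only for .1, .100 and .254 across many networks in fast mode, by default from a source address ending in .67. The following Python detector is an added example, not part of netdiscover or its manual page; the record layout, thresholds, MAC addresses and sample requests are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

FAST_OCTETS = {1, 100, 254}  # hosts probed per network in fast mode (-f)
DEFAULT_NODE = 67            # default last octet of the scan source IP (-n)

def detect_arp_sweeps(requests, window=5.0, min_targets=32, min_fast_subnets=8):
    """Map sender MAC -> finding for ARP request patterns that look like a scan.

    requests: iterable of (timestamp_s, sender_mac, sender_ip, target_ip).
    Thresholds are assumptions to tune per network, not netdiscover values.
    """
    by_mac = defaultdict(list)
    for ts, mac, sender, target in requests:
        by_mac[mac].append((ts, int(ip_address(sender)), int(ip_address(target))))
    findings = {}
    for mac, rows in by_mac.items():
        rows.sort()
        start = peak = 0
        for end in range(len(rows)):  # sliding window: most distinct targets
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, len({r[2] for r in rows[start:end + 1]}))
        octets = {r[2] & 0xFF for r in rows}
        subnets = {r[2] >> 8 for r in rows}  # /24 networks touched
        if octets <= FAST_OCTETS and len(subnets) >= min_fast_subnets:
            kind = "fast-mode probe"
        elif peak >= min_targets:
            kind = "range sweep"
        else:
            continue
        findings[mac] = {
            "kind": kind, "peak_targets": peak, "subnets": len(subnets),
            # Hint only: every request claims the default x.x.x.67 source.
            "default_node": all(r[1] & 0xFF == DEFAULT_NODE for r in rows),
        }
    return findings

def sample_requests():
    """Constructed ARP requests (not a real capture), 1 ms apart per sender."""
    reqs = [(i * 0.001, "02:00:00:00:00:aa", f"192.168.{i // 3}.67",
             f"192.168.{i // 3}.{(1, 100, 254)[i % 3]}") for i in range(120)]
    reqs += [(i * 0.001, "02:00:00:00:00:bb", "10.1.0.101", f"10.1.0.{i}")
             for i in range(1, 255)]
    reqs += [(0.0, "02:00:00:00:00:cc", "192.168.1.20", "192.168.1.1"),
             (30.0, "02:00:00:00:00:cc", "192.168.1.20", "192.168.1.50"),
             (60.0, "02:00:00:00:00:cc", "192.168.1.20", "192.168.1.1")]
    return reqs

if __name__ == "__main__":
    for mac, finding in detect_arp_sweeps(sample_requests()).items():
        print(mac, finding)
```

A scan run with a longer \fB-s\fP sleep or a non-default \fB-n\fP node spreads out or changes these markers, so the window and thresholds need tuning against the network's normal ARP volume.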