**This file gives a brief overview of the major changes between each *arp-scan* release. For more details please read the `ChangeLog` file.**
# 2023-02-26 arp-scan 1.10.1-git (in development)
* New Features:
- New `-m` option for `arp-fingerprint` to display the host MAC addresses.
- OpenBSD: Call `pledge(2)` to enter restricted service mode once initial setup is complete. `arp-scan --version` output includes `Built with
OpenBSD pledge(2) support` if applicable.
- New `${IPnum}` field name for the `--format` option which displays the host IP address as a 32-bit unsigned integer. This allows sorting by IP address by numeric sort on the `${IPnum}` column.
* Fixed Bugs:
- Fall back to system mapping files if user lacks execute permission in the current directory, which can happen if a capabilities-aware *arp-scan* is run as root.
- Add `pcap_freecode()` to free BPF program memory when no longer needed.
- Do not enable promiscuous mode on the network interface as it is not needed.
* General Improvements and Changes:
- `get-oui` displays the underlying system error if the download fails instead of a generic "download failed" message.
- CARP and IPv6 VRRP addresses added to mac-vendor.txt.
- Append `-git` to version number for pre release git development versions.
- wiki moved from mediawiki to [github wiki](https://github.com/royhills/arp-scan/wiki).
- Self-test code coverage increased to 91.2% (see [code-coverage.yml](/.github/workflows/code-coverage.yml) for details of the code coverage tests).
- `CONTRIBUTING.md` and `SECURITY.md` files added.
- Change message about interface network and mask used for --localnet, and don't require --verbose to display it.
- Various minor improvements to the code and documentation.
# 2022-12-10 arp-scan 1.10.0 (git tag 1.10.0)
## New Features
* **POSIX.1e capabilities support for Linux systems with libcap.**
- Uses `CAP_NET_RAW` capability instead of superuser (root) permissions.
- May need `libcap-dev` or similar package to build. *Note that `libcap`
(capabilities) and `libpcap` (packet capture) are different libraries.*
- configure option `--with-libcap`, defaults to auto.
- Can set capability on exe with: `setcap cap_net_raw+p /path/to/arp-scan`
- Initially clears effective set completely and clears everything except
CAP_NET_RAW from the permitted set. Only enables CAP_NET_RAW in effective
set for the functions that open raw sockets. Once sockets opened, removes
CAP_NET_RAW from both effective and permitted set so process can never
re enable it.
- If arp-scan is SUID root, will drop all capabilities except CAP_NET_RAW
as above and will also drop SUID with `setuid(getuid())`. So SUID root is
essentially as secure as `setcap cap_net_raw+p /path/to/arp-scan` and is a
safe alternative if the filesystem does not support extended attributes.
- If arp-scan is run as root, e.g. `sudo`, it will drop all capabilities
except CAP_NET_RAW and proceed as previously, but will remain as UID 0
and may encounter file permissions issues if it tries to open files with
e.g. `--pcapsavefile` or `--ouifile` in user directories.
- `--version` displays `Built with libcap POSIX.1e capability support` if
enabled.
- `make install` installs the arp-scan executable with the `CAP_NET_RAW`
capability if `setcap` is available and works. Otherwise will fallback to
SUID. See `install-exec-hook` in `Makefile.am` for details.
* **--format option allows flexible output format.**
- Fields and text with \ character escapes, e.g. `${ip}\t${mac}\t${vendor}`
- Optional left/right aligned width, e.g. `|${ip;-15}|${mac}|`
- XML: `${ip}${mac}${vendor}`
- JSON: `{"ipAddress":"${ip}", "macAddress":"${mac}", "vendor":"${vendor}"},`
- See the arp-scan manpage for details of field names and more examples.
* **Mac/Vendor mapping file changes.**
- `ieee-oui.txt` now holds data for all IEEE registries: MA-L (OUI), MA-M,
MA-S (OUI36) and IAB.
- `ieee-iab.txt` file and `--iabfile` option have been removed.
- `get-oui` now updates `ieee-oui.txt` from all registries. `get-iab` has been
removed.
- `get-oui` requires Perl module `Text::CSV` as it now uses the IEEE .csv
files instead of the .txt files.
- `get-oui` can be edited to use the data from the Debian `ieee-data` package.
- `mac-vendor.txt` is now installed to `$(sysconfdir)/$(PACKAGE)` instead of
`$(pkgdatadir)`. E.g. `/usr/local/etc/arp-scan` if ./configured with no
directory options, or `/etc/arp-scan` with `--sysconfdir=/etc`. This is to
permit local changes to persist across upgrades.
## General improvements
* Put man pages and `--help` output on a diet. Updated for new options.
* Option value length is now limited only by the maximum command line
length (normally around 100K). This allows for complex `--format` options,
long `--padding` lengths etc.
* arp-scan now prints a brief error message instead of half a page of usage
text for unknown options.
# 2022-10-08 arp-scan 1.9.8 (git tag 1.9.8)
* New Features:
- Allow the use of Linux IP aliases such as `eth0:0` for the interface name.
- Permit regular MAC addresses e.g. `00:0c:29:b9:43:1b` in `mac-vendor.txt`.
- `--limit=n` option exits after n of hosts have responded, exit 1 for header file early in link-bpf.c to avoid BPF symbol
problems on some BSD based operating systems.
* Added arp-fingerprint patterns for GNU/Hurd, Amazon Kindle (Linux 2.6),
BeOS, Windows 8, Recent Linux, FreeBSD, NetBSD and OpenBSD versions, and
RiscOS.
* Added data file "pkt-custom-request-vlan-llc.dat" to the tarball to allow
the ARP request packet generation self test to complete successfully.
* Various minor bug fixes and improvements.
# 2011-03-01 arp-scan 1.8:
* Updated IEEE OUI and IAB MAC/Vendor files. There are now 14707 OUI entries
and 3542 IAB entries.
* Added support for trailer ARP replies, which were used in early versions
of BSD Unix on VAX.
* Added support for ARP packets with both 802.1Q VLAN tag and LLC/SNAP framing.
* The full help output is only displayed if specifically requested with
arp-scan --help. Usage errors now result in smaller help output.
* Added support for Apple Mac OS X with Xcode 2.5 and later. This allows
arp-scan to build on Tiger, Leopard and Snow Leopard.
* Changed license from GPLv2 to GPLv3.
* Added warning about possible DoS when setting ar$spa to the destination IP
address to the help output and man page.
* Added arp-fingerprint patterns for 2.11BSD, NetBSD 4.0, FreeBSD 7.0,
Vista SP1, Windows 7 and Blackberry OS.
* Enabled compiler security options -fstack-protect, -D_FORTIFY_SOURCE=2 and
-Wformat-security if they are supported by the compiler. Also enabled extra
warnings -Wwrite-strings and -Wextra.
* Added new "make check" tests to check packet generation, and packet decoding
and display.
* Modified get-oui and get-iab perl scripts so they will work on systems where
the perl interpreter is not in /usr/bin, e.g. NetBSD.
* Various minor bug fixes and improvements.
# 2008-07-24 arp-scan 1.7:
* new --pcapsavefile (-W) option to save the ARP response packets to a pcap
savefile for later analysis with tcpdump, wireshark or another program that
supports the pcap file format.
* new --vlan (-Q) option to create outgoing ARP packets with an 802.1Q VLAN tag
ARP responses with a VLAN tag are interpreted and displayed.
* New --llc (-L) option to create outgoing ARP packets with RFC 1042 LLC/SNAP
framing. Received ARP packets are decoded and displayed with either
LLC/SNAP or the default Ethernet-II framing irrespective of this option.
* Avoid double unmarshalling of packet data: once in callback, then again in
display_packet().
* New arp-fingerprint patterns for ARP fingerprinting: Cisco 79xx IP Phone
SIP 5.x, 6.x and 7.x; Cisco 79xx IP Phone SIP 8.x.
* Updated IEEE OUI and IAB MAC/Vendor files. There are now 11,697 OUI entries
and 2,386 IAB entries.
# 2007-04-12 arp-scan 1.6:
* arp-scan wiki at http://www.nta-monitor.com/wiki/
This contains detailed documentation on arp-scan, and is intended to be
the primary documentation resource.
* Added support for Sun Solaris. Tested on Solaris 9 (SPARC). arp-scan may
also work on other systems that use DLPI, but only Solaris has been tested.
* New arp-fingerprint patterns for ARP fingerprinting: IOS 11.2, 11.3 and 12.4;
ScreenOS 5.1, 5.2, 5.3 and 5.4; Cisco VPN Concentrator 4.7; AIX 4.3 and 5.3;
Nortel Contivity 6.00 and 6.05; Cisco PIX 5.1, 5.2, 5.3, 6.0, 6.1, 6.2, 6.3
and 7.0.
* Updated IEEE OUI and IAB MAC/Vendor files. There are now 10,214 OUI entries
and 1,858 IAB entries.
* Added HSRP MAC address to mac-vendor.txt.
# 2006-07-22 arp-scan 1.5:
* Reduced memory usage from 44 bytes per target to 28 bytes. This reduces
the memory usage for a Class-B network from 2.75MB to 1.75MB, and a Class-A
network from 704MB to 448MB.
* Reduced the startup time for large target ranges. This reduces the startup
time for a Class-A network from 80 seconds to 15 seconds on a Compaq laptop
with 1.4GHz CPU.
* Added support for FreeBSD, OpenBSD, NetBSD and MacOS X (Darwin). arp-scan
will probably also work on other operating systems that implement BPF, but
only those listed have been tested.
* Improved operation of the --srcaddr option. Now this will change the
source hardware address in the Ethernet header without changing the
interface address.
* Additional fingerprints for arp-fingerprint.
* Improved manual pages.
* Updated IEEE OUI and IAB files. There are now 9,426 OUI entries and 1,568
IAB entries.
# 2006-06-26 arp-scan 1.4:
* Added IEEE IAB listings and associated get-iab update script and --iabfile
option.
* Added manual MAC/Vendor mapping file: mac-vendor.txt and associated
--macfile option.
* New --localnet option to scan all IP addresses on the specified interface
network and mask.
# 2006-06-23 arp-scan 1.3:
* Initial public release. Source distribution only, which will compile and
run on Linux.