Netdiscover: ARP Host Discovery for Penetration Testing

During the network reconnaissance phase of a penetration test, one of the most practical questions is also one of the simplest: “what devices are on this local network around me?” Netdiscover is a lightweight, fast tool that answers exactly that question through ARP discovery, and it remains a staple of any penetration tester’s toolkit during internal network engagements and laboratory exercises.

Legal & ethical scope: Use Netdiscover only on networks for which you have explicit written authorization (Rules of Engagement) or on isolated lab environments (VMs, host-only networks). Scanning third-party networks without permission may violate the Computer Fraud and Abuse Act (CFAA) in the United States, the Computer Misuse Act in the United Kingdom, equivalent statutes in other jurisdictions, and the GDPR where personal data is involved.

What is Netdiscover

Netdiscover is an open-source tool for active and passive host discovery on local networks. It is built on top of the libnet and libpcap libraries and relies on ARP requests to detect live devices within a LAN segment. In passive mode it only sniffs existing traffic — sending no packets at all — which makes it ideal for low-noise network mapping when you want to avoid appearing in IDS/IPS logs with active ARP probes.

In addition, Netdiscover reads the OUI (Organizationally Unique Identifier) table to map each MAC address to its manufacturer — a small but useful detail that supports quick device fingerprinting (router, IoT appliance, printer, VMware or VirtualBox virtual machine, and so on).

Where it fits in the pentest methodology

ARP discovery sits firmly in the Active Reconnaissance phase, specifically inside the Network Discovery step of an internal penetration test or a post-exploitation scenario. It maps to MITRE ATT&CK T1018 — Remote System Discovery (tactic: Discovery, TA0007) when performed after initial access on an internal host.

  • Before Netdiscover: you have already gained access to an internal host (for example, on a lab VM or during an authorized engagement).
  • After Netdiscover: targeted port scanning with Nmap, service enumeration, and vulnerability assessment against the live hosts you identified.

Installation

On Kali Linux, Parrot OS, and other offensive-security distributions, Netdiscover is usually pre-installed. On a clean Debian or Ubuntu lab VM:

sudo apt update
sudo apt install -y netdiscover

Confirm the installation and the version:

netdiscover -v
# Netdiscover 0.10

Core Netdiscover flags

Flag           Meaning
-i <iface>     Select the network interface (e.g. eth0, wlan0).
-r <range>     Scan a specific range in CIDR notation (e.g. 192.168.56.0/24).
-l <file>      Scan a list of ranges read from a file.
-p             Passive mode — sniff only, no ARP requests sent.
-m <file>      Check known MAC addresses against a file.
-F <filter>    Custom pcap filter (default: arp).
-s <time>      Delay (ms) between ARP requests — useful to avoid flooding the wire.
-c <count>     How many times each ARP request is sent (for lossy networks).
-f             Fast scan mode.
-P             Parsable output — exits after the active scan completes.
-L             Same as -P but continues passive listening.
-N             Skip the header (only with -P or -L).
-S             "Hardcore" mode — no delay between probes.

Practical examples (lab environment)

All of the following examples run inside an isolated lab network — for instance, VirtualBox Host-Only at 192.168.56.0/24 or a VMware Custom network at 10.10.10.0/24. Netdiscover requires root privileges for raw socket access.

1. Automatic discovery (auto-scan)

sudo netdiscover

With no parameters, Netdiscover auto-detects the active interface and scans common RFC1918 private ranges. Expected lab output:

 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address      Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0e     1       60   Unknown vendor
 192.168.56.100  08:00:27:1a:2b:3c     1       60   PCS Systemtechnik GmbH
 192.168.56.101  08:00:27:4d:5e:6f     1       60   PCS Systemtechnik GmbH
 192.168.56.254  08:00:27:7a:8b:9c     1       60   PCS Systemtechnik GmbH

2. Targeted scan of a specific range

sudo netdiscover -i eth0 -r 192.168.56.0/24

Specifying both interface and subnet explicitly is the only safe way to avoid noisy probes against networks that are outside the engagement scope.

3. Passive mode (stealth listening)

sudo netdiscover -i eth0 -p

The -p flag sends nothing — it only listens to existing ARP traffic. This is the lowest-noise mode and is the right choice for authorized red team engagements that explicitly require avoiding ARP-based detections in the SIEM.

4. Parsable output for a tool pipeline

sudo netdiscover -i eth0 -r 192.168.56.0/24 -P -N | tee hosts.txt
# Then extract only IPs for use with Nmap:
awk '{print $1}' hosts.txt > live_hosts.lst
nmap -iL live_hosts.lst -sV -T3

This pipeline is a typical example of combining Netdiscover (discovery) with Nmap (service enumeration) during an authorized internal assessment.
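The one-liner above feeds the first column straight into Nmap. The following script is an added example (not part of the original article) that hardens that step: it validates that the first field is really an IPv4 address before passing it on, so header lines or the trailer that netdiscover prints after an active scan never end up in the Nmap target list, and it can also turn the same output into a CSV of IP, MAC and vendor for the report. The sample output embedded in the script is constructed to mimic the parsable format; the function names and the timestamped archive file name are this example's own choices.

```shell
#!/bin/sh
# Added example: parse `netdiscover -P -N` output into a host list and a CSV.
# Not from the netdiscover project; the sample below is constructed, not a capture.

# Constructed stand-in for what
#   sudo netdiscover -i eth0 -r 192.168.56.0/24 -P -N
# writes: one host per line, then a trailer line beginning with "--".
SAMPLE_NETDISCOVER_OUTPUT=' 192.168.56.1     0a:00:27:00:00:0e      1      60  Unknown vendor
 192.168.56.100   08:00:27:1a:2b:3c      1      60  PCS Systemtechnik GmbH
 192.168.56.101   08:00:27:4d:5e:6f      2     120  PCS Systemtechnik GmbH
 192.168.56.254   08:00:27:7a:8b:9c      1      60  PCS Systemtechnik GmbH
-- Active scan completed, 4 Hosts found.'

# extract_live_hosts: read parsable netdiscover output on stdin and print only
# the first field of lines whose first field is a dotted-quad IPv4 address.
# A bare `awk '{print $1}'` would also pass "--" (and a header, if -N was
# forgotten) into Nmap's -iL list; validating the field avoids that.
extract_live_hosts() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }'
}

# to_csv: same filter, but emit "ip,mac,vendor" for the engagement report.
# The vendor string is everything from field 5 onward (it may contain spaces).
to_csv() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        vendor = $5
        for (i = 6; i <= NF; i++) vendor = vendor " " $i
        printf "%s,%s,%s\n", $1, $2, vendor
    }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NETDISCOVER_OUTPUT" | extract_live_hosts
printf '%s\n' "$SAMPLE_NETDISCOVER_OUTPUT" | to_csv

# In a lab, the real pipeline keeps a timestamped copy of the raw output for
# the report and hands the cleaned list to Nmap (file name is this example's):
#   sudo netdiscover -i eth0 -r 192.168.56.0/24 -P -N \
#     | tee "netdiscover_$(date +%Y%m%dT%H%M%S).txt" \
#     | extract_live_hosts > live_hosts.lst
#   nmap -iL live_hosts.lst -sV -T3
```

The filter is deliberately simple (four numeric octets); it is meant to reject non-host lines, not to validate every octet range, which Nmap will do itself when it reads the list.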

Common mistakes and pitfalls

  • Wrong interface: Running on a wireless interface that is not connected to a network will produce zero ARP traffic. Use ip a or ifconfig to confirm the correct iface.
  • Out-of-scope scanning: Auto-scan can reach subnets that are not part of the engagement. Always pin the scope with an explicit -r range.
  • Requires root: Raw sockets need root or the CAP_NET_RAW capability. Always run with sudo.
  • ARP does not cross routers: Netdiscover operates only inside the same Layer-2 broadcast domain. You will not see hosts behind a router or firewall.
  • VPN tunnels: On tap/tun interfaces ARP may not be present — fall back to nmap -sn with ICMP/TCP discovery.

Defensive / Blue team perspective

From a defender’s point of view, mass ARP requests are relatively easy to detect:

  • Network IDS: Suricata or Zeek rules that flag ARP scans (for example, arp.opcode == 1 at a high rate from a single MAC).
  • Switch port security: Limit the MAC count per port plus DHCP snooping and Dynamic ARP Inspection (DAI) on enterprise switches.
  • Endpoint monitoring: Sysmon Event ID 22 covers DNS lookups rather than ARP, but PowerShell or process-level monitoring will catch the execution of tools such as netdiscover.
  • Honeypots: Conpot or T-Pot deployed on unused IPs will attract ARP probes from reconnaissance tools and provide early warning.
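The NIDS bullet above describes the detection idea: one MAC address issuing ARP requests for many different IPs in a short time. The script below is an added example (not from the article or any of the tools it names) that implements that check with awk over ARP lines in the format `tcpdump -e -n arp` prints. The log lines are generated by the script itself and are constructed, not a real capture; the threshold of distinct targets per source MAC, the function names and the alert format are this example's own assumptions.

```shell
#!/bin/sh
# Added example: flag an ARP sweep from tcpdump-style ARP lines.
# Not from netdiscover, Suricata or Zeek; sample traffic below is constructed.

# sample_arp_log: emit constructed lines shaped like `tcpdump -e -n arp`
# output. One MAC (the simulated scanner) asks who-has for 30 consecutive
# IPs; a normal host asks for its gateway twice; one reply is included to
# show that non-request lines are ignored.
sample_arp_log() {
    i=1
    while [ "$i" -le 30 ]; do
        printf '12:00:00.%06d 08:00:27:1a:2b:3c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.56.%d tell 192.168.56.100, length 28\n' "$i" "$i"
        i=$((i + 1))
    done
    printf '12:00:01.000001 08:00:27:7a:8b:9c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.56.1 tell 192.168.56.254, length 28\n'
    printf '12:00:01.000002 08:00:27:7a:8b:9c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.56.1 tell 192.168.56.254, length 28\n'
    printf '12:00:01.000003 0a:00:27:00:00:0e > 08:00:27:7a:8b:9c, ethertype ARP (0x0806), length 42: Reply 192.168.56.1 is-at 0a:00:27:00:00:0e, length 28\n'
}

# flag_arp_sweeps THRESHOLD: read ARP lines on stdin; for every ARP request
# count, per source MAC, how many distinct target IPs were asked for.
# Retransmits for the same target (normal behaviour) do not raise the count.
# Sources at or above THRESHOLD distinct targets are reported as alerts.
flag_arp_sweeps() {
    awk -v threshold="$1" '
        /Request who-has/ {
            src = $2                         # with tcpdump -e the source MAC is field 2
            for (i = 1; i <= NF; i++) if ($i == "who-has") target = $(i + 1)
            if (!((src, target) in seen)) { seen[src, target] = 1; targets[src]++ }
            requests[src]++
        }
        END {
            for (src in targets)
                if (targets[src] >= threshold)
                    printf "ALERT src=%s distinct_targets=%d requests=%d\n",
                           src, targets[src], requests[src]
        }'
}

# Stand-alone demonstration: the scanner MAC trips a threshold of 20,
# the host that only asked for its gateway does not.
sample_arp_log | flag_arp_sweeps 20
```

In practice the threshold should be tuned per segment and applied over a time window (for example by feeding the script one minute of capture at a time); the distinct-target count, rather than the raw request count, is what separates a sweep from a chatty host that keeps re-asking for the same address.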

Best practices

  • Always obtain written authorization (Rules of Engagement) before any scan.
  • Pin the scope with an explicit range via -r instead of relying on auto-scan.
  • Use passive mode (-p) when the engagement requires low noise.
  • Archive output with timestamps for the final report (-P plus redirect to a file).
  • Combine with Nmap, arp-scan, or Responder for a more complete network picture.

Summary

Netdiscover is one of the most practical tools for fast ARP-based host discovery on local networks. It combines speed, ease of use, and a passive mode that reduces the detection footprint. On every authorized internal pentest or lab exercise it deserves a place in your recon workflow — used, as always, with a clear scope and proper legal cover.

Next steps

If you want to dig deeper into network reconnaissance and offensive security, see also:

For a complete penetration testing curriculum, see the Audax Cybersecurity Academy.
