Thursday, June 25, 2009

ARP Scan versus Ping Sweep

Today I had a user ask me what the difference was between ARP Scan and Ping Sweep (NetScanner) and why he gets different results when running them on his 192.168.0.x subnet.

Here was my answer:

There is a difference between ARP Scan and Ping Sweep. When you do an ARP Scan of a subnet, all devices that communicate with IPv4 on that subnet must respond to ARP packets. If they don't respond they cannot communicate with any other machine. This even applies to devices that are running firewalls and do not respond to ICMP echo request packets (ping packets).

When you use Ping Sweep on that same subnet, you are sending ICMP echo request packets to every device. If the device (computer) is running a third party 'personal' firewall or even something like the built-in Windows Firewall, it may not respond depending on the firewall settings. So you will see fewer devices respond with Ping Sweep than with ARP Scan.

They both have their uses because ARP Scan does not work once it crosses a router to another subnet or WAN. ICMP packets generated by Ping Sweep are routed unless deliberately blocked, even across the internet.
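As an added illustration (not part of the original post), the Python below puts the two probe types side by side at the byte level and then reconciles the two result sets the way the answer above describes. The MAC address, subnet and host lists are constructed sample values.

```python
import ipaddress
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP message (pad odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """ICMP echo request (type 8, code 0). It rides inside an IP packet, so routers forward it."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def build_arp_request(src_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Broadcast Ethernet frame carrying an ARP who-has. No IP header at all, so it never crosses a router."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x06"            # dst broadcast, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # Ethernet, IPv4, hlen 6, plen 4, opcode 1 = request
    arp += src_mac + ipaddress.IPv4Address(src_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(dst_ip).packed   # target MAC unknown
    return eth + arp

def reconcile(scanner_net: str, arp_seen: set, ping_seen: set, targets: list) -> dict:
    """Classify each target from the two scans: ARP is authoritative on-link, ping is all you get off-link."""
    net = ipaddress.ip_network(scanner_net, strict=False)
    report = {}
    for t in targets:
        if ipaddress.ip_address(t) not in net:
            report[t] = "off-link"            # ARP cannot reach it; only the ping result means anything
        elif t in arp_seen and t in ping_seen:
            report[t] = "up-icmp-ok"
        elif t in arp_seen:
            report[t] = "up-icmp-filtered"    # alive, but echo requests dropped (host firewall)
        elif t in ping_seen:
            report[t] = "ping-only"           # unusual on-link: look for proxy ARP or stale results
        else:
            report[t] = "no-response"
    return report

# Constructed sample scan results for a scanner sitting on 192.168.0.0/24.
SAMPLE_ARP = {"192.168.0.5", "192.168.0.9"}
SAMPLE_PING = {"192.168.0.5", "10.0.0.1"}
SAMPLE_TARGETS = ["192.168.0.5", "192.168.0.9", "10.0.0.1", "192.168.0.20"]

if __name__ == "__main__":
    for host, verdict in reconcile("192.168.0.0/24", SAMPLE_ARP, SAMPLE_PING, SAMPLE_TARGETS).items():
        print(host, verdict)
```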
