search

v-byte-cpu / sx

:vulcan_salute: Fast, modern, easy-to-use network scanner
MIT License
1.44k stars 109 forks source link

sx arp finds fewer results compared to arp-scan #141

Closed seriousm4x closed 11 months ago

seriousm4x commented 11 months ago

While playing around with sx for the first time, I noticed that sx finds fewer devices on the network than arp-scan. Are there any major differences in how they operate or what could cause this?

Mac addresses are replaced with ---. sx:

~/r/sx ❯❯❯ ./sx arp 10.1.1.0/24
10.1.1.2             ---    Raspberry Pi Trading Ltd
10.1.1.22            ---    Philips Lighting BV
10.1.1.3             ---    ASUSTek COMPUTER INC.
10.1.1.21            ---    TP-LINK TECHNOLOGIES CO.,LTD.
10.1.1.29            ---
10.1.1.232           ---    Brother Industries, LTD.
10.1.1.1             ---    AVM Audiovisuelles Marketing und Computersysteme GmbH
10.1.1.3             ---    ASUSTek COMPUTER INC.
10.1.1.19            ---

arp-scan:

~/r/sx ❯❯❯ arp-scan -g 10.1.1.0/24
Interface: enp5s0, type: EN10MB, MAC: ---, IPv4: 10.1.1.23
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
10.1.1.2    --- Raspberry Pi Trading Ltd
10.1.1.3    --- ASUSTek COMPUTER INC.
10.1.1.1    --- AVM Audiovisuelles Marketing und Computersysteme GmbH
10.1.1.21   --- TP-LINK TECHNOLOGIES CO.,LTD.
10.1.1.22   --- Philips Lighting BV
10.1.1.29   --- QEMU
10.1.1.18   --- Espressif Inc.
10.1.1.19   --- Espressif Inc.
10.1.1.72   --- (Unknown: locally administered)
10.1.1.4    --- AVM Audiovisuelles Marketing und Computersysteme GmbH
10.1.1.232  --- Brother Industries, LTD.
10.1.1.253  --- AVM Audiovisuelles Marketing und Computersysteme GmbH
10.1.1.254  --- AVM Audiovisuelles Marketing und Computersysteme GmbH
10.1.1.229  --- Apple, Inc.

15 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.956 seconds (130.88 hosts/sec). 14 responded
v-byte-cpu commented 11 months ago

Hi @seriousm4x you can try running the utility with the increased option --exit-delay. By default sx waits only 300ms for last response packets. Anyway try restarting the utility several times and compare the results, sx sends only one arp request packet per ip address (it was done intentionally), so maybe some devices did not have time to send arp responses properly.

seriousm4x commented 11 months ago

Thanks! Raising the exit-delay to 2s definitely increases the count.

Default:

~/r/sx ❯❯❯ for i in {1..10}; do ./sx arp 10.1.1.0/24 | wc -l; done
8
9
8
7
10
10
9
10
8
10

2s:

~/r/sx ❯❯❯ for i in {1..10}; do ./sx arp --exit-delay 2s 10.1.1.0/24 | wc -l; done
12
13
14
14
15
12
13
14
13
16