Discover Network Hosts with NetDiscover

January 5, 2016 | Views: 25181

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

NetDiscover is a very neat tool for finding hosts on either wireless or switched networks. It can be used both in active or in passive mode.

ARP stands for Address Resolution Protocol and it allows the discovery of which host has which MAC address. The MAC address is the physical address of the hosts network card.

NetDiscover comes preinstalled with Kali Linux and is quite easy to use.


In passive mode, the tool is silent. It doesn’t send any data at all – it simply sniffs the network for ARP requests.

On my Kali Linux virtual host, I can simply ask NetDiscover to run in passive mode by entering the following command:

> netdiscover -i eth0 -p

It’s important to know that ARP requests are not routed on a network, so if you’re sing Kali Linux as a virtual machine with NAT, it might not work as expected. You should have your network in bridged mode to sniff ARP requests on the network you are connected to.

Also, when running in passive mode, hosts will appear over time as their ARP requests are picked up by NetDiscover.

If you run Netdiscover in active mode, it can discover every host on a network by sending ARP requests. This is more efficient than using ICMP (Ping packets), as ICMP can be filtered by a host’s local firewall, while ARP requests simply cant be blocked.

If ARP were to be blocked, the host would not be able to communicate on an Ethernet network at all. Using ARP is a very neat way of finding all online hosts on a network.

To run NetDiscover in active mode, remove the -p flag; there are a few options for active scanning. If you are unsure of what network you are on, you can test several networks to see if there’s any traffic.

  • The -r flag allows you to specify this, as an example -r
  • If you do not specify this, NetDiscover will use the auto scan feature to scan the most common internal networks.
  • If you’re using the auto scan feature, you should also probably use the -f flag for fast. This tells NetDiscover not to try every IP on every network specified but instead try a few ones.
  • Once you see ARP requests for a particular network, you can run NetDiscover again for that particular network without the -f flag and use the -r flag to specify which particular network you want to scan every IP for.

Here’s an example of running Netdiscover in active mode:

> netdiscover -i eth0 -r -f


The manpage is available at man netdiscover and the webpage for NetDiscover can be found at

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. i should not forget about this one

Page 3 of 3«123
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?