arp-fingerprint fingerprints the specified target host using the ARP protocol.
It sends various different types of ARP request to the target, and records which types it responds to.
From this, it constructs a fingerprint string consisting of "1" where the target responded and "0" where
it did not. An example of a fingerprint string is 01000100000. This fingerprint string is then used to
lookup the likely target operating system.
Many of the fingerprint strings are shared by several operating systems, so there is not always a one-to-
one mapping between fingerprint strings and operating systems. Also the fact that a system's fingerprint
matches a certain operating system (or list of operating systems) does not necessarily mean that the
system being fingerprinted is that operating system, although it is quite likely. This is because the
list of operating systems is not exhaustive; it is just what I have discovered to date, and there are
bound to be operating systems that are not listed.
The ARP fingerprint of a system is generally a function of that system's kernel (although it is possible
for the ARP function to be implemented in user space, it almost never is).
Sometimes, an operating system can give different fingerprints depending on the configuration. An
example is Linux, which will respond to a non-local source IP address if that IP is routed through the
interface being tested. This is both good and bad: on one hand it makes the fingerprinting task more
complex; but on the other, it can allow some aspects of the system configuration to be determined.
Sometimes the fact that two different operating systems share a common ARP fingerprint string points to a
re-use of networking code. One example of this is Windows NT and FreeBSD.
arp-fingerprint uses arp-scan to send the ARP requests and receive the replies.
There are other methods that can be used to fingerprint a system using arp-scan which can be used in
addition to arp-fingerprint. These additional methods are not included in arp-fingerprint either because
they are likely to cause disruption to the target system, or because they require knowledge of the
target's configuration that may not always be available.
Most of the ARP requests that arp-fingerprint sends are non-standard, so it could disrupt systems that
don't have a robust TCP/IP stack.