List all MAC addresses and their associated IP addresses in my local network (LAN)

You can use the Nmap utility for this. Nmap is a free network scanner utility.

Try just:

sudo nmap -sn 192.168.1.0/24

Please substitute your network identifier and subnet mask.

How to find a network ID and subnet mask

Use command ip a:

bash~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether c4:85:08:94:ee:9a brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.66/24 brd 192.168.3.255 scope global wlan0
    inet6 fe80::c685:8ff:fe94:ee9a/64 scope link valid_lft forever preferred_lft forever

Here at point 2, I have the wlan0 device. It says inet 192.168.3.66/24 brd 192.168.3.255 scope global wlan0, IP address: 192.168.3.66, subnet mask: 24. Network ID is 192.168.3.0, just substitute the last number by 0.

Or as man nmap says:

sudo nmap -sn 192.168.1.0/24

Here is a little quote from the man page, nmap(1):

-sn (No port scan)

This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by a list scan of every single IP address and host name.

Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.

The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default. When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target. When a privileged user tries to scan targets on a local Ethernet network, ARP requests are used unless --send-ip was specified. The -sn option can be combined with any of the discovery probe types (the -P* options, excluding -Pn) for greater flexibility. If any of those probe type and port number options are used, the default probes are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses.

In previous releases of Nmap, -sn was known as -sP.

arp will slowly return you a list of active MAC addresses and IPs or their hostnames if they have one. If you want it to go faster, you can use arp -n which should skip the DNS lookups. If you need to parse it into something arp -an will skip the fixed width columns.

$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
10.10.0.11               ether   00:04:ff:ff:ff:d0   C                     eth0
10.10.0.16               ether   00:04:ff:ff:ff:a6   C                     eth0
raspbmc.local            ether   00:1f:ff:ff:ff:9c   C                     eth0
10.10.0.19               ether   00:04:ff:ff:ff:c9   C                     eth0
10.10.0.12               ether   bc:f5:ff:ff:ff:93   C                     eth0
10.10.0.17               ether   00:04:ff:ff:ff:57   C                     eth0
10.10.0.1                ether   20:4e:ff:ff:ff:30   C                     eth0
HPF2257E.local           ether   a0:b3:ff:ff:ff:7e   C                     eth0
10.10.0.15               ether   00:04:ff:ff:ff:b9   C                     eth0
tim                      ether   00:22:ff:ff:ff:af   C                     eth0
10.10.0.13               ether   60:be:ff:ff:ff:e0   C                     eth0

Otherwise, your router should be able to give you an idea of the active devices(most do).

Edit Per davidcl's comment, this answer isn't as perfect as I'd first hoped.

arp relies on previous contact of some sort to work. However in my opinion modern devices are all so talkative (you should really watch wireshark — it's an education) at broadcast level that it's unlikely a device would be present on the network without at least replying to a broadcast. (To be sure you can ping all devices on the network with 10.10.0.255 first and then you will likely get 90+% of of devices.)

To give you some sort of idea of what I mean, 10.10.0.16 above is our PVR. There's no direct interaction between my PC and the PVR and there aren't any services running on the PVR (no UPNP/DLNA either).

Just to play through the arguments quickly...

• But what about hackers in my network?!1
  They can block ICMP pings too. They can block all responses to every type of scan.
• Oh but surely nmap is still best possible solution
  When run here, it's still missing out four devices. Four devices that are active on the network. Either they're not responding to the pings or nmap isn't waiting long enough for them to respond... I don't know. nmap is a great tool (especially for the port scanning you might want to do next) but it's still a little clumsy (and a little slow) for this problem. And don't call me Shirley.

I use arp-scan for this:

$ sudo arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.2.1     ec:1a:59:61:07:b2       (Unknown)
192.168.2.50    90:59:af:3d:6d:bc       (Unknown)
192.168.2.51    3c:97:0e:48:22:12       (Unknown)
192.168.2.52    00:18:31:87:8f:b0       Texas Instruments

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.282 seconds (199.69 hosts/sec). 4 responded

You can use arp-scan.

Install using this command:

sudo apt-get install arp-scan

To list all IP addresses and associated MAC addresses, use:

sudo arp-scan --interface=eth0 --localnet

The output will look like this:

Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 16777216 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.3 38:60:77:29:31:36   (Unknown)
192.168.1.8 4c:72:b9:7c:bb:7e   (Unknown)
192.168.1.110   00:15:17:5f:d2:80   Intel Corporate
192.168.1.111   00:ff:88:5f:fd:f0   (Unknown)
192.168.1.153   00:15:17:5f:d2:82   Intel Corporate
192.168.1.180   52:54:00:70:04:02   QEMU
192.168.1.199   52:54:00:fe:7f:78   QEMU

GUI

You can try avahi-discover .

1. Install it with this command (or by clicking the above link):

    sudo apt-get install avahi-discover
   

2. Run Avahi Zeroconf Browser or avahi-discover from a terminal.

3. You should see a window with a list of devices on your local network.
   The MAC address will be the string in the square brackets.

Command line

You can use this command in a terminal:

avahi-browse -a -t -d local

It is installed by default.

1. First do a scan of the network to see which hosts are reachable/online using nmap -sn 1.2.3.4/24 or fping -g 1.2.3.4/24

2. Then query the MAC address corresponding to the IP address using arping. Pseudo-code ahead:

   for i in $(cat list-of-reachable-hosts)
   do 
       arping $i
   done
   

3. Cheatery: consult the arp-cache of your local switch; that should give you a nice overview...

In cases that the NetBIOS protocol is supported, I prefer to use

nbtscan 192.168.1.1-192.168.1.255.

I was intrigued by this post. I've had the need for this.

I wrote a shell script that parses the arp output using awk statements and generates HTML output. If you execute the script and redirect the output to an HTML file, you are left with an HTML file that shows the IP, the full MAC address, and a link to the IEEE OUI lookup page. This helps in determining the client by way of NIC manufacturer.

printf "<html>\n<title>LAN IPs and their MACs</title>\n<body>\n"
arp -a | awk '{print $2,$4}' | awk -F'[().: ]' '{print $2"."$3"."$4"."$5,$6,$7":"$8":"$9":"$10":"$11":"$12,"<a href=\"http://standards.ieee.org/cgi-bin/ouisearch?"$7$8$9"\">IEEE OUI Lookup "$7"-"$8"-"$9"</a><br>"}'
printf "\n</body>\n</html>\n"

It helps to execute an nmap scan on your LAN first so you have entries in the ARP table. Hopefully the formatting translated. You could spruce this up to have the text in a table format.

After Some work and search I'v discovered this command:

nmap -sP -PE -PA21,23,80,3389 192.168.1.*

nmap: Network exploration tool and security / port scanner

-sP (Skip port scan) . This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name.

-PE; -PP; -PM (ICMP Ping Types) . In addition to the unusual TCP, UDP and SCTP host discovery types discussed previously, Nmap can send the standard packets sent by the ubiquitous ping program. Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available hosts.. Unfortunately for network explorers, many hosts and firewalls now block these packets, rather than responding as required by RFC 1122[2]. For this reason, ICMP-only scans are rarely reliable enough against unknown targets over the Internet. But for system administrators monitoring an internal network, they can be a practical and efficient approach. Use the -PE option to enable this echo request behavior.

-A (Aggressive scan options) . This option enables additional advanced and aggressive options.

21,23,80,3389 Ports to search through

192.168.1.* Range of IPs. replace with yours

After getting tired of using nmap and ARP combo, I created this small program which queries all MAC addresses for a given IP range: https://github.com/drkblog/findmacs