How to do it...

A tool that was specifically designed to perform layer 2 discovery is netdiscover.

  1. The netdiscover command can be used to scan a range of IP addresses by passing the network range in CIDR notation as an argument while using the -r option.
  2. The output generates a table that lists live IP addresses, their corresponding MAC addresses, the number of responses, the length of the responses, and the MAC vendor:
  3. The netdiscover command can also be used to scan IP addresses listed in an input text file. Instead of passing the CIDR range notation as an argument, the -l option can be used in conjunction with the name or path of the input file:

After running the command, we see the results displayed in the Terminal window:

  4. Another unique feature that sets this tool apart from the others is the capability to perform passive discovery. Broadcasting ARP requests for every IP address in an entire subnet can sometimes trigger alerts or responses from security devices such as intrusion detection systems (IDS) or intrusion prevention systems (IPS). A stealthier approach is to listen for the ARP traffic that the scanning system naturally exchanges with other systems on the network, and then record the data collected from the ARP responses. This passive scanning technique can be performed using the -p option:
  5. This technique is significantly slower at gathering information, because the ARP traffic only arrives as a result of normal network interactions, but it is also unlikely to draw any unwanted attention. It is much more effective when run on a wireless network, as a promiscuous wireless adapter will receive ARP replies intended for other devices.
  6. To work effectively in a switched environment, you would need access to a SPAN port or a network TAP, or you would need to overload the switch's CAM tables to force it to start broadcasting all traffic.
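The passive technique in step 4 and the IDS alert it avoids are two sides of the same ARP traffic. The following script, an added example that is not part of the recipe or of the netdiscover project, builds a netdiscover-style host table purely from observed ARP frames (the passive-listener view) and, from the defender's side, flags any sender that ARPs for many distinct addresses in a short window, which is exactly what an active -r sweep looks like on the wire. The ARP frames, the host addresses, the scanner MAC, the window and threshold values, and the three-entry OUI lookup are all constructed for this example.

```python
"""Passive ARP host table plus ARP-sweep detector (constructed example)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed subset of the IEEE OUI registry, keyed by the first three octets.
OUI_VENDORS = {
    "00:0c:29": "VMware, Inc.",
    "00:50:56": "VMware, Inc.",
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Each frame: (timestamp_s, opcode, sender_mac, sender_ip, target_ip, frame_len)
# opcode 1 = ARP request, 2 = ARP reply. Everything below is made up.
NORMAL_TRAFFIC = [
    (10.0, 1, "b8:27:eb:01:02:03", "192.168.1.20", "192.168.1.1", 42),   # Pi asks for the gateway
    (10.0, 2, "00:50:56:aa:00:01", "192.168.1.1", "192.168.1.20", 42),   # gateway answers
    (12.5, 1, "00:50:56:aa:00:01", "192.168.1.1", "192.168.1.30", 42),   # gateway asks for a VM
    (12.5, 2, "00:50:56:aa:00:02", "192.168.1.30", "192.168.1.1", 60),   # VM answers
    (15.0, 1, "b8:27:eb:01:02:03", "192.168.1.20", "192.168.1.1", 42),   # Pi refreshes its cache
]


def _scanner_sweep():
    """Constructed active sweep: one host ARPs every address of a /26 within two seconds."""
    scanner_mac, scanner_ip = "00:0c:29:11:22:33", "192.168.1.50"
    return [
        (i * 0.03, 1, scanner_mac, scanner_ip, str(host), 42)
        for i, host in enumerate(ip_network("192.168.1.0/26").hosts())
    ]


SAMPLE_FRAMES = NORMAL_TRAFFIC + _scanner_sweep()


def vendor_for(mac):
    """Look the OUI up in the constructed subset; unknown prefixes map to 'Unknown vendor'."""
    return OUI_VENDORS.get(mac.lower()[:8], "Unknown vendor")


def passive_host_table(frames):
    """Build a netdiscover-style table without sending a single frame.

    Every ARP frame, request or reply, carries the sender's IP/MAC pairing, so a
    listener learns hosts from whatever traffic the segment happens to deliver.
    Count and Len accumulate per IP, as netdiscover's columns do.
    """
    table = {}
    for _ts, _op, smac, sip, _tip, length in frames:
        entry = table.setdefault(sip, {"mac": smac, "count": 0, "len": 0, "vendor": vendor_for(smac)})
        entry["count"] += 1
        entry["len"] += length
    return table


def render_table(table):
    """Return the table as text in the column order netdiscover prints."""
    lines = ["IP               At MAC Address      Count  Len   MAC Vendor"]
    for ip in sorted(table, key=lambda a: [int(o) for o in a.split(".")]):
        e = table[ip]
        lines.append(f"{ip:<16} {e['mac']:<19} {e['count']:>5}  {e['len']:>4}  {e['vendor']}")
    return "\n".join(lines)


def detect_arp_sweeps(frames, window_s=5.0, threshold=20):
    """Flag sender MACs that request >= threshold distinct target IPs within window_s seconds.

    Returns {sender_mac: max_distinct_targets_in_any_window}. Normal hosts resolve
    a handful of peers; a subnet sweep resolves dozens in seconds.
    """
    by_mac = defaultdict(list)
    for ts, op, smac, _sip, tip, _len in sorted(frames):
        if op == 1:
            by_mac[smac].append((ts, tip))
    alerts = {}
    for mac, reqs in by_mac.items():
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window_s:   # slide the window forward
                start += 1
            distinct = {tip for _, tip in reqs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[mac] = max(alerts.get(mac, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    print(render_table(passive_host_table(SAMPLE_FRAMES)))
    for mac, n in detect_arp_sweeps(SAMPLE_FRAMES).items():
        print(f"ALERT: {mac} ({vendor_for(mac)}) ARPed {n} distinct hosts within 5 s")
```

Run it as-is to see the passive table for the whole capture and one alert for the sweeping host; the five lines of normal traffic never approach the threshold, which is the contrast the recipe draws between -p and -r. The window and threshold are tuning knobs: tighten them on a quiet segment, loosen them where DHCP churn or monitoring systems legitimately resolve many neighbours.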