Why can't I arping the direct broadcast of the LAN to populate the arp table?

Solution 1:

ARP (over Ethernet networks) is used to discover the Ethernet MAC address associated to the IP address of the target. An ARP request is always for a single target at a time. It doesn't matter for the explanation, but it's done initially as an Ethernet broadcast (FF:FF:FF:FF:FF:FF) so the not-yet-known target can receive it, and once the target is known, may be sent as a targeted unicast to refresh the cache.

In the LAN 10.10.11.0/24 there is no system with the address 10.10.11.255, because it's by convention this LAN's directed broadcast address: when an IP datagram uses this address as destination, the Ethernet frame encapsulating it automatically gets for destination the Ethernet broadcast address (FF:FF:FF:FF:FF:FF) so that all systems receive it. That means that:

  • no host will send such ARP request or it is misbehaving, because it doesn't have to resolve any unicast MAC address when it already knows what destination MAC address to use when sending to an IP broadcast address: the broadcast Ethernet address FF:FF:FF:FF:FF:FF
  • no host will have this IP address (ie: use as source) or it is misconfigured (eg of misconfiguration: this IP address could have been affected to it without being considered as a broadcast address, probably because there's a different LAN netmask, like 10.10.11.255/21)
  • thus no ARP reply will ever be seen for this IP address even if an ARP request incorrectly asks for it.

So in a network where all systems are correctly configured, sending an ARP to the IP LAN broadcast address just makes no sense and will result in no answer because there's nothing present to answer it.

In a nutshell: you can't with a single arping command, you'll have to loop for it.