Question

My IP address is 172.20.35.3, I'm trying nmap -sn 172.20.35.100 and monitoring the traffic using wireshark. The ping is successful, however wireshark only shows a DNS query request sent from 172.20.35.3 to the DNS server and the DNS replies with no such name! Monitoring the traffic on my target IP address shows no incoming frames. So I'm curious about where nmap is getting the information from (MAC address for instance).

P.S.: I thought nmap might simply be searching the ARP table for a suitable entry. So I tried again after flushing the ARP table, but the result was the same.

Was this helpful?

Solution

Nmap's host discovery engine is robust and uses many kinds of probes to determine whether a host is up on a network. The term "ping" is used for this kind of activity, which can be confusing, since it usually refers to ICMP Echo Request (Type 8 Code 0) and Echo Response (Type 0 Code 0).

What is most likely happening here is that Nmap is sending an ARP request for the target IP address, and marking it as "up" when it gets a positive response. This is the method Nmap uses when running with sufficient privilege against addresses in your interface's broadcast domain.

For other hosts, the default host discovery probes are (in order): ICMP Echo Request, TCP SYN to port 443, TCP ACK to port 80, and ICMP Timestamp Request. Note that if you are running without root/administrator privileges (or using the --unprivileged option), host discovery is done with a TCP SYN and full handshake to port 80 and 443, regardless of broadcast domain.

The DNS request is sent for all hosts that Nmap finds up. You can disable it with the -n argument.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow