CODEWITHSUNDEEP
nmap
David Jone
David Jone

Reputation: 23

The difference between nmap option, scan types and ping options

scan types, begin with -s, such as nmap -s* target_host ping options, begin with -P, such as nmap -P* target_host

I have used wireshark and nmap to see underlying actions options -P*.

When I run both command 

nmap -p9527 target_host

and 

nmap -sP target_host

I found that the only distinction is that -sP cannot be used with port scan option, such as -p9525.

I wanna to clarify, whether both of two option -s* and -P* are used to detect the liveness of target host.

By the way, my environment is on kali which is running on virtual host. I used tcpdump to catch packets and wireshark to analyze.And I run commands as root user.

Upvotes: 1

Views: 5559

Answers (2)

bonsaiviking
bonsaiviking

Reputation: 6005

There are many phases to an Nmap scan, and the two that these options refer to are host discovery and port or protocol scan.

The -P* family of options are all different ways to do host discovery. The default scan (if none of these is chosen) performs host discovery using the best method available. The -Pn option tells Nmap to skip this phase altogether. It used to be documented as -PN, but we changed it to conform with the other "turn this feature off" options. Before that, it was -P0, but there was confusion between that and -PO.

The -s* family of options are all different types of port and protocol scans. The default scan is a TCP port scan with either -sS or -sT, depending on privilege level. The -sn option tells Nmap to skip this phase altogether. It used to be documented as -sP (for "Ping scan"), but that caused the kind of confusion that you and others have reported.

Upvotes: 1

mc0e
mc0e

Reputation: 2820

Usually aping scan of some sort is done first, and then the hosts that have been found to be up are scanned for open ports.

You can turn the ping scan off (-Pn). There are also many types of ping scans, including TCP on an optionally specified port. Which varieties of scan are availabledepends on whether you have root privileges. IF you are not root, then ICMP echo ping is not available.

nmap -p9527 target_host with no other options will first ping the target, and then scan TCP port 9527.

A ping scan with sP (i.e. ping only) is only for testing which hosts are up. The port scan is omitted. So yeah, it's incompatible with specifying which ports should be scanned.

Upvotes: 1

Related Questions