ICMP Timestamp Ping
The -PP option performs an ICMP timestamp ping.
Usage syntax: nmap -PP [target]
While most firewalled systems are configured to block ICMP echo requests, some
improperly configured systems may still reply to ICMP timestamp requests. This
makes -PP useful for attempting to solicit responses from firewalled targets.
ICMP Address Mask Ping
The -PM option performs an ICMP address mask ping.
Usage syntax: nmap -PM [target]
This unconventional ICMP query (similar to the -PP option) attempts to ping the
specified host using alternative ICMP registers. This type of ping can occasionally
sneak past a firewall that is configured to block standard echo requests.
IP Protocol Ping
The -PO option performs an IP protocol ping.
Usage syntax: nmap -PO[protocol1,protocol2,etc] [target]
Performing an IP protocol ping
An IP protocol ping sends packets with the specified protocol to the target. If no
protocols are specified the default protocols 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP) are
used. To ping using a custom set of protocols, use the following syntax:
nmap -PO1,2,4,etc.
NOTE
A complete list of Internet Protocol numbers can be found online at www.iana.org/assignments/protocol-numbers/
ARP Ping
The -PR option instructs Nmap to perform an ARP (Address Resolution Protocol) ping on the specified target.
Usage syntax: nmap -PR [target]
The -PR option is automatically implied when scanning the local network. This type
of discovery is much faster than the other ping methods described in this guide. It
also has the added benefit of being more accurate because LAN hosts can’t block
ARP requests (even if they are behind a firewall).
NOTE
APR scans cannot be performed on targets that are not on your local subnet.
The -PP option performs an ICMP timestamp ping.
Usage syntax: nmap -PP [target]
# nmap -PP 192.168.1.254Performing an ICMP timestamp ping
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-16 13:27 CDT
Interesting ports on home (192.168.1.254):
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open
443/tcp open
http
https
MAC Address: 00:25:3C:5F:5A:89 (2Wire)
Nmap done: 1 IP address (1 host up) scanned in 1.83 seconds
While most firewalled systems are configured to block ICMP echo requests, some
improperly configured systems may still reply to ICMP timestamp requests. This
makes -PP useful for attempting to solicit responses from firewalled targets.
ICMP Address Mask Ping
The -PM option performs an ICMP address mask ping.
Usage syntax: nmap -PM [target]
# nmap -PM 192.168.1.254Performing an ICMP address mask ping
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-16 13:26 CDT
Interesting ports on home (192.168.1.254):
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open
443/tcp open
http
https
MAC Address: 00:25:3C:5F:5A:89 (2Wire)
Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds
This unconventional ICMP query (similar to the -PP option) attempts to ping the
specified host using alternative ICMP registers. This type of ping can occasionally
sneak past a firewall that is configured to block standard echo requests.
IP Protocol Ping
The -PO option performs an IP protocol ping.
Usage syntax: nmap -PO[protocol1,protocol2,etc] [target]
# nmap -PO 10.10.1.48
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-17 09:38 CDT
Interesting ports on 10.10.1.48:
Not shown: 994 closed ports
PORT STATE SERVICE
21/tcp open
ftp
22/tcp open
ssh
25/tcp open
smtp
80/tcp open
http
111/tcp open
rpcbind
2049/tcp open
nfs
MAC Address: 00:0C:29:D5:38:F4 (VMware)
Performing an IP protocol ping
An IP protocol ping sends packets with the specified protocol to the target. If no
protocols are specified the default protocols 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP) are
used. To ping using a custom set of protocols, use the following syntax:
nmap -PO1,2,4,etc.
NOTE
A complete list of Internet Protocol numbers can be found online at www.iana.org/assignments/protocol-numbers/
ARP Ping
The -PR option instructs Nmap to perform an ARP (Address Resolution Protocol) ping on the specified target.
Usage syntax: nmap -PR [target]
# nmap -PR 192.168.1.254Performing an ARP ping
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-16 13:16 CDT
Interesting ports on 192.168.1.254:
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open
443/tcp open
http
https
MAC Address: 00:25:3C:5F:5A:89 (2Wire)
Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds
The -PR option is automatically implied when scanning the local network. This type
of discovery is much faster than the other ping methods described in this guide. It
also has the added benefit of being more accurate because LAN hosts can’t block
ARP requests (even if they are behind a firewall).
NOTE
APR scans cannot be performed on targets that are not on your local subnet.