Nmap Development mailing list archives

Question(s) about arp ping in context of tcp and ping scans


From: "Sina Bahram" <sbahram () nc rr com>
Date: Fri, 30 Dec 2005 17:28:43 -0500

Hi all,

My ip was 192.168.1.103 throughout all of this:

I issued the following command:

nmap -sP 192.168.1.* -v

It said:

Initiating ARP Ping Scan against 103 hosts [1 port/host] at 17:18
The ARP Ping Scan took 4.92s to scan 103 total hosts.

Then it listed them out ... Which I won't copy here, but this is odd ... It
only scanned up to my ip, and then it listed them, and then it did:

Initiating ARP Ping Scan against 152 hosts [1 port/host] at 17:18
The ARP Ping Scan took 5.80s to scan 152 total hosts.

So it did the upper portion past my IP ... Why is the arp ping scan split
upon one's IP?

So then I did:

nmap -sT -p80 192.168.1.* -vv

I did -p80 just to speed things up, no other reason. So I got:

Initiating ARP Ping Scan against 103 hosts [1 port/host] at 17:22
The ARP Ping Scan took 2.63s to scan 103 total hosts.
Initiating Connect() Scan against 2 hosts [1 port/host] at 17:22

Followed by the connect scan results on those two hosts, and then I got:

Initiating ARP Ping Scan against 152 hosts [1 port/host] at 17:22
The ARP Ping Scan took 15.39s to scan 152 total hosts.
Initiating Connect() Scan against quark.nc.rr.com (192.168.1.103) [1 port]
at 17:22

So, again: we see that it splits it according to the arp scan ... Why is
this?

Also, why does the arp ping on the tcp scan take so much longer for the
upper portion? I did this a few times in a row, and I always got that arp
ping on the upper portion taking about 3 to 5 times longer with a tcp scan,
than with plain old ping scan, but both supposedly use the same arp ping.

Thanks for any advice.

Take care,
Sina
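The post compares two ARP ping phases by eyeballing their "took N s to scan M total hosts" lines. The following script is an added example, not part of the original message and not Nmap's own code: it parses exactly those verbose summary lines (the sample input below is the output quoted in the post), normalises each phase to milliseconds per host, and reports how much slower the slowest phase was than the fastest. The function names and the `PhaseTiming` record are my own. A defender baselining how long their own discovery sweeps take, or checking whether a timing change is real rather than an artifact of an uneven host split, can run the same comparison on any Nmap `-v` output.

```python
import re
from dataclasses import dataclass
from typing import List

# Summary line printed by Nmap (3.x/4.x era) at the end of each ping-scan phase, e.g.
#   "The ARP Ping Scan took 4.92s to scan 103 total hosts."
TOOK_RE = re.compile(
    r"^The (?P<phase>.+?) took (?P<secs>[0-9.]+)s to scan (?P<hosts>\d+) total hosts\.$"
)


@dataclass
class PhaseTiming:
    """One completed scan phase: its name, wall-clock seconds and host count."""
    phase: str
    seconds: float
    hosts: int

    @property
    def ms_per_host(self) -> float:
        # Per-host cost lets phases with different host counts be compared.
        return 1000.0 * self.seconds / self.hosts


def parse_phase_timings(output: str) -> List[PhaseTiming]:
    """Extract every 'took ... to scan ... total hosts' line, in order of appearance.

    'Initiating ...' lines and per-host results are ignored; only phases that
    printed a completion summary are returned.
    """
    timings = []
    for line in output.splitlines():
        m = TOOK_RE.match(line.strip())
        if m:
            timings.append(PhaseTiming(m["phase"], float(m["secs"]), int(m["hosts"])))
    return timings


def per_host_ratio(timings: List[PhaseTiming], phase: str = "ARP Ping Scan") -> float:
    """Slowest / fastest per-host time among all runs of `phase` (1.0 if only one run)."""
    rates = [t.ms_per_host for t in timings if t.phase == phase]
    if not rates:
        raise ValueError(f"no completed {phase!r} phase in output")
    return max(rates) / min(rates)


# Constructed sample input: the summary lines quoted in the post for the
# "nmap -sP" run and the "nmap -sT -p80" run (Connect() has no 'took' line here).
SP_RUN = """\
Initiating ARP Ping Scan against 103 hosts [1 port/host] at 17:18
The ARP Ping Scan took 4.92s to scan 103 total hosts.
Initiating ARP Ping Scan against 152 hosts [1 port/host] at 17:18
The ARP Ping Scan took 5.80s to scan 152 total hosts.
"""

ST_RUN = """\
Initiating ARP Ping Scan against 103 hosts [1 port/host] at 17:22
The ARP Ping Scan took 2.63s to scan 103 total hosts.
Initiating Connect() Scan against 2 hosts [1 port/host] at 17:22
Initiating ARP Ping Scan against 152 hosts [1 port/host] at 17:22
The ARP Ping Scan took 15.39s to scan 152 total hosts.
"""


if __name__ == "__main__":
    for label, run in (("-sP", SP_RUN), ("-sT -p80", ST_RUN)):
        timings = parse_phase_timings(run)
        for t in timings:
            print(f"{label:9s} {t.phase}: {t.hosts:3d} hosts, {t.seconds:6.2f}s, "
                  f"{t.ms_per_host:6.2f} ms/host")
        print(f"{label:9s} slowest/fastest ARP phase: {per_host_ratio(timings):.2f}x")
```

On the post's numbers the `-sP` run's two ARP phases differ by about 1.25x per host, while in the `-sT` run the upper phase is about 4x slower per host than the lower one, which matches the "3 to 5 times longer" the author saw. Normalising per host matters because the two phases cover 103 and 152 addresses; comparing raw seconds would overstate the gap.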



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev

