Nmap Development mailing list archives

ARP scan on Mac OS, only the gateway MAC is shown


From: Giuliano <giuliano () 108 bz>
Date: Wed, 24 Aug 2011 11:36:01 +0100

Hi Guys,

  I'm on Mac OS (Lion 10.7.1), trying to get a list of live MAC
addresses on the connected network segment... nmap is being run as
root, across wireless.
When I probe the default gateway, everything looks fine:

# ./nmap-5.51/nmap -e en1 --send-eth -sP -PR 10.0.0.1
Host is up (0.0017s latency).
MAC Address: 00:64:DE:AD:BE:EF (Cisco Systems)

When I try to do the same on another host:

# ./nmap-5.51/nmap -e en1 --send-eth -sP -PR 10.0.0.234
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn

Turning on verbose/debug reveals that nmap isn't even attempting to do
ARP, as if host .234 was on another ethernet segment. But --iflist
shows:

************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MTU MAC
lo0 (lo0) 127.0.0.1/8 loopback up 16384
en1 (en1) 10.0.0.36/24 ethernet up 1500 xx:xx:xx:xx:xx:xx
**************************ROUTES**************************
[..a bunch of routes..]
127.0.0.0/8 lo0 127.0.0.1
0.0.0.0/0 en1 10.0.0.1

If I change the -PR to -PE, the host reports as UP but I'm still
seeing no ARP going on... A single ICMP packet is sent to the default
gateway, using the gateway's MAC. A response is received, with the
target host's MAC as source.
I tried different nmap versions, with/without the builtin libcap, as
root or as a normal user, etc. Needless to say, on Linux I've got no
issues whatsoever.
How could nmap possibly get confused about what networks are connected?

Thanks,
--
Giuliano
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

