Nmap Development mailing list archives

scanning localhost through ARP poisoning


From: "Mike ." <dmciscobgp () hotmail com>
Date: Mon, 14 Apr 2014 21:57:07 +0000

Years ago this is how I scanned localhost (Windows): you could simply find an unused IP on your subnet, do a quick gratuitous ARP request to grab that IP, and use it for your -S source. The command would be something like
nmap -n -P0 -T4 -e eth0 (port range) -S (ip you have poisoned) (your ip)
I am asking about this because it has been YEARS since I touched nmap, and I just d/led it today, so I am not aware of any changes that might have broken that method. Can it still be done? I ran it for more than 20 minutes using ARP-sk to get my ARP poison and could not get nmap to notice the "borrowed" IP. Like I said, I did this all the time back in the day with no issues; I could do SYN scans or even UDP. The only way I can scan myself now is with a connect() scan, and it seems to take forever after it finds the first few open ports.
I am behind a NATed router (192 blah), so I have no idea if the ARP poison can still work. I injected random 192 addresses and got nowhere. If you can help with this, I would appreciate it.
thank you
m|ke
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
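The mechanics behind the "borrow an unused IP, then hand it to nmap -S" trick, as an added example that is not part of the post above and is not the poster's ARP-sk setup or any nmap code. The script builds the gratuitous ARP request that claims the address, and, since every reply to nmap's spoofed probes is addressed to the borrowed IP, also answers ARP requests for that IP so the replies are delivered to the interface nmap is sniffing on instead of being dropped. Interface name, MAC and the 192.168.1.x addresses are assumptions chosen for illustration; sending needs Linux (AF_PACKET) and root, while the frame builders and parser are pure Python and run anywhere.

```python
"""Claim an unused IPv4 address on the local segment with gratuitous ARP and
keep answering ARP requests for it while an nmap -S <claimed_ip> scan runs.
Added example, not from the mailing-list post; addresses and names are made up."""
import socket
import struct
import sys

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip,
                    dst_mac=BROADCAST_MAC):
    """Ethernet II header + 28-byte ARP body (RFC 826): 42 bytes in total."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_to_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def build_gratuitous_arp(our_mac, claimed_ip):
    """Gratuitous ARP request: sender IP == target IP == the address being claimed,
    broadcast destination. Neighbours that cache it now map claimed_ip to our MAC."""
    return build_arp_frame(ARP_REQUEST, our_mac, claimed_ip, ZERO_MAC, claimed_ip)


def parse_arp_frame(frame):
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def is_probe_for(frame, claimed_ip):
    """True when frame is an ARP request asking who has claimed_ip. A host answering
    nmap's spoofed SYNs addresses its reply to claimed_ip, so it ARPs for it first;
    if nobody answers, the reply never reaches the interface nmap is sniffing."""
    try:
        parsed = parse_arp_frame(frame)
    except ValueError:
        return False
    return parsed["opcode"] == ARP_REQUEST and parsed["target_ip"] == claimed_ip


def build_reply_to(request_frame, our_mac, claimed_ip):
    """Unicast ARP reply telling the requester that claimed_ip lives at our MAC."""
    req = parse_arp_frame(request_frame)
    return build_arp_frame(ARP_REPLY, our_mac, claimed_ip,
                           req["sender_mac"], req["sender_ip"], dst_mac=req["sender_mac"])


def answer_probes(iface, our_mac, claimed_ip):
    """Linux only, needs root: announce claimed_ip, then answer ARP requests for it
    until interrupted. Run alongside: nmap -n -Pn -e <iface> -S <claimed_ip> <your ip>"""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    sock.send(build_gratuitous_arp(our_mac, claimed_ip))
    while True:
        frame = sock.recv(65535)
        if is_probe_for(frame, claimed_ip):
            sock.send(build_reply_to(frame, our_mac, claimed_ip))


if __name__ == "__main__":
    # e.g. sudo python3 arp_claim.py eth0 02:00:00:00:00:01 192.168.1.250 (assumed values)
    if len(sys.argv) != 4:
        sys.exit("usage: arp_claim.py <iface> <our mac> <unused ip to claim>")
    answer_probes(sys.argv[1], sys.argv[2], sys.argv[3])
```

Pick the claimed address by confirming nothing answers ARP for it first, or you will be fighting a live host for its cache entries. Whether the scanning machine's own stack ever sees the replies depends on the same thing the post is asking about: the replies must physically arrive on the -e interface, and this script's only job is to make sure the neighbours know where to deliver them.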

