Nmap -sn: scan or no scan?
You're right that the documentation is worded poorly. -sn means "skip the port scan phase," and was previously available as -sP, with the mnemonic "Ping scan".
Nmap scans happen in phases. These are:
1. Name resolution
2. NSE script pre-scan phase
3. Host discovery ("ping" scan, but not necessarily ICMP Echo request)
4. Parallel reverse name resolution
5. Port or Protocol scan
6. Service version detection
7. OS fingerprinting
8. Traceroute
9. NSE portrule and hostrule script scanning phase
10. NSE post-scan phase
Note that not all these phases get executed in every scan, depending on the arguments. This scan:
nmap -sn scanme.nmap.org
will run phases 1, 3, and 4.
EDIT: I corrected the documentation you referred to in r33790:
This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes.
In its standard mode, nmap does two different types of scan: a host scan, to determine which hosts are available for further port scanning, and a port scan, which reveals the status of ports on available machines. -sn does no port scan, but it does a host scan -- this is particularly useful when scanning a range with nmap, where it will print out those hosts that responded to the scan (which could, for example, reveal some of the hosts available on a certain subnet).
For example:
$ nmap -sn 192.168.0.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-23 17:54 CEST
Nmap scan report for 192.168.0.11
Host is up (0.051s latency).
Nmap scan report for 192.168.0.37
Host is up (0.063s latency).
Nmap scan report for 192.168.0.65
Host is up (0.016s latency).
Nmap scan report for 192.168.0.85
Host is up (0.00090s latency).
Nmap scan report for 192.168.0.149
Host is up (0.024s latency).
Nmap scan report for 192.168.0.202
Host is up (0.021s latency).
Nmap scan report for 192.168.0.253
Host is up (0.042s latency).
Nmap done: 256 IP addresses (7 hosts up) scanned in 22.26 seconds
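As an added example (not part of any answer here), a small Python parser for the normal-mode output of nmap -sn like the listing above, so the discovered hosts can be fed into an asset inventory. The sample text is constructed, not captured from a real network; it also covers the hostname form of the report line, the "Host is up." line without latency, and the MAC line nmap prints when scanning a local subnet as root.

```python
import re

# Constructed sample in the normal-output format of `nmap -sn` (not captured
# from a real network). Hostname form, missing latency and MAC line are shapes
# nmap can emit that a parser has to tolerate.
SAMPLE_SN_OUTPUT = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-23 17:54 CEST
Nmap scan report for 192.168.0.11
Host is up (0.051s latency).
Nmap scan report for gateway.example.invalid (192.168.0.1)
Host is up (0.0010s latency).
MAC Address: 00:00:5E:00:53:01 (Unknown)
Nmap scan report for 192.168.0.85
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 5.12 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?$")
UP_RE = re.compile(r"^Host is up(?: \(([\d.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.*)\))?$")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")

def parse_sn_output(text):
    """Return (hosts, summary): one dict per host that answered discovery, and
    (addresses_scanned, hosts_up) from the 'Nmap done' line (None if absent)."""
    hosts, current, summary = [], None, None
    for line in text.splitlines():
        if m := REPORT_RE.match(line):
            name, ip = m.groups()
            # Without rDNS the IP is the only token; with it, the IP is in parentheses.
            current = {"ip": ip or name, "hostname": name if ip else None,
                       "latency_s": None, "mac": None}
            hosts.append(current)
        elif (m := UP_RE.match(line)) and current is not None:
            current["latency_s"] = float(m.group(1)) if m.group(1) else None
        elif (m := MAC_RE.match(line)) and current is not None:
            current["mac"] = m.group(1)
        elif m := DONE_RE.match(line):
            summary = (int(m.group(1)), int(m.group(2)))
    return hosts, summary

def live_hosts(text):
    """IPs that responded to discovery, cross-checked against nmap's own count."""
    hosts, summary = parse_sn_output(text)
    if summary is not None and summary[1] != len(hosts):
        raise ValueError(f"parsed {len(hosts)} hosts but nmap reported {summary[1]} up")
    return [h["ip"] for h in hosts]

if __name__ == "__main__":
    for host in parse_sn_output(SAMPLE_SN_OUTPUT)[0]:
        print(host)
```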
Yes, -sn is a ping scan for host discovery, and does not do any detailed port scan (which ports are open on the host). These are 2 different scans that the man page is talking about. Your interpretation is pretty close.