Kali Linux Network Scanning Cookbook(Second Edition)

Layer 2 discovery - ARP

Nmap is another option for performing automated layer 2 discovery scans with a single command. The -sn option is referred to by Nmap as a ping scan. Although the term ping scan naturally leads you to think that layer 3 discovery is being performed, it is actually adaptive:

  1. Assuming that the addresses specified as the argument are on the same local subnet as the scanner, a layer 2 scan can be performed with the following command:
  2. This command sends an ARP request for the target IP to the Ethernet broadcast MAC address (ff:ff:ff:ff:ff:ff) and determines whether the host is alive based on whether an ARP reply is received. If the command is used against the IP address of a host that is not alive, no ARP reply arrives within Nmap's timeout and the output reports the host as down:
  3. This command can be modified to perform layer 2 discovery on a sequential series of IP addresses, using dash notation. To scan a full /24 range, you can use 0-255 for the last octet (for example, 172.16.36.0-255):
  4. Using this command sends out a broadcast ARP request for every address in that range and determines which hosts are actively responding. The same scan can also be performed against an input list of IP addresses read from a file, using the -iL option:

  5. When the -sn option is used with raw socket privileges, Nmap chooses the discovery method per target: targets on a directly connected Ethernet segment are probed with layer 2 ARP requests, and targets that must be reached through a router are probed with layer 3 packets instead (by default an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request). Notice how an Nmap ping scan performed against the hosts on the local network (on the 172.16.36.0/24 private range) returns MAC addresses. This is because the MAC addresses are taken from the ARP replies sent by the hosts. However, if the same Nmap ping scan is performed against remote hosts on a different LAN, the output will not include the systems' MAC addresses:
  6. When performed against a remote network range (the public range 74.125.21.0/24), you can see that layer 3 discovery was used, as no MAC addresses were returned (the only MAC address Nmap could see would be that of the local gateway). This demonstrates that, when possible, Nmap automatically leverages the speed and reliability of layer 2 discovery (ARP replies cannot be blocked by a host firewall the way ICMP often is), and when necessary it uses routable probes to discover remote hosts at layer 3. This can also be seen if you use Wireshark to monitor traffic while an Nmap ping scan is performed against hosts on the local network. Adding --reason to the Nmap command line prints the same information directly, as arp-response for ARP-discovered hosts and echo-reply, syn-ack or reset for hosts found at layer 3.
  7. In the following screenshot, you can see that Nmap utilizes ARP requests to identify hosts on the local segment:
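The distinction made in the steps above (ARP replies carry a MAC address and are only possible on the local segment; hosts behind a router are found by ICMP or TCP probes and show no MAC) can be checked automatically from Nmap's XML output, where each host's status element records the reason Nmap considered it up. The following script is an added example and is not code from the book; the XML it parses is constructed by hand to mirror the shape of real Nmap -oX output, using addresses from the two ranges discussed above, and is not a captured scan. The run_ping_scan helper is the author's own wrapper around nmap -sn -oX - and is only used when nmap is actually installed.

```python
"""Classify hosts found by an Nmap ping scan (-sn) by the discovery method
Nmap actually used, based on its XML output (-oX -).

Added example, not code from the book. SAMPLE_XML is constructed to mirror
the shape of real Nmap XML (host/status/address elements); it is not a
captured scan. The reason strings are the ones Nmap prints with --reason.
"""
import shutil
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample: one local host found via ARP (carries a MAC address),
# one remote host answering an ICMP echo, one remote host answering the
# TCP ACK probe to port 80 with a RST (which also counts as "up").
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 172.16.36.0/24 74.125.21.0/24" version="7.94">
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="172.16.36.135" addrtype="ipv4"/>
<address addr="00:0C:29:09:C3:79" addrtype="mac" vendor="VMware"/>
<hostnames></hostnames>
</host>
<host><status state="up" reason="echo-reply" reason_ttl="57"/>
<address addr="74.125.21.100" addrtype="ipv4"/>
<hostnames></hostnames>
</host>
<host><status state="up" reason="reset" reason_ttl="57"/>
<address addr="74.125.21.101" addrtype="ipv4"/>
<hostnames></hostnames>
</host>
<runstats><hosts up="3" down="509" total="512"/></runstats>
</nmaprun>
"""

# Nmap "reason" values for an up host, grouped by the layer of the probe
# that produced them.
LAYER2_REASONS = {"arp-response"}
LAYER3_REASONS = {"echo-reply", "timestamp-reply", "syn-ack", "reset"}


def classify_hosts(xml_text):
    """Return one dict per up host: ip, mac (or None), Nmap's reason string
    and the discovery layer ("L2" for ARP, "L3" for ICMP/TCP probes)."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        reason = status.get("reason")
        if reason in LAYER2_REASONS:
            layer = "L2"
        elif reason in LAYER3_REASONS:
            layer = "L3"
        else:
            layer = "unknown"
        # Sanity check: an ARP-discovered host must carry a MAC address, and a
        # host reached through a router never does. Anything else is flagged.
        if (layer == "L2") != (mac is not None):
            layer = "inconsistent"
        results.append({"ip": ip, "mac": mac, "reason": reason, "layer": layer})
    return results


def run_ping_scan(targets):
    """Run nmap -sn against the given targets and classify the result.
    Needs nmap on PATH and root/CAP_NET_RAW so ARP and raw ICMP are used."""
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap not found on PATH")
    proc = subprocess.run(["nmap", "-sn", "-oX", "-", *targets],
                          capture_output=True, text=True, check=True)
    return classify_hosts(proc.stdout)


if __name__ == "__main__":
    for h in classify_hosts(SAMPLE_XML):
        print(f"{h['ip']:<16} {h['layer']:<4} {h['reason']:<13} {h['mac'] or '-'}")
```

Run as is, the script prints the three constructed hosts with the local one tagged L2 and the two remote ones L3; replace the sample with run_ping_scan(["172.16.36.0/24"]) on a Kali box to see the same classification for a live scan. Note that without raw socket privileges Nmap falls back to a TCP connect() ping even on the local segment, so every host then shows up as L3 with no MAC address.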