Add the --disable-arp-ping option.

This option disables implicit ARP and ND host discovery (the implicit
discovery that would happen even if you used -Pn or IP-based discovery.)

CHANGELOG

@@ -1,4 +1,13 @@
 # Nmap Changelog ($Id$); -*-text-*-
+
+o Added a new --disable-arp-ping option. This option prevents Nmap
+  from implicitly using ARP or ND host discovery for directly
+  connected Ethernet targets. This is useful in networks using proxy
+  ARP, which make all addresses appear to be up using ARP scan. The
+  previously recommended workaround for this situation, --send-ip,
+  didn't work on Windows because there are not raw sockets on Windows.
+  [David Fifield]
+
 o [NSE] Added support for decoding OSPF Hello packets to broadcast-listener.
   [Hani Benhabiles]
 

docs/refguide.xml

@@ -508,7 +508,7 @@ you would expect.</para>
           
           <para>For machines on a local ethernet network, ARP
           scanning will still be performed (unless
-          <option>--send-ip</option> is specified) because Nmap needs
+          <option>--disable-arp-ping</option> or <option>--send-ip</option> is specified) because Nmap needs
           MAC addresses to further scan target hosts. In previous
           versions of Nmap, <option>-Pn</option> was
           <option>-P0</option><indexterm><primary><option>-P0</option></primary><seealso><option>-Pn</option></seealso></indexterm>
@@ -865,7 +865,7 @@ you would expect.</para>
           <option>-PS</option>) are specified, Nmap uses ARP instead
           for any of the targets which are on the same LAN.  If you
           absolutely don't want to do an ARP scan, specify
-          <option>--send-ip</option>.</para>
+          <option>--disable-arp-ping</option>.</para>
           
           <para>For IPv6 (-6 option), <option>-PR</option> uses ICMPv6
           Neighbor Discovery instead of ARP. Neighbor Discovery, defined
@@ -874,6 +874,28 @@ you would expect.</para>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>
+        <option>--disable-arp-ping</option> (No ARP or ND Ping)
+          <indexterm><primary><option>--disable-arp-ping</option></primary></indexterm>
+        </term>
+        <listitem>
+
+	  <para>Nmap normally does ARP or IPv6 Neighbor Discovery (ND)
+	  discovery of locally connected ethernet hosts, even if other
+	  host discovery options such as <option>-Pn</option> or
+	  <option>-PE</option> are used. To disable this implicit
+	  behavior, use the <option>--disable-arp-ping</option>
+	  option.</para>
+
+	  <para>The default behavior is normally faster, but this option
+	  is useful on networks using proxy ARP, in which a router
+	  speculatively replies to all ARP requests, making every target
+	  appear to be up according to ARP scan.</para>
+
+        </listitem>
+      </varlistentry>
+
 <varlistentry>
  <term>
   <option>--traceroute</option> (Trace path to host)

nmap.cc

@@ -665,6 +665,8 @@ void parse_options(int argc, char **argv) {
       {"adler32", no_argument, 0, 0},
       {"stats_every", required_argument, 0, 0},
       {"stats-every", required_argument, 0, 0},
+      {"disable_arp_ping", no_argument, 0, 0},
+      {"disable-arp-ping", no_argument, 0, 0},
       {"route_dst", required_argument, 0, 0},
       {"route-dst", required_argument, 0, 0},
       {0, 0, 0, 0}
@@ -935,6 +937,8 @@ void parse_options(int argc, char **argv) {
         if (d < 0)
           fatal("Argument to --stats-every cannot be negative.");
         o.stats_interval = d;
+      } else if (optcmp(long_options[option_index].name, "disable-arp-ping") == 0) {
+	o.implicitARPPing = false;
       } else if (optcmp(long_options[option_index].name, "route-dst") == 0) {
         struct sockaddr_storage ss;
         struct route_nfo rnfo;