Arp sp00fing c0de

docs/nmap.1

@@ -500,10 +500,27 @@ while ethernet frames work best on the many Windows versions where
 Microsoft has disabled raw sockets support.  Nmap still uses raw IP
 packets when there is no other choice (such as non-ethernet
 connections).
+.TP
 .B --send_ip
 Asks Nmap to send packets via raw IP sockets rather than sending lower
 level ethernet frames.  It is the complement to the --send-eth
 option.discussed previously.
+.TP
+.B \--spoof_mac [mac, prefix, or vendor substring]
+Ask Nmap to use the given MAC address for all of the raw ethernet
+frames it sends.  The MAC given can take several formats.  If it is
+simply the string "0", Nmap chooses a completely random MAC for the
+session.  If the given string is an even number of hex digits (with
+the pairs optionally separated by a colon), Nmap will use those as the
+MAC.  If less than 12 hex digits are provided, Nmap fills in the
+remainder of the 6 bytes with random values.  If the argument isn't a
+0 or hex string, Nmap looks through the nmap-mac-prefixes to find a
+vendor name containing the given string (it is case insensitive).  If
+a match is found, Nmap uses the vendor's OUI (3-byte prefix) and fills
+out the remaining 3 bytes randomly.  Valid --spoof_mac argument
+examples are "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe",
+"0020F2", and "Cisco".
+.TP
 .B \-f
 This option causes the requested scan (including ping scans) to use
 tiny fragmented IP packets.  The idea is to split up the TCP header