Correct the Target MAC Address in Nmap's ARP discovery to conform to what IP stacks in currently popular operating systems use.

scan_engine.cc

@@ -3284,7 +3284,10 @@ static UltraProbe *sendArpScanProbe(UltraScanInfo *USI, HostScanStats *hss,
                ETH_TYPE_ARP);
   arp_pack_hdr_ethip(frame + ETH_HDR_LEN, ARP_OP_REQUEST,
                      *hss->target->SrcMACAddress(), *hss->target->v4sourceip(),
-                     ETH_ADDR_BROADCAST,  *hss->target->v4hostip());
+                     "\x00\x00\x00\x00\x00\x00",  *hss->target->v4hostip());
+// RFC 826 says that the ar$tha field need not be set to anything in particular (i.e. its value doesn't matter)
+// We use 00:00:00:00:00:00 since that is what IP stacks in currently popular operating systems use
+
   gettimeofday(&USI->now, NULL);
   probe->sent = USI->now;
   hss->probeSent(sizeof(frame));

todo/nmap.txt

@@ -67,9 +67,6 @@ o GSOC 2014 student Jay will be looking at these items:
     http://seclists.org/nmap-dev/2012/q4/420.
   o Implement an --exclude-ports option. See
     http://seclists.org/nmap-dev/2012/q1/275
-  o Investigate report of Nmap ARP discovery using the wrong target MAC
-    address field in ARP requests (it is correct in the ethernet frame
-    itself).  See this thread: http://seclists.org/nmap-dev/2011/q3/547
   o [Zenmap] Combine parallel timed-out hops into one node in the
     topology view. http://seclists.org/nmap-dev/2012/q1/82 has a patch,
     however it doesn't handle the case of two or more consecutive
@@ -829,6 +826,10 @@ o random tip database
 
 DONE:
 
+o Investigate report of Nmap ARP discovery using the wrong target MAC
+  address field in ARP requests (it is correct in the ethernet frame
+  itself).  See this thread: http://seclists.org/nmap-dev/2011/q3/547
+
 o Add randomizer to configure script so that a random ASCII art from
   docs/leet-nmap-ascii-art*.txt is printed.  I think I'll start naming
   them leet-nmap-ascii-art-submittername.txt.