diff --git a/CHANGELOG b/CHANGELOG
index 96c4f34b5..a2627b024 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
#Nmap Changelog ($Id$); -*-text-*-
+o [GH#1361] Deprecate and disable the -PR (ARP ping) host discovery option. ARP
+ ping is already used whenever possible, and the -PR option would not force it
+ to be used in any other case. [Daniel Miller]
+
o [NSE][GH#1243] Added http-sap-netweaver-leak to detect SAP Netweaver Portal
with the Knowledge Management Unit enabled with anonymous access. [ArphanetX]
diff --git a/docs/refguide.xml b/docs/refguide.xml
index 629153901..ec35479fd 100644
--- a/docs/refguide.xml
+++ b/docs/refguide.xml
@@ -371,7 +371,8 @@ you would expect.
timestamp request is omitted because it is not part of ICMPv6.)
These defaults are
equivalent to the options.
- The exceptions to this are the ARP (for IPv4) and Neighbor
+ The exceptions to this are the ARPARP ping
+ (for IPv4) and Neighbor
DiscoveryNeighbor Discoveryfor host discovery
(for IPv6)
scans which are used for any targets on a local ethernet network.
@@ -387,10 +388,9 @@ you would expect.
ping types) can be combined. You can increase your odds of
penetrating strict firewalls by sending many probe types using
different TCP ports/flags and ICMP codes. Also note that
- ARP/Neighbor Discovery
- ()
+ ARP/Neighbor Discovery ARP ping
is done by default against
- targets on a local ethernet network even if you specify other
+ targets on a local Ethernet network even if you specify other
options, because it is almost always faster
and more effective.
@@ -849,46 +849,6 @@ content can also be affected with the ,
-
-
- (ARP Ping)
-
- ARP ping
-
-
-
- One of the most common Nmap usage scenarios is to scan
- an ethernet LAN. On most LANs, especially those using
- private address ranges specified by RFC 1918, the vast majority of
- IP addresses are unused at any given time. When Nmap tries
- to send a raw IP packet such as an ICMP echo request, the
- operating system must determine the destination hardware
- (ARP) address corresponding to the target IP so that it can
- properly address the ethernet frame. This is often slow and
- problematic, since operating systems weren't written with
- the expectation that they would need to do millions of ARP
- requests against unavailable hosts in a short time
- period.
-
- ARP scan puts Nmap and its optimized algorithms in
- charge of ARP requests. And if it gets a response back,
- Nmap doesn't even need to worry about the IP-based ping
- packets since it already knows the host is up. This makes
- ARP scan much faster and more reliable than IP-based scans.
- So it is done by default when scanning ethernet hosts that Nmap
- detects are on a local ethernet network. Even if different
- ping types (such as or
- ) are specified, Nmap uses ARP instead
- for any of the targets which are on the same LAN. If you
- absolutely don't want to do an ARP scan, specify
- .
-
- For IPv6 (-6 option), uses ICMPv6
- Neighbor Discovery instead of ARP. Neighbor Discovery, defined
- in RFC 4861, can be seen as the IPv6 equivalent of ARP.
-
-
-
diff --git a/nmap.cc b/nmap.cc
index aea962726..606e8963c 100644
--- a/nmap.cc
+++ b/nmap.cc
@@ -1161,8 +1161,10 @@ void parse_options(int argc, char **argv) {
}
o.pingtype |= PINGTYPE_NONE;
}
- else if (*optarg == 'R')
- o.pingtype |= PINGTYPE_ARP;
+ else if (*optarg == 'R') {
+ if (o.verbose > 0)
+ error("The -PR option is deprecated. ARP scan is always done when possible.");
+ }
else if (*optarg == 'S') {
if (ports.syn_ping_count > 0)
fatal("Only one -PS option is allowed. Combine port ranges with commas.");
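Review bot: The deprecation warning on the new `-PR` branch is printed only when `o.verbose > 0`, so a default non-verbose run with `-PR` accepts the option silently even though it no longer does anything; a user who relied on it to force ARP ping gets no indication of the change. Since the branch now has no other effect, the warning is better unconditional: `else if (*optarg == 'R') {` / `error("The -PR option is deprecated. ARP scan is always done when possible.");` / `}`. Note also that `-PR` no longer sets any bit in `o.pingtype`, so a command line containing only `-PR` presumably leaves `o.pingtype` at its default and whatever default probes are selected later now apply to that case — worth confirming that is intended and stating it in the warning text. parse_options continues outside the hunk.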
@@ -1238,7 +1240,7 @@ void parse_options(int argc, char **argv) {
assert(ports.proto_ping_count > 0);
}
} else {
- fatal("Illegal Argument to -P, use -Pn, -PE, -PS, -PA, -PP, -PM, -PU, -PY, -PR, or -PO");
+ fatal("Illegal Argument to -P, use -Pn, -PE, -PS, -PA, -PP, -PM, -PU, -PY, or -PO");
}
break;
case 'p':
diff --git a/nmap.h b/nmap.h
index 20c09066a..8005eb0ea 100644
--- a/nmap.h
+++ b/nmap.h
@@ -292,7 +292,7 @@
/* # define PINGTYPE_RAWTCP 128 used to be here, but was never used. */
#define PINGTYPE_CONNECTTCP 256
#define PINGTYPE_UDP 512
-#define PINGTYPE_ARP 1024
+/* #define PINGTYPE_ARP 1024 // Not used; see o.implicitARPPing */
#define PINGTYPE_PROTO 2048
#define PINGTYPE_SCTP_INIT 4096
diff --git a/targets.cc b/targets.cc
index bc55ca62e..fc19fb9b7 100644
--- a/targets.cc
+++ b/targets.cc
@@ -591,7 +591,7 @@ static void refresh_hostbatch(HostGroupState *hs, const addrset *exclude_group,
hs->hostbatch[0]->af() == AF_INET &&
hs->hostbatch[0]->directlyConnected() &&
o.sendpref != PACKET_SEND_IP_STRONG &&
- (pingtype == PINGTYPE_ARP || o.implicitARPPing)) {
+ o.implicitARPPing) {
arpping(hs->hostbatch, hs->current_batch_sz);
arpping_done = true;
}
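Review bot: After dropping the `pingtype == PINGTYPE_ARP` term, `pingtype` may no longer be referenced in refresh_hostbatch at all; if these two conditions were its only remaining uses (the function's signature and body continue outside both hunks), the parameter is now dead and should be removed rather than left to trigger an unused-parameter warning. The same edit appears in the second hunk at line 602 for the AF_INET6 branch, and the two conditions now differ only in the address family. A single guard such as `(af == AF_INET || af == AF_INET6) && hs->hostbatch[0]->directlyConnected() && o.sendpref != PACKET_SEND_IP_STRONG && o.implicitARPPing`, or a small helper `static bool should_arpping(const HostGroupState *hs)`, would avoid keeping the two copies in sync by hand.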
@@ -602,7 +602,7 @@ static void refresh_hostbatch(HostGroupState *hs, const addrset *exclude_group,
hs->hostbatch[0]->af() == AF_INET6 &&
hs->hostbatch[0]->directlyConnected() &&
o.sendpref != PACKET_SEND_IP_STRONG &&
- (pingtype == PINGTYPE_ARP || o.implicitARPPing)) {
+ o.implicitARPPing) {
arpping(hs->hostbatch, hs->current_batch_sz);
arpping_done = true;
}