Nmap is one of the most common tools used for network scanning. When looking at an IPv4 network nmap can conduct what is commonly referred to as a ping sweep but can also use the ARP protocol.

The command to scan for live hosts is

nmap -sn <IP address range>

When an unprivileged user runs the command above, an ICMP echo request is sent to a target IP address along with a TCP SYN packet to port 80 and 443.

When a privileged user runs the scan, nmap will attempt to use ARP (Address Resolution Protocol) to identify live hosts. If this is not possible, then an ICMP echo requests is sent along with a TCP SYN packet to port 443 and a TCP ACK packet to port 80.

When a host has been identified as “live” no further testing is conducted.

‍