A discovery scan is used to find live IP addresses on a network for the purpose of revealing potential targets. Traditionally, a discovery scan was a ping sweep, sending an ICMP ECHO REQUEST to every address in the specified range. Hosts that responded were then displayed. Because most modern hosts have software firewalls that disallow ICMP, Nmap discovery scans use other methods besides just ICMP to detect live hosts.

The following table summarizes common Nmap discovery scan types.

Nmap Discovery Scan Syntax




nmap -PR

Send an ARP request to target to see if there is a response. ARPs are generally not blocked by firewalls. This is the default discovery method for any Nmap scan on an Ethernet LAN.


nmap -sn

No port scan. Discover only, using a combination of ICMP ECHO REQUEST, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request.

-PS <portlist>

nmap -PS135

Discover hosts by sending a TCP SYN to specified port(s). Default is 80. Any response (SYN ACK or RST) indicates the target is up. There can be no space between -PS and the port list. Will be followed by a port scan unless -sn is also used.

This example uses the NSE script targets-sniffer.nse. It sniffs the network on the eth0 interface for 60 seconds, lists any new targets that it sniffs, then scans those targets.