nmap – difference between icmp ping scan and normal ping scan

To answer this question, we can look at the nmap manual:

HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY(portlist): TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO(protocol list): IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve (default: sometimes)
  --dns-servers <serv1(,serv2),...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host

You see, nmap has several “phases” during a scan. In the first phase, called Host Discovery, all targets are pinged, to see if they are online. During the second phase, the actual port scan is performed.

The commands -sL, -sn and -Pn modify this behavior. -sL only lists the targets to be scanned, skipping both the host discovery and the port scan phase. -sn only performs the host discovery, skipping the port scan completely. And -Pn skips the host discovery, performing a port scan on all hosts as if the ping scan returned successfully on all of them.

On the other hand, -PE, -PP and -PM modify exactly how the Host Discovery is performed. The manual page on host discovery states the following:

If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.

So the -PE option, if specified, means that a simple ICMP Echo request is sent, exactly as if using the ping utility on the host. If no other options are specified, that is the only thing that is done. So it’s actually less comprehensive than not explicitly noting -PE.


-sn and -PE are two completely different options. -sn specifies that no port scan should be performed. -PE explicitly specifies one way of performing a port scan.