Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nmap not making arp requests to gateway (v7.70, Windows) #1661

xrmon opened this issue Jul 16, 2019 · 3 comments


Copy link

commented Jul 16, 2019

I am connected to a the network (, on Windows via an OpenVPN connection. The network includes a gateway,, which provides access to the network. The routing table displays this route when I run route print:


IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric    281

When attempting a ping sweep on the network with the command nmap -sn -PE, no live hosts are found. When examining the packets sent in Wireshark, every ICMP echo request is sent to the MAC address of 00:00:00:00:00:00. Based on my knowledge of networking (which may be incorrect), the MAC address of the gateway should be found based on an ARP request, and the ICMP packets should be sent to the gateway.

I can confirm that no such ARP request has been made by viewing the arp table with the command arp -a. There is no entry for the machine However, if I manually ping the gateway using ping, or ping a host with ping, the address of the gateway is resolved via ARP and stored in the ARP table:

Interface: --- 0x2
  Internet Address      Physical Address      Type            00-ff-01-7c-45-7b     dynamic

Once the MAC address is resolved by manually pinging something, the nmap ping sweep works as expected. The problem is not affected by running nmap from an elavated command prompt.


This comment has been minimized.

Copy link

commented Jul 25, 2019

Thanks for the very interesting bug report! Please provide a couple additional details:

  1. Output of nmap --route-dst
  2. Output of nmap --iflist

Does scanning through a default gateway work correctly? In other words, does this appear to be limited to routes that use a specific gateway address for a specific network?


This comment has been minimized.

Copy link

commented Jul 25, 2019

Oh, I thought of a couple other important points:

  1. Does an older version of Nmap work correctly?
  2. Are there any unusual messages in the output like "Failed to determine dst MAC address for target"?

This comment has been minimized.

Copy link

commented Jul 25, 2019

Here we go:

  1. nmap --route-dst
Starting Nmap 7.70 ( ) at 2019-07-25 23:26 GMT Daylight Time
eth2 eth2 srcaddr nexthop
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.26 seconds
  1. nmap --iflist
Starting Nmap 7.70 ( ) at 2019-07-25 23:26 GMT Daylight Time
DEV  (SHORT) IP/MASK                                 TYPE     UP MTU   MAC
eth0 (eth0)  fdb2:2c26:f4e4:0:7541:dc1a:daef:ec62/64 ethernet up 1500  00:1C:42:47:17:3A
eth0 (eth0)  fe80::7541:dc1a:daef:ec62/64            ethernet up 1500  00:1C:42:47:17:3A
eth0 (eth0)                         ethernet up 1500  00:1C:42:47:17:3A
eth1 (eth1)  fe80::f88f:f451:6b8e:e7d/64             ethernet up 1500  02:00:4C:4F:4F:50
eth1 (eth1)                       ethernet up 1500  02:00:4C:4F:4F:50
lo0  (lo0)   ::1/128                                 loopback up 65536
lo0  (lo0)                             loopback up 65536
eth2 (eth2)  dead:beef:2::10b6/64                    ethernet up 1500  00:FF:00:7C:45:7B
eth2 (eth2)  fe80::9070:4e62:4d00:59b7/64            ethernet up 1500  00:FF:00:7C:45:7B
eth2 (eth2)                         ethernet up 1500  00:FF:00:7C:45:7B

eth0   \Device\NPF_{ADD764A0-0078-44BD-B2E8-F318806C5F38}
eth0   \Device\NPF_{ADD764A0-0078-44BD-B2E8-F318806C5F38}
eth0   \Device\NPF_{ADD764A0-0078-44BD-B2E8-F318806C5F38}
eth1   \Device\NPF_{35A6F5BA-A592-4AE0-8EE9-FEA461F41F97}
eth1   \Device\NPF_{35A6F5BA-A592-4AE0-8EE9-FEA461F41F97}
lo0    \Device\NPF_{3F89AF32-2519-4FD7-AE36-F9C66CAD0FB1}
lo0    \Device\NPF_{3F89AF32-2519-4FD7-AE36-F9C66CAD0FB1}
eth2   \Device\NPF_{007C457B-A374-4538-8C57-56A2E42BA029}
eth2   \Device\NPF_{007C457B-A374-4538-8C57-56A2E42BA029}
eth2   \Device\NPF_{007C457B-A374-4538-8C57-56A2E42BA029}
<none> \Device\NPF_{8163A71E-B312-4036-AFF9-999BED189405}
<none> \Device\NPF_{A6E0316D-2F08-47B9-8DD9-23C675B9D44F}
<none> \Device\NPF_{B28093CA-48A6-4A19-AB1E-82C37CC32FDC}

DST/MASK                                 DEV  METRIC GATEWAY                       eth1 281                        eth1 281                       lo0  281                          eth2 281                          eth2 281                       eth0 281                          eth0 281                         eth0 281                       lo0  281                       eth2 281                       eth1 281                       lo0  281                             lo0  331                       lo0  331                       eth0 331                            eth2 281                           eth0 281                            eth2 281                           lo0  281                           eth1 281                              lo0  331                              eth2 281                              lo0  281                              eth0 281                              eth1 281                              eth0 331                                eth0 25
fe80::f88f:f451:6b8e:e7d/128             eth1 281
fe80::7541:dc1a:daef:ec62/128            eth0 281
fdb2:2c26:f4e4:0:7541:dc1a:daef:ec62/128 eth0 281
fe80::9070:4e62:4d00:59b7/128            eth2 281
dead:beef:2::10b6/128                    eth2 281
fe80::c9d6:3b2b:a314:a1dd/128            lo0  281
::1/128                                  lo0  331
dead:beef:2::/64                         eth2 25     fe80::8
dead:beef::/64                           eth2 281    fe80::8
fe80::/64                                eth1 281
fdb2:2c26:f4e4::/64                      eth0 281
fe80::/64                                eth0 281
fe80::/64                                lo0  281
fe80::/64                                eth2 281
ff00::/8                                 eth0 281
ff00::/8                                 lo0  281
ff00::/8                                 eth1 281
ff00::/8                                 eth2 281
ff00::/8                                 eth0 331
::/0                                     eth0 281    fe80::21c:42ff:fe00:18

Scanning through the default gateway appears to work correctly.

  1. After going back through some old versions, versions 7.25BETA1 and later appear to display this issue. Versions 7.12 and earlier failed to detect the host at all, presumably to some long-fixed bug in those versions.

  2. No unusual messages are printed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
2 participants
You can’t perform that action at this time.