Different behavior: "sudo nmap" vs just "nmap"?

By default an unprivileged scan uses -sT (TCP Connect) while privileged (root) uses -sS (TCP SYN Stealth).

TCP Connect (-sT): Connect scan uses the system call of the same name to scan machines, rather than relying on raw packets as most of the other methods do. It is usually used by unprivileged Unix users and against IPv6 targets because SYN scan doesn't work in those cases.

TCP SYN Stealth (-sS): This is far and away the most popular scan type because it is the fastest way to scan ports of the most popular protocol (TCP). It is stealthier than connect scan, and it works against all functional TCP stacks (unlike some special-purpose scans such as FIN scan).

1) To figure out what is happening with your machine, I would suggest using the extra verbose mode (-vv) or --packet-trace to see what happens.

$ sudo nmap --packet-trace -vv 192.168.56.101

2) Another approach would be to force an unprivileged scan as a privileged user using the following commands and see the result.

$ sudo nmap -sT -vv 192.168.56.101
$ sudo nmap --unprivileged -vv 192.168.56.101

3) Finally, the reason why nmap stops the scan is because ICMP Type 8 (echo a.k.a. ping) doesn't return an ICMP Type 0 (echo reply). This command ignores ping and keeps scanning:

$ sudo nmap -PN 192.168.56.101

Can you please try those commands and post the output?
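Seen from the target's side, the two default scan types named in this answer end differently on an open port: connect() completes the three-way handshake, while a SYN scan resets after the SYN/ACK. The following added example (not part of the original answer) labels flows in a packet summary accordingly; the scanner addresses, source ports and packet list are constructed for illustration.

```python
from collections import defaultdict

TARGET = "192.168.56.101"  # target address used in the commands above
# Constructed capture summary: (src, sport, dst, dport, tcp_flags).
# S=SYN, A=ACK, R=RST; 192.168.56.1 and .2 are made-up scanner addresses.
PACKETS = [
    ("192.168.56.1", 40001, TARGET, 22, "S"),    # open port, raw SYN probe
    (TARGET, 22, "192.168.56.1", 40001, "SA"),
    ("192.168.56.1", 40001, TARGET, 22, "R"),    # reset instead of final ACK
    ("192.168.56.1", 40002, TARGET, 23, "S"),    # closed port
    (TARGET, 23, "192.168.56.1", 40002, "RA"),
    ("192.168.56.2", 51000, TARGET, 22, "S"),    # open port, connect() probe
    (TARGET, 22, "192.168.56.2", 51000, "SA"),
    ("192.168.56.2", 51000, TARGET, 22, "A"),    # handshake completed
    ("192.168.56.2", 51000, TARGET, 22, "RA"),   # then torn down
    ("192.168.56.2", 51001, TARGET, 443, "S"),   # dropped by a filter
]

def label(seq):
    # seq is the ordered list of (side, flags); side is 'c' (client) or 's'.
    server = [f for side, f in seq if side == "s"]
    if not server:
        return "no-reply"            # filtered port or host down
    if "R" in server[0]:
        return "closed"              # looks identical for -sT and -sS
    if server[0] == "SA":
        after = [f for side, f in seq[seq.index(("s", "SA")) + 1:] if side == "c"]
        if after and after[0] == "A":
            return "full-handshake"  # what connect() produces (-sT)
        if after and "R" in after[0]:
            return "half-open"       # SYN, SYN/ACK, RST (-sS)
    return "incomplete"

def classify_flows(packets):
    flows = {}  # (client, cport, server, sport) -> [(side, flags), ...]
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in flows:
            flows[fwd].append(("c", flags))
        elif rev in flows:
            flows[rev].append(("s", flags))
        elif flags == "S":           # only a bare SYN opens a new flow
            flows[fwd] = [("c", "S")]
    return {key: label(seq) for key, seq in flows.items()}

def summarize(packets):
    per_source = defaultdict(lambda: defaultdict(int))
    for (client, _cp, _srv, _dp), verdict in classify_flows(packets).items():
        per_source[client][verdict] += 1
    return {src: dict(v) for src, v in per_source.items()}
```

Calling `summarize(PACKETS)` gives per-source counts; a source whose open-port flows are all half-open was sending raw SYN probes, which requires root.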


I have noticed the same behavior on my Mac. It is really strange.

It appears that Nmap with sudo privileges gets some information from the ARP cache. And so, if you scan a device that is disconnected from the network but is still in the ARP cache (the cache is updated after 2 or 3 minutes on my computer), then it will appear as online for Nmap.

From the Nmap man page:

If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.