Use arp-scan to scan your local network while monitoring ARP traffic with wireshark to get a sense of what's going on. After that, use the following script to identify hosts discoverable via ARP but not ICMP.
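The script the text refers to is not reproduced on this page. As an added example (my own, not the page's script), the following Python program does the same job: it runs arp-scan against the local subnet, sends one ICMP echo request to every responding host, and lists the hosts that answered ARP but stayed silent on ICMP. It assumes Linux with arp-scan and iputils ping on the PATH and must run as root (both tools need raw sockets); the arp-scan output embedded in it is constructed for illustration, not a capture.

```python
"""List hosts that answer ARP but not ICMP echo on the local segment."""
import re
import subprocess
import sys

# arp-scan prints one "IP<TAB>MAC<TAB>vendor" line per responding host,
# surrounded by banner and summary lines that must be skipped.
ARP_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

# Constructed sample of arp-scan output (not a real capture) used for testing.
SAMPLE_ARP_SCAN_OUTPUT = """Interface: eth0, type: EN10MB, MAC: 00:11:22:33:44:55, IPv4: 192.168.1.10
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1\t00:50:56:c0:00:08\tVMware, Inc.
192.168.1.20\taa:bb:cc:dd:ee:ff\t(Unknown)
192.168.1.30\t00:0c:29:12:34:56\tVMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.9 seconds (134.74 hosts/sec). 3 responded
"""


def parse_arp_scan(output):
    """Return {ip: mac} for every host line in arp-scan output."""
    hosts = {}
    for line in output.splitlines():
        m = ARP_LINE.match(line)
        if m:
            hosts[m.group(1)] = m.group(2).lower()
    return hosts


def run_arp_scan(interface=None):
    """Run arp-scan against the local subnet (needs root or CAP_NET_RAW)."""
    cmd = ["arp-scan", "--localnet"]
    if interface:
        cmd += ["--interface", interface]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def icmp_alive(ip):
    """True if a single ICMP echo request is answered within one second."""
    r = subprocess.run(["ping", "-c", "1", "-W", "1", ip],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def arp_only_hosts(arp_hosts, probe=icmp_alive):
    """Subset of arp_hosts ({ip: mac}) whose ICMP probe got no reply.

    The probe is injectable so the selection logic can be exercised
    without sending any packets.
    """
    return {ip: mac for ip, mac in sorted(arp_hosts.items()) if not probe(ip)}


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else None
    found = parse_arp_scan(run_arp_scan(iface))
    silent = arp_only_hosts(found)
    print("%d hosts answered ARP, %d of them ignore ICMP echo:" % (len(found), len(silent)))
    for ip, mac in silent.items():
        print("  %-15s %s" % (ip, mac))
```

Hosts that show up only in the ARP column are usually ones whose host firewall drops ICMP echo; ARP cannot be filtered the same way without breaking connectivity, which is why nmap's own host discovery (-sn) uses ARP requests instead of ICMP when it scans a directly attached subnet as root.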
With 8.8.8.8 as a target, use wireshark to view the traffic generated by both nmap and traceroute. What differences can you find in their default mode of operation?
```sh
$ sudo nmap \
    -sn `# disable port scan` \
    -Pn `# disable host discovery; treat the target as up` \
    --traceroute `# perform traceroute` \
    8.8.8.8
$ traceroute 8.8.8.8
```
If nmap was installed as a snap, its confinement can block the raw sockets that the traceroute and SYN scan need. Either replace it with the distribution package:

```sh
sudo snap remove nmap && sudo apt install nmap
```

or grant the snap the interface it needs:

```sh
sudo snap connect nmap:network-control
```
If we do allow a port scan by removing -sn (the default is a TCP scan, a SYN scan when running as root; use -sU for a UDP scan), it takes place before the actual traceroute. What changes does this bring?
When doing the TCP scan with nmap, you may have noticed a weird field in the TCP header: Options. Generate some TCP traffic with curl and look at the SYN packet in wireshark. What options do you see there?
Here is a quick breakdown of the more common TCP options and how they are used to overcome protocol limitations and improve throughput. Take a quick look if you want, then move on. We'll dive deeper into protocol options in the next task.
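To see what Wireshark is decoding in the SYN you captured with curl, and to put names to the options listed in the breakdown above, here is an added example (my own, not code from the page or from any tool it mentions) that parses the Options field of a raw TCP header in Python. The SYN it decodes is a constructed byte string carrying the options a Linux client typically sends (MSS, SACK permitted, Timestamps, NOP, Window scale), not a capture from this exercise; the option names follow Wireshark's.

```python
"""Decode the Options field of a raw TCP header (what Wireshark shows on a SYN)."""
import struct

# Option kinds (RFC 793, RFC 7323, RFC 2018). These are the ones a Linux
# client such as curl puts on every SYN.
TCP_OPT_EOL = 0        # end of option list
TCP_OPT_NOP = 1        # one-byte padding, used to align the next option
TCP_OPT_MSS = 2        # maximum segment size: avoid IP fragmentation
TCP_OPT_WSCALE = 3     # window scale: lift the 64 KiB limit of the 16-bit window
TCP_OPT_SACK_PERM = 4  # peer may use selective acknowledgements
TCP_OPT_SACK = 5       # selective ACK blocks (seen on ACKs, not on the SYN)
TCP_OPT_TIMESTAMP = 8  # RTT measurement and PAWS sequence-wrap protection


def parse_tcp_options(raw):
    """Walk a TCP option list and return [(name, value), ...].

    Raises ValueError on a malformed list so a caller never trusts an
    option whose declared length runs past the end of the header.
    """
    options = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_EOL:
            options.append(("EOL", None))
            break                          # anything after EOL is padding
        if kind == TCP_OPT_NOP:
            options.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        body = raw[i + 2:i + length]
        if kind == TCP_OPT_MSS and length == 4:
            options.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == TCP_OPT_WSCALE and length == 3:
            options.append(("WScale", body[0]))
        elif kind == TCP_OPT_SACK_PERM and length == 2:
            options.append(("SACK permitted", True))
        elif kind == TCP_OPT_SACK and len(body) % 8 == 0:
            edges = struct.unpack("!%dI" % (len(body) // 4), body)
            options.append(("SACK", list(zip(edges[0::2], edges[1::2]))))
        elif kind == TCP_OPT_TIMESTAMP and length == 10:
            options.append(("Timestamps", struct.unpack("!II", body)))
        else:
            options.append(("kind %d" % kind, body.hex()))  # unknown: keep raw bytes
        i += length
    return options


def parse_tcp_header(segment):
    """Split a raw TCP segment into fixed fields, decoded options and payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    (sport, dport, seq, ack, off_flags,
     window, _csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4    # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    flags = off_flags & 0x1FF
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10),
        "window": window,
        "options": parse_tcp_options(segment[20:data_offset]),
        "payload": segment[data_offset:],
    }


def effective_window(header):
    """Receive window in bytes once the negotiated shift is applied (RFC 7323)."""
    shift = dict(header["options"]).get("WScale", 0)
    return header["window"] << shift


# Constructed SYN (not a capture): port 50000 -> 443, window 64240, data offset 10
# (40-byte header), options MSS 1460, SACK permitted, Timestamps (1, 0), NOP, WScale 7.
SAMPLE_SYN = bytes.fromhex(
    "c350" "01bb" "00000001" "00000000" "a002" "faf0" "0000" "0000"
    "020405b4" "0402" "080a0000000100000000" "01" "030307"
)

if __name__ == "__main__":
    hdr = parse_tcp_header(SAMPLE_SYN)
    for name, value in hdr["options"]:
        print("%-15s %s" % (name, "" if value is None else value))
    print("window %d << %d = %d bytes" % (
        hdr["window"], dict(hdr["options"]).get("WScale", 0), effective_window(hdr)))
```

The NOP before the window-scale option is there purely to make the 3-byte option end on a 4-byte boundary, and the scale shift only applies to segments after the handshake, which is why the SYN itself advertises a plain 16-bit window. Note also that the length checks are what keep the parser honest: a kind/length pair that claims more bytes than the header holds is rejected instead of being read out of the payload.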