Layer 3 discovery - ICMP

Nmap is an adaptive tool that will automatically adjust and use layer 2, layer 3, or layer 4 discovery as needed. If the -sn option is used in Nmap to scan IP addresses that do not exist on the local network segment, ICMP echo requests will be used to determine whether the hosts are alive and responding.

  1. To perform an ICMP scan of a single target, use Nmap with the -sn option, and pass the IP address to be scanned as an argument:
  2. The output of this command will indicate whether the device is up and will also provide details about the scan performed. Additionally, notice that the system name is also identified. Nmap also performs DNS resolution to provide this information in the scan output. It can also be used to scan a sequential range of IP addresses, using dash notation. Nmap is multithreaded by default and runs multiple processes in parallel. As such, Nmap is very fast in returning scan results. Have a look at the following command:
  3. In the example provided, Nmap is used to scan an entire /24 network range. For convenience of viewing, the output of this command was truncated. By analyzing the traffic passing across the interface with Wireshark, you may notice that the addresses are not sequentially scanned. This can be seen in the following screenshot. This is further evidence of the multithreaded nature of Nmap and illustrates how processes are initiated from addresses in a queue as other processes complete:
  4. Alternatively, Nmap can also be used to scan IP addresses from an input text file. This can be done using the -iL option, followed by the name of the file or file path:
  5. In the example provided, a list of six IP addresses exists in the execution directory. This list is then input into Nmap, and each of the listed addresses is scanned in an attempt to identify live hosts:
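The -iL workflow above pairs naturally with Nmap's grepable output (-oG), which lets the sweep result be reconciled against the input list. The script below is an added example, not from the book: the file names, addresses, host names and the sample .gnmap content are constructed so that it runs offline, and the functions `live_hosts` and `silent_hosts` are hypothetical helpers.

```shell
#!/bin/sh
# Constructed sample data: a six-address list as passed to -iL, and grepable
# output as written by:  nmap -sn -iL targets.txt -oG sweep.gnmap
# (real .gnmap files separate fields with a tab; awk splits on either)
workdir=$(mktemp -d)
cat > "$workdir/targets.txt" <<'EOF'
192.0.2.1
192.0.2.10
192.0.2.11
192.0.2.12
192.0.2.13
192.0.2.14
EOF
cat > "$workdir/sweep.gnmap" <<'EOF'
# Nmap scan initiated (constructed header line)
Host: 192.0.2.1 (gw.example.test) Status: Up
Host: 192.0.2.10 () Status: Up
Host: 192.0.2.11 () Status: Down
Host: 192.0.2.13 (files.example.test) Status: Up
# Nmap done (constructed footer line)
EOF

# Print each address that nmap reported as "Status: Up", once, in file order.
live_hosts() {
    awk '$1 == "Host:" && $(NF-1) == "Status:" && $NF == "Up" && !seen[$2]++ { print $2 }' "$1"
}

# Print listed targets that are not in the live set: $1 = target list, $2 = .gnmap file.
# Hosts marked Down and hosts missing from the output are both reported.
silent_hosts() {
    live=$(mktemp)
    live_hosts "$2" > "$live"
    awk -v livefile="$live" '
        BEGIN { while ((getline ip < livefile) > 0) up[ip] = 1 }
        NF && $1 !~ /^#/ && !($1 in up) { print $1 }' "$1"
    rm -f "$live"
}

echo "Responding:"
live_hosts "$workdir/sweep.gnmap"
echo "No reply (filtered ICMP, powered off, or stale inventory entry):"
silent_hosts "$workdir/targets.txt" "$workdir/sweep.gnmap"
```

A host in the second list is not necessarily down: a firewall that drops ICMP echo requests produces the same result, so treat the list as entries to verify by other means.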