How it works...

Nmap performs layer 2 scanning by sending out ARP requests to the broadcast address for a series of IP addresses and identifies live hosts by flagging responses. Because this functionality is already integrated into Nmap, it can be executed by simply providing the appropriate arguments.

Nmap performs layer 3 scanning by sending out ICMP echo requests for each IP address within the supplied range or text file. As Nmap is a multithreaded tool, multiple requests are sent out in parallel, and results are quickly returned to the user. As Nmap's discovery function is adaptive, it will only use ICMP discovery if ARP discovery cannot effectively locate the host on the local subnet. If neither ARP discovery nor ICMP discovery is effective in identifying a live host at a given IP address, layer 4 discovery techniques will be employed.

Nmap performs layer 4 scanning by sending a series of TCP ACK packets to arbitrary ports on the target system and attempts to solicit an RST response as an indication of a live system. The technique used by Nmap to perform UDP discovery, however, is somewhat different from the technique we discussed with Scapy. Rather than merely relying on ICMP host-unreachable responses, which can be inconsistent or blocked, Nmap also performs host discovery by delivering service-specific requests to targeted ports in an attempt to solicit a response.
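Seen from the monitoring side, each of these discovery techniques leaves a fan-out pattern: one source probing many distinct addresses with the same probe type. The following is an added example, not code from the book or from Nmap, that flags such sweeps in a list of observed events. The event tuple format, the `min_hosts` threshold, and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Probe kinds named in the text, mapped to the layer the text assigns them.
LAYER = {"arp_request": 2, "icmp_echo": 3, "tcp_ack": 4, "udp": 4}


def find_sweeps(events, min_hosts=4):
    """Return {(src, kind): layer} for sources probing >= min_hosts targets.

    events: iterable of (src, dst, kind, established) tuples (assumed format).
    `established` is True when an ACK belongs to a connection whose handshake
    the sensor saw; discovery ACKs are unsolicited, so only those are counted.
    """
    targets = defaultdict(set)
    for src, dst, kind, established in events:
        if kind not in LAYER:
            continue
        if kind == "tcp_ack" and established:
            continue  # ordinary session traffic, not a discovery probe
        targets[(src, kind)].add(dst)
    return {
        key: LAYER[key[1]]
        for key, dsts in targets.items()
        if len(dsts) >= min_hosts
    }


def sample_events():
    """Constructed sample data (documentation/private ranges, not a capture)."""
    # 10.0.0.5 sweeps its own subnet with ARP, then remote hosts with bare ACKs.
    ev = [("10.0.0.5", f"10.0.0.{i}", "arp_request", False) for i in range(1, 7)]
    ev += [("10.0.0.5", f"203.0.113.{i}", "tcp_ack", False) for i in range(1, 6)]
    # 10.0.0.20 is a normal workstation: two ARP lookups, ACKs on real sessions.
    ev += [("10.0.0.20", f"10.0.0.{i}", "arp_request", False) for i in (1, 2)]
    ev += [("10.0.0.20", f"198.51.100.{i}", "tcp_ack", True) for i in range(1, 6)]
    # 10.0.0.30 pings two hosts, which stays under the default threshold.
    ev += [("10.0.0.30", f"10.0.0.{i}", "icmp_echo", False) for i in (1, 2)]
    return ev


if __name__ == "__main__":
    for (src, kind), layer in sorted(find_sweeps(sample_events()).items()):
        print(f"{src}: layer {layer} discovery sweep ({kind})")
```

The threshold needs tuning per network, since gateways and monitoring hosts legitimately ARP or ping many addresses.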
