Deprecate/disable -PR option as it was not really being checked.

Fixes nmap#1361

CHANGELOG

@@ -1,5 +1,9 @@
 #Nmap Changelog ($Id$); -*-text-*-
 
+o [GH#1361] Deprecate and disable the -PR (ARP ping) host discovery option. ARP
+  ping is already used whenever possible, and the -PR option would not force it
+  to be used in any other case. [Daniel Miller]
+
 o [NSE][GH#1243] Added http-sap-netweaver-leak to detect SAP Netweaver Portal 
   with the Knowledge Management Unit enabled with anonymous access. [ArphanetX]
 

docs/refguide.xml

@@ -371,7 +371,8 @@ you would expect.</para>
     timestamp request is omitted because it is not part of ICMPv6.)
     These defaults are
     equivalent to the <option>-PE -PS443 -PA80 -PP</option> options.
-    The exceptions to this are the ARP (for IPv4) and Neighbor
+    The exceptions to this are the ARP<indexterm><primary>ARP ping</primary></indexterm>
+    (for IPv4) and Neighbor
     Discovery<indexterm><primary>Neighbor Discovery</primary><secondary>for host discovery</secondary></indexterm>
     (for IPv6)
     scans which are used for any targets on a local ethernet network.
@@ -387,10 +388,9 @@ you would expect.</para>
     ping types) can be combined.  You can increase your odds of
     penetrating strict firewalls by sending many probe types using
     different TCP ports/flags and ICMP codes.  Also note that
-    ARP/Neighbor Discovery
-    (<option>-PR</option>)<indexterm><primary><option>-PR</option></primary></indexterm>
+    ARP/Neighbor Discovery <indexterm><primary>ARP ping</primary></indexterm>
     is done by default against
-    targets on a local ethernet network even if you specify other
+    targets on a local Ethernet network even if you specify other
     <option>-P*</option> options, because it is almost always faster
     and more effective.</para>
 
@@ -849,46 +849,6 @@ content can also be affected with the <option>--data</option>,
 
         </listitem>
       </varlistentry>
-      <varlistentry>
-        <term>
-        <option>-PR</option> (ARP Ping)
-          <indexterm><primary><option>-PR</option></primary></indexterm>
-          <indexterm><primary>ARP ping</primary></indexterm>
-        </term>
-        <listitem>
-
-          <para>One of the most common Nmap usage scenarios is to scan
-          an ethernet LAN. On most LANs, especially those using
-          private address ranges specified by <ulink role="hidepdf" url="http://www.rfc-editor.org/rfc/rfc1918.txt">RFC 1918</ulink>, the vast majority of
-          IP addresses are unused at any given time.  When Nmap tries
-          to send a raw IP packet such as an ICMP echo request, the
-          operating system must determine the destination hardware
-          (ARP) address corresponding to the target IP so that it can
-          properly address the ethernet frame.  This is often slow and
-          problematic, since operating systems weren't written with
-          the expectation that they would need to do millions of ARP
-          requests against unavailable hosts in a short time
-          period.</para>
-
-          <para>ARP scan puts Nmap and its optimized algorithms in
-          charge of ARP requests.  And if it gets a response back,
-          Nmap doesn't even need to worry about the IP-based ping
-          packets since it already knows the host is up.  This makes
-          ARP scan much faster and more reliable than IP-based scans.
-          So it is done by default when scanning ethernet hosts that Nmap
-          detects are on a local ethernet network.  Even if different
-          ping types (such as <option>-PE</option> or
-          <option>-PS</option>) are specified, Nmap uses ARP instead
-          for any of the targets which are on the same LAN.  If you
-          absolutely don't want to do an ARP scan, specify
-          <option>--disable-arp-ping</option>.</para>
-
-          <para>For IPv6 (-6 option), <option>-PR</option> uses ICMPv6
-          Neighbor Discovery instead of ARP. Neighbor Discovery, defined
-          in RFC 4861, can be seen as the IPv6 equivalent of ARP.</para>
-
-        </listitem>
-      </varlistentry>
 
       <varlistentry>
         <term>

nmap.cc

@@ -1161,8 +1161,10 @@ void parse_options(int argc, char **argv) {
         }
         o.pingtype |= PINGTYPE_NONE;
       }
-      else if (*optarg == 'R')
-        o.pingtype |= PINGTYPE_ARP;
+      else if (*optarg == 'R') {
+        if (o.verbose > 0)
+          error("The -PR option is deprecated. ARP scan is always done when possible.");
+      }
       else if (*optarg == 'S') {
         if (ports.syn_ping_count > 0)
           fatal("Only one -PS option is allowed. Combine port ranges with commas.");
@@ -1238,7 +1240,7 @@ void parse_options(int argc, char **argv) {
           assert(ports.proto_ping_count > 0);
         }
       } else {
-        fatal("Illegal Argument to -P, use -Pn, -PE, -PS, -PA, -PP, -PM, -PU, -PY, -PR, or -PO");
+        fatal("Illegal Argument to -P, use -Pn, -PE, -PS, -PA, -PP, -PM, -PU, -PY, or -PO");
       }
       break;
     case 'p':

nmap.h

@@ -292,7 +292,7 @@
 /* # define PINGTYPE_RAWTCP 128 used to be here, but was never used. */
 #define PINGTYPE_CONNECTTCP 256
 #define PINGTYPE_UDP  512
-#define PINGTYPE_ARP 1024
+/* #define PINGTYPE_ARP 1024 // Not used; see o.implicitARPPing */
 #define PINGTYPE_PROTO 2048
 #define PINGTYPE_SCTP_INIT 4096
 

targets.cc

@@ -591,7 +591,7 @@ static void refresh_hostbatch(HostGroupState *hs, const addrset *exclude_group,
       hs->hostbatch[0]->af() == AF_INET &&
       hs->hostbatch[0]->directlyConnected() &&
       o.sendpref != PACKET_SEND_IP_STRONG &&
-      (pingtype == PINGTYPE_ARP || o.implicitARPPing)) {
+      o.implicitARPPing) {
     arpping(hs->hostbatch, hs->current_batch_sz);
     arpping_done = true;
   }
@@ -602,7 +602,7 @@ static void refresh_hostbatch(HostGroupState *hs, const addrset *exclude_group,
       hs->hostbatch[0]->af() == AF_INET6 &&
       hs->hostbatch[0]->directlyConnected() &&
       o.sendpref != PACKET_SEND_IP_STRONG &&
-      (pingtype == PINGTYPE_ARP || o.implicitARPPing)) {
+      o.implicitARPPing) {
     arpping(hs->hostbatch, hs->current_batch_sz);
     arpping_done = true;
   }