@@ -352,8 +352,8 @@ you would expect.</para>
352352 discovery is sometimes called ping scan, but it goes well beyond
353353 the simple ICMP echo request packets associated with the
354354 ubiquitous <application >ping</application > tool. Users can skip
355- the ping step entirely with a list scan (<option >-sL</option >) or
356- by disabling ping (<option >-Pn</option >), or engage the network
355+ the discovery step entirely with a list scan (<option >-sL</option >) or
356+ by disabling host discovery (<option >-Pn</option >), or engage the network
357357 with arbitrary combinations of multi-port TCP SYN/ACK, UDP, SCTP
358358 INIT and ICMP probes. The goal of these probes is to solicit
359359 responses which demonstrate that an IP address is actually active
@@ -400,7 +400,7 @@ you would expect.</para>
400400 probes (<option >-PU</option >). Read about the
401401 <option >-sn</option > option to learn how to perform
402402 only host discovery, or use <option >-Pn</option > to skip host
403- discovery and port scan all target hosts . The following options
403+ discovery and port scan all target addresses . The following options
404404 control host discovery:</para >
405405
406406 <variablelist >
@@ -429,17 +429,18 @@ you would expect.</para>
429429
430430 <para >Since the idea is to simply print a list of target
431431 hosts, options for higher level functionality such as port
432- scanning, OS detection, or ping scanning cannot be combined
433- with this. If you wish to disable ping scanning while still
432+ scanning, OS detection, or host discovery cannot be combined
433+ with this. If you wish to disable host discovery while still
434434 performing such higher level functionality, read up on the
435- <option >-Pn</option > (skip ping ) option.</para >
435+ <option >-Pn</option > (skip host discovery ) option.</para >
436436 </listitem >
437437 </varlistentry >
438438
439439 <varlistentry >
440440 <term >
441441 <option >-sn</option > (No port scan)
442442 <indexterm ><primary ><option >-sn</option ></primary ></indexterm >
443+ <indexterm ><primary >host discovery</primary ></indexterm >
443444 <indexterm ><primary >ping scan</primary ></indexterm >
444445 <indexterm ><primary >port scan</primary ><secondary >disabling with <option >-sn</option ></secondary ></indexterm >
445446 </term >
@@ -473,8 +474,7 @@ you would expect.</para>
473474 are used unless
474475 <option >--send-ip</option > was specified.
475476 The <option >-sn</option > option can be combined with any of the
476- discovery probe types (the <option >-P*</option > options,
477- excluding <option >-Pn</option >) for greater flexibility.
477+ discovery probe types (the <option >-P*</option > options) for greater flexibility.
478478 If any of those probe type and port number options are
479479 used, the default probes are
480480 overridden. When strict firewalls are in place between the
@@ -498,9 +498,10 @@ you would expect.</para>
498498 <indexterm ><primary >host discovery</primary ><secondary >disabling</secondary ></indexterm >
499499 </term >
500500 <listitem >
501- <para >This option skips the Nmap discovery stage altogether.
501+ <para >This option skips the host discovery stage altogether.
502502 Normally, Nmap uses this stage to determine active machines
503- for heavier scanning. By default, Nmap only performs heavy
503+ for heavier scanning and to gauge the speed of the network.
504+ By default, Nmap only performs heavy
504505 probing such as port scans, version detection, or OS
505506 detection against hosts that are found to be up. Disabling
506507 host discovery with <option >-Pn</option > causes Nmap to
@@ -511,10 +512,11 @@ you would expect.</para>
511512 Proper host discovery is skipped as with the list scan, but
512513 instead of stopping and printing the target list, Nmap
513514 continues to perform requested functions as if each target
514- IP is active. To skip ping scan <emphasis >and</emphasis > port
515+ IP is active. Default timing parameters are used, which may result in
516+ slower scans. To skip host discovery <emphasis >and</emphasis > port
515517 scan, while still allowing NSE to run, use the two options
516518 <option >-Pn -sn</option > together.</para >
517-
519+
518520 <para >For machines on a local ethernet network, ARP
519521 scanning will still be performed (unless
520522 <option >--disable-arp-ping</option > or <option >--send-ip</option > is specified) because Nmap needs
@@ -3159,7 +3161,7 @@ lists the relevant options and describes what they do.</para>
31593161
31603162 <listitem >
31613163 <para >The <option >-f</option > option causes the requested scan (including
3162- ping scans) to use tiny fragmented IP packets. The idea
3164+ host discovery scans) to use tiny fragmented IP packets. The idea
31633165 is to split up the TCP header over several packets to
31643166 make it harder for packet filters, intrusion detection
31653167 systems, and other annoyances to detect what you are
@@ -3245,7 +3247,7 @@ services.</para>
32453247 (so the decoy networks don't see you in their nameserver
32463248 logs). Right now random IP address generation is only supported with IPv4</para >
32473249
3248- <para >Decoys are used both in the initial ping scan (using
3250+ <para >Decoys are used both in the initial host discovery scan (using
32493251 ICMP, SYN, ACK, or whatever) and during the actual port
32503252 scanning phase. Decoys are also used during remote OS
32513253 detection (<option >-O</option >). Decoys do not work with
0 commit comments