
I ran an nmap -sn scan on a host, and nmap reported the host as down. I then pinged the same host with ping and got ICMP responses. I'm confused, because I was sure that -sn, among other things, did an ICMP echo request.

Output from my two commands:

~ $ nmap -sn 192.168.1.237 

Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-16 09:35 BST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.00 seconds

~ $ ping 192.168.1.237
PING 192.168.1.237 (192.168.1.237) 56(84) bytes of data.
64 bytes from 192.168.1.237: icmp_seq=1 ttl=128 time=9.82 ms
64 bytes from 192.168.1.237: icmp_seq=2 ttl=128 time=5.25 ms
64 bytes from 192.168.1.237: icmp_seq=3 ttl=128 time=2.95 ms
64 bytes from 192.168.1.237: icmp_seq=4 ttl=128 time=9.10 ms
^C
--- 192.168.1.237 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 2.957/6.785/9.826/2.810 ms

Any ideas why Nmap could be confused? I'm running the scan from my Ubuntu 16.04 box; the target is a Windows 10 box.

Anders
Juicy
  • Try `-T2 --scan-delay 1s --reason -n -Pn -sO -p1` or even `-T2 --scan-delay 1s --reason -n -Pn -sP` – atdre Aug 21 '16 at 20:50
  • The flags `-T2 --scan-delay 1s --reason -n -Pn -sP` I don't think do anything of value unless combined with others? It boils down to just `-sP -Pn`. And `-sP` is just the old flag for `-sn`. So it's basically asking for a service scan without a ping or port scan. So it returns "host is up" on any IP. `nmap -sO -Pn -n 0.0.0.0` returns `Host is up.` – Chris Jun 20 '20 at 04:53

1 Answer

If you want to run a ping scan, make sure you are running as root.

From nmap archived docco:

When you run an Nmap ping scan as root, the default is to use the ICMP and ACK methods. Non-root users will use the connect() method, which attempts to connect to a machine, waiting for a response, and tearing down the connection as soon as it has been established (similar to the SYN/ACK method for root users, but this one establishes a full TCP connection!)

So you need

sudo nmap -sn 192.168.1.237 

Your ping will have the SUID bit set, so that it always runs as root no matter which user you execute it under. This is why it is possible for ping to detect the server, whereas nmap cannot.

SilverlightFox
    [Current reference](https://nmap.org/book/man-host-discovery.html) says "For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call." – bonsaiviking Aug 16 '16 at 19:37
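The split the question shows (nmap -sn "down", ping "up") follows directly from the privilege rule in the answer and the comment above: an unprivileged -sn never sends ICMP echo, only TCP connect() probes to 80 and 443, so a host that answers ICMP but silently drops those two connects looks down. The script below is an added example, not code from the question, the answer or the Nmap project; it parses the plain-text nmap -sn output shown above (copied here as constructed sample input), checks the effective UID, and says which probes nmap actually used and what to run next. The probe lists are taken from the Nmap reference guide's host-discovery defaults; the helper names (`parse_nmap_sn`, `diagnose`, `run_nmap_sn`) are this example's own.

```python
"""Explain a 'nmap -sn says down, ping says up' result.

Added example (not from the page or the Nmap project). Assumes nmap's
plain-text summary line format and the documented default -sn probes:
  root        -> ICMP echo, TCP SYN/443, TCP ACK/80, ICMP timestamp
  unprivileged-> connect() to TCP 80 and 443 (no ICMP at all)
"""
from __future__ import annotations

import os
import re
import shutil
import subprocess
from dataclasses import dataclass

# Constructed sample: the exact nmap output from the question above.
SAMPLE_NMAP_OUTPUT = (
    "Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-16 09:35 BST\n"
    "Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn\n"
    "Nmap done: 1 IP address (0 hosts up) scanned in 3.00 seconds\n"
)

DOWN_HINT = re.compile(r"Host seems down")
HOSTS_UP = re.compile(r"\((\d+) hosts? up\)")


@dataclass
class Verdict:
    nmap_saw_up: bool
    privileged: bool
    probes_used: tuple[str, ...]
    advice: str


def discovery_probes(privileged: bool) -> tuple[str, ...]:
    """Default -sn probes per the Nmap reference guide, keyed on privilege."""
    if privileged:
        return ("icmp-echo", "tcp-syn/443", "tcp-ack/80", "icmp-timestamp")
    return ("tcp-connect/80", "tcp-connect/443")


def parse_nmap_sn(output: str) -> bool:
    """True if the 'Nmap done:' summary counted the host as up, else False."""
    m = HOSTS_UP.search(output)
    if m:
        return int(m.group(1)) > 0
    # No summary line: fall back to the explicit 'seems down' note.
    return not DOWN_HINT.search(output)


def diagnose(nmap_output: str, ping_replied: bool, euid: int, target: str) -> Verdict:
    """Combine nmap's verdict, ping's verdict and our privilege into advice."""
    privileged = euid == 0
    up = parse_nmap_sn(nmap_output)
    probes = discovery_probes(privileged)
    if up:
        advice = "nmap and ping agree the host is up; nothing to fix."
    elif ping_replied and not privileged:
        advice = (
            f"unprivileged -sn only sent {', '.join(probes)}; the host answers ICMP "
            f"echo but not those TCP connects. Re-run as root: sudo nmap -sn {target}"
        )
    elif ping_replied:
        advice = (
            "root -sn already sends ICMP echo, yet nmap saw no accepted reply; "
            "re-run with --reason --packet-trace to see what was sent and received"
        )
    else:
        advice = "neither ping nor nmap's probes got a reply; host is down or filtering everything."
    return Verdict(up, privileged, probes, advice)


def run_nmap_sn(target: str) -> str | None:
    """Run a real 'nmap -sn TARGET' if nmap is installed; None otherwise."""
    nmap = shutil.which("nmap")
    if nmap is None:
        return None
    return subprocess.run([nmap, "-sn", target], capture_output=True, text=True).stdout


if __name__ == "__main__":
    target = "192.168.1.237"  # constructed: the address from the question
    output = run_nmap_sn(target) or SAMPLE_NMAP_OUTPUT
    v = diagnose(output, ping_replied=True, euid=os.geteuid(), target=target)
    print(f"nmap saw up: {v.nmap_saw_up}, privileged: {v.privileged}")
    print(f"probes used: {', '.join(v.probes_used)}")
    print(f"advice: {v.advice}")
```

Run as a normal user against the sample output it reports the unprivileged probe set and the `sudo nmap -sn` advice from the answer; under root, if nmap still disagrees with ping, it points at `--reason` and `--packet-trace`, which make nmap print why each host was classified and every probe it sent.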