For a description of this category, see broadcast NSE category in the Nmap documentation.



Discovers servers supporting the ATA over Ethernet protocol. ATA over Ethernet is an ethernet protocol developed by the Brantley Coile Company and allows for simple, high-performance access to SATA drives over Ethernet.


Attempts to discover hosts in the local network using the DNS Service Discovery protocol and sends a NULL UDP packet to each host to test if it is vulnerable to the Avahi NULL UDP packet denial of service (CVE-2011-1002).


Attempts to discover Canon devices (Printers/Scanners) supporting the BJNP protocol by sending BJNP Discover requests to the network broadcast address for both ports associated with the protocol.


Attempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp.


Sends a DHCP request to the broadcast address ( and reports the results. By default, the script uses a static MAC address (DE:AD:CO:DE:CA:FE) in order to prevent IP pool exhaustion.


Sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address, parses the response, then extracts and prints the address along with any options returned by the server.


Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses.


Listens for the LAN sync information broadcasts that the client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more.


Performs network discovery and routing information gathering through Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP).


Discovers HID devices on a LAN by sending a discoveryd network broadcast probe.


Discovers targets that have IGMP Multicast memberships and grabs interesting information.


Discovers Jenkins servers on a LAN by sending a discovery broadcast probe.


Sniffs the network for incoming broadcast communication and attempts to decode the received packets. It supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and a few more. See packetdecoders.lua for more information.


Discovers Microsoft SQL servers in the same broadcast domain.


Attempts to discover master browsers and the domains they manage.


Discovers EMC Networker backup software servers on a LAN by sending a network broadcast query.


Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers.


Discover IPv4 networks using Open Shortest Path First version 2(OSPFv2) protocol.


Sends a special broadcast probe to discover PC-Anywhere hosts running on a LAN.


Discovers PC-DUO remote control hosts and gateways running on a LAN by sending a special broadcast UDP probe.


Discovers routers that are running PIM (Protocol Independent Multicast).


Sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. Root privileges on UNIX are required to run this script since it uses raw sockets. Most operating systems don't respond to broadcast-ping probes, but they can be configured to do so.


Discovers PPPoE (Point-to-Point Protocol over Ethernet) servers using the PPPoE Discovery protocol (PPPoED). PPPoE is an ethernet based protocol so the script has to know what ethernet interface to use for discovery. If no interface is specified, requests are sent out on all available interfaces.


Discovers hosts and routing information from devices running RIPv2 on the LAN. It does so by sending a RIPv2 Request command and collects the responses from all devices responding to the request.


Discovers hosts and routing information from devices running RIPng on the LAN by sending a broadcast RIPng Request command and collecting any responses.


Discovers Sonicwall firewalls which are directly attached (not routed) using the same method as the manufacturers own 'SetupTool'. An interface needs to be configured, as the script broadcasts a UDP packet.


Discovers Sybase Anywhere servers on the LAN by sending broadcast discovery messages.


Discovers Telldus Technologies TellStickNet devices on the LAN. The Telldus TellStick is used to wirelessly control electric devices such as lights, dimmers and electric outlets. For more information:


Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses.


Discovers Versant object databases using the broadcast srvloc protocol.


Wakes a remote system up from sleep by sending a Wake-On-Lan packet.


Retrieves a list of proxy servers on a LAN using the Web Proxy Autodiscovery Protocol (WPAD). It implements both the DHCP and DNS methods of doing so and starts by querying DHCP to get the address. DHCP discovery requires nmap to be running in privileged mode and will be skipped when this is not the case. DNS discovery relies on the script being able to resolve the local domain either through a script argument or by attempting to reverse resolve the local IP.


Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later).


Discovers servers running the X Display Manager Control Protocol (XDMCP) by sending a XDMCP broadcast request to the LAN. Display managers allowing access are marked using the keyword Willing in the result.


Enumerates the authentication methods offered by an EAP (Extensible Authentication Protocol) authenticator for a given identity or for the anonymous identity if no argument is passed.


Uses Multicast Listener Discovery to list the multicast addresses subscribed to by IPv6 multicast listeners on the link-local scope. Addresses in the IANA IPv6 Multicast Address Space Registry have their descriptions listed.


Discovers KNX gateways by sending a KNX Search Request to the multicast address including a UDP payload with destination port 3671. KNX gateways will respond with a KNX Search Response including various information about the gateway, such as KNX address and supported services.


Resolves a hostname by using the LLMNR (Link-Local Multicast Name Resolution) protocol.


Uses the Microsoft LLTD protocol to discover hosts on a local network.


Queries targets for multicast routing information.


Queries for the multicast path from a source to a destination host.


Sends an ICMPv6 echo request packet to the all-nodes link-local multicast address (ff02::1) to discover responsive hosts on a LAN without needing to individually ping each IPv6 address.


Sends an ICMPv6 packet with an invalid extension header to the all-nodes link-local multicast address (ff02::1) to discover (some) available hosts on the LAN. This works because some hosts will respond to this probe with an ICMPv6 Parameter Problem packet.


Attempts to discover available IPv6 hosts on the LAN by sending an MLD (multicast listener discovery) query to the link-local multicast address (ff02::1) and listening for any responses. The query's maximum response delay set to 1 to provoke hosts to respond immediately rather than waiting for other responses from their multicast group.


Performs IPv6 host discovery by triggering stateless address auto-configuration (SLAAC).


Sniffs the local network for a configurable amount of time (10 seconds by default) and prints discovered addresses. If the newtargets script argument is set, discovered addresses are added to the scan queue.