Disable Winpcap Support (--win_nopcap)
The --win_nopcap option disables nmap support for the WinPcap library. Instead of using the normal WinPcap library calls, nmap attempts to use raw sockets.


If this option is enabled, the following line appears in the --win_trace output:
***WinIP***  winpcap support disabled
If both --win_nopcap and --win_norawsock is used, nmap is left with no communication mechanism and the following "strange" error message is displayed:


EXC selected for machine 192.168.0.99
Strange read error from 192.168.0.99: Unknown error
clock
Enabling this option on my Windows XP SP2 system prevented the nmap pings from working, although the actual scan process appeared to work correctly.



Test NT 4.0 Route Code (--win_nt4route)
For nmap to send packets, it must identify the physical network interfaces and decide which connection to the remote device is the best. However, the changes to Windows versions through the years have created many different methods of obtaining this information.

The --win_nt4route option uses an alternative method of finding the best route for nmap to use. If nmap is having difficulty locating a route to a remote device, this option may provide a workaround.

When using this option, the following text can be seen in a level-two debug output (-d -d):
get_best_route: using NT4-compatible method


Test Response to Lack of iphlpapi.dll (--win_noiphlpapi)
The --win_noiphlpapi refers to the use of the iphlpapi.dll library. This library is used by nmap functions to identify network interfaces and send ARP requests.

If this option is selected, nmap will use alternative options for obtaining this IP-specific information. These non-iphlpapi functions are also used if a Windows version doesn't support the IP helper library, such as Windows 95. The IP helper library is already included with the most recent Windows operating systems.

If nmap cannot find the IP helper library, this following message will be displayed:
Your system doesn't have iphlpapi.dll

If you have Win95, maybe you could grab it from a Win98 system
If you have NT4, you need service pack 4 or higher
If you have NT3.51, try grabbing it from an NT4 system
Otherwise, your system has problems ;-)

Trace Through Raw IP Initialization (--win_trace)
The --win_trace option is extremely useful for Windows users who are having problems running nmap. The Windows IP initialization process includes the identification of the interfaces, the identification of communication libraries (WinPcap and raw sockets), and the recognition of a privileged Window user.

The Windows IP trace option displays this information with the normal nmap output:
***WinIP***  initializing if tables
***WinIP***  if tables complete :)
***WinIP***  trying to initialize winpcap 2.1
***WinIP***  winpcap present, dynamic linked to: WinPcap version 3.1 beta4 (pack
et.dll version 3, 1, 0, 24), based on libpcap version 0.8.3
***WinIP***  testing for raw sockets
***WinIP***  rawsock is available
***WinIP***  reading winpcap interface list
***WinIP***  init \Device\NPF_GenericNdisWanAdapter (ASCII)
pcap device:  \Device\NPF_GenericNdisWanAdapter
***WinIP***  init \Device\NPF_{D37FB73B-773F-4941-B09E-51D487A0B724} (ASCII)
pcap device:  \Device\NPF_{D37FB73B-773F-4941-B09E-51D487A0B724}
 result:       physaddr (0x00114343a834) matches eth0
***WinIP***  o.isr00t = 1

Skip IP Initialization (--win_skip_winip_init)
The --win_skip_winip_init option completely bypasses the Windows-related IP initialization process. This option is useful during a troubleshooting session where the Windows IP initialization process is in question.

If nmap starts normally and begins the scan without initializing the Windows IP system, the following message is displayed:
winip not initialized yet

QUITTING!