When run as a normal (unprivileged) user, Nmap has more limited options and sends TCP SYN packets to ports 80 and 443 for both local and remote host discovery.
Discovery methods:
-PA — Use TCP ACK packets for host discovery; otherwise the same as -PS.
-PE — Use ICMP Echo for host discovery. (Note that Nmap will still not send the echo request if host existence can be verified using the initial ARP request.)
-PM — Use ICMP Address Mask for host discovery. (More-or-less the same as -PP, just a different ICMP request type.)
-PP — Use ICMP Timestamp for host discovery. (Less likely to be blocked by firewalls than -PE, but also a more unusual request that may stand out. Like -PE, Nmap will still not send the timestamp request if host existence can be verified using the initial ARP request.)
-PR — Use ARP packets only for host discovery.
-PS — Use TCP SYN packets for host discovery. Uses port 80 by default, or you can specify a port list (e.g., -PS80,8080,8888) or range (e.g. -PS20-30). (Note that unprivileged users must complete a full TCP handshake.)
-PU — Use UDP packets for host discovery. Unlike other types of host discovery scans, UDP scans only generate a reply (ICMP Port Unreachable) if the target port is closed.
Most of the time the default discovery options (or -Pn) are fine. The above options are mostly useful for unusual networks or if there’s a need to be extra-stealthy.
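From the monitoring side, each option above leaves a recognizable probe type on the wire, and a discovery sweep shows up as one source sending the same probe type to many hosts. The following is an added example, not part of the original page: the record fields (src, dst, proto, type, flags, op, payload_len), the threshold, and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# ICMP request types behind the ICMP discovery options in the list above.
ICMP_PROBES = {8: "-PE", 13: "-PP", 17: "-PM"}

def classify_probe(pkt):
    """Return the Nmap discovery option a packet record resembles, or None."""
    proto = pkt["proto"]
    if proto == "arp":
        return "-PR" if pkt.get("op") == "request" else None
    if proto == "icmp":
        return ICMP_PROBES.get(pkt.get("type"))
    if proto == "udp":
        # Heuristic (assumption): discovery probes carry no payload.
        return "-PU" if pkt.get("payload_len", 0) == 0 else None
    if proto == "tcp":
        # Records are assumed to be packets that matched no tracked connection.
        return {"S": "-PS", "A": "-PA"}.get(pkt.get("flags"))
    return None

def find_sweeps(packets, min_hosts=3):
    """Report sources that sent one probe type to at least min_hosts hosts."""
    seen = defaultdict(set)  # (src, option) -> distinct destinations
    for pkt in packets:
        option = classify_probe(pkt)
        if option:
            seen[(pkt["src"], option)].add(pkt["dst"])
    sweeps = defaultdict(dict)
    for (src, option), dsts in seen.items():
        if len(dsts) >= min_hosts:
            sweeps[src][option] = len(dsts)
    return dict(sweeps)

# Constructed sample records (not real traffic).
SAMPLE = (
    [{"src": "10.0.0.5", "dst": f"10.0.0.{n}", "proto": "icmp", "type": 13}
     for n in range(20, 24)]
    + [{"src": "10.0.0.7", "dst": f"10.0.0.{n}", "proto": "tcp",
        "flags": "A", "dport": 80} for n in range(20, 23)]
    + [{"src": "10.0.0.9", "dst": "10.0.0.20", "proto": "tcp",
        "flags": "S", "dport": 443}]
)

if __name__ == "__main__":
    for src, probes in find_sweeps(SAMPLE).items():
        print(src, probes)
```

The single SYN from 10.0.0.9 is not reported, since one connection attempt to one host is ordinary traffic; only the repeated timestamp requests and unsolicited ACKs cross the threshold.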