Home page logo

nmap-dev logo Nmap Development mailing list archives

path inspection
From: Florin Andrei <florin () sgi com>
Date: 31 Oct 2003 11:42:21 -0800

Suppose you scan a host and find out that port 80 is "closed". Does that
mean that there's no service running on it, or there's a packet filter
right on that host itself?
No, there might be a firewall somewhere in the path between you and the
How can you tell where exactly port 80 gets dropped?
Easy: just send out probes on port 80 with increasing TTL. When you get
the "port closed" response, and if the TTL is smaller than the number of
hops between you and the host, there you are, you stumbled upon a

I would be _delighted_ to see this thing implemented in nmap. I'm aware
that it's a "paradigm shift" from the functions normally provided by
nmap, but it would be very useful.
Currently, if i wanna see where exactly that packet gets dropped, i have
to install some other software, which is kinda painful, especially when
in a hurry.
Or i have to use nmap and increase TTL manually, which is tedious and
nmap is not designed to be used like that anyway (it doesn't print too
much stuff that's useful in this scenario).

Automating the TTL-increase process in nmap, and printing things that
make sense in this scenario would help.

Essentially, what i'm asking for is an "arbitrary-protocol traceroute":
start with TTL=1, increase it by 1, and print what's going on at every

Thank you,

Florin Andrei


For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]