I am having trouble with nmap sending multiple probes to
the same port to the same target. Because of this, a scan
of all ports takes many days instead of an hour or two. I
am using nmap version 3.81 on Debian 3.1 (sarge).

Here is what the scan looks like:

# nmap -sT -P0 -p 1-65535 --packet_trace 192.0.2.1
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-01-06 09:47 CST
CONN (0.3610s) TCP localhost > 192.0.2.1:21 => Operation now in progress
CONN (0.3610s) TCP localhost > 192.0.2.1:636 => Operation now in progress
CONN (0.3610s) TCP localhost > 192.0.2.1:25 => Operation now in progress
CONN (0.3610s) TCP localhost > 192.0.2.1:1723 => Operation now in progress
CONN (0.3610s) TCP localhost > 192.0.2.1:389 => Operation now in progress
CONN (0.3610s) TCP localhost > 192.0.2.1:53 => Operation now in progress
CONN (0.3610s) TCP localhost > 192.0.2.1:256 => Operation now in progress
CONN (0.3610s) TCP localhost > 192.0.2.1:443 => Operation now in progress
CONN (0.3610s) TCP localhost > 192.0.2.1:3389 => Operation now in progress
CONN (0.3610s) TCP localhost > 192.0.2.1:22 => Operation now in progress
CONN (1.5020s) TCP localhost > 192.0.2.1:22 => Operation now in progress
CONN (1.5020s) TCP localhost > 192.0.2.1:3389 => Operation now in progress
CONN (1.5020s) TCP localhost > 192.0.2.1:443 => Operation now in progress
CONN (1.5020s) TCP localhost > 192.0.2.1:256 => Operation now in progress
CONN (1.5020s) TCP localhost > 192.0.2.1:53 => Operation now in progress
CONN (1.5020s) TCP localhost > 192.0.2.1:389 => Operation now in progress
CONN (1.5020s) TCP localhost > 192.0.2.1:1723 => Operation now in progress
CONN (1.5020s) TCP localhost > 192.0.2.1:636 => Operation now in progress
CONN (1.5020s) TCP localhost > 192.0.2.1:113 => Operation now in progress
CONN (1.5020s) TCP localhost > 192.0.2.1:23 => Operation now in progress
CONN (1.5020s) TCP localhost > 192.0.2.1:554 => Operation now in progress
CONN (1.5020s) TCP localhost > 192.0.2.1:80 => Operation now in progress
CONN (1.6020s) TCP localhost > 192.0.2.1:23 => Operation now in progress
CONN (1.6020s) TCP localhost > 192.0.2.1:554 => Operation now in progress
CONN (2.7020s) TCP localhost > 192.0.2.1:554 => Operation now in progress
CONN (2.7020s) TCP localhost > 192.0.2.1:23 => Operation now in progress
CONN (3.8120s) TCP localhost > 192.0.2.1:23 => Operation now in progress
CONN (3.8430s) TCP localhost > 192.0.2.1:113 => Operation now in progress
CONN (3.9520s) TCP localhost > 192.0.2.1:113 => Operation now in progress
CONN (4.0510s) TCP localhost > 192.0.2.1:113 => Operation now in progress
CONN (5.1620s) TCP localhost > 192.0.2.1:113 => Operation now in progress
CONN (5.1920s) TCP localhost > 192.0.2.1:636 => Operation now in progress
CONN (5.2920s) TCP localhost > 192.0.2.1:636 => Operation now in progress
CONN (5.3920s) TCP localhost > 192.0.2.1:636 => Operation now in progress
CONN (6.5020s) TCP localhost > 192.0.2.1:636 => Operation now in progress
CONN (6.5320s) TCP localhost > 192.0.2.1:1723 => Operation now in progress
CONN (6.6320s) TCP localhost > 192.0.2.1:1723 => Operation now in progress
CONN (6.7320s) TCP localhost > 192.0.2.1:1723 => Operation now in progress
CONN (6.8320s) TCP localhost > 192.0.2.1:1723 => Operation now in progress

The IP address has been changed for privacy.

I have seen as many as seven probes per port after running
for a while.

This scan is running over the Internet and the box running
nmap has a public IP and is directly connected to the
Internet without any kind of filtering on my end. The
target end goes through a PIX and ports 25 and 80 are
PATted through to a server on the inside and packets to
all other ports should be dropped.

I have looked at the packets on the wire and for every
port except for 25 and 80 there is no response.

I suppose this is a feature and nmap is doing this on
purpose, but I don't understand why. Does anyone know why
it is sending multiple probes like this and how I can get
it to just send a single probe for each port?

chok
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on Jan 11 2006
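
One way to quantify the repeated probes in a trace like the one quoted above, as an added example that is not part of the original post: it tallies the CONN lines of --packet_trace output per target port and reports the gaps between repeated attempts. The sample input is an excerpt of the post's own trace (ports 113 and 80); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the trace quoted in the post (ports 113 and 80 only), kept with
# the e-mail's hard line wrapping to show that the parser tolerates it.
SAMPLE_TRACE = """\
CONN (1.5020s) TCP localhost > 192.0.2.1:113 => Operation
now in progress
CONN (1.5020s) TCP localhost > 192.0.2.1:80 => Operation
now in progress
CONN (3.8430s) TCP localhost > 192.0.2.1:113 => Operation
now in progress
CONN (3.9520s) TCP localhost > 192.0.2.1:113 => Operation
now in progress
CONN (4.0510s) TCP localhost > 192.0.2.1:113 => Operation
now in progress
CONN (5.1620s) TCP localhost > 192.0.2.1:113 => Operation
now in progress
"""

# Matches the connect() attempt lines; wrapped continuation lines do not match.
CONN_RE = re.compile(r"^CONN \((\d+\.\d+)s\) TCP \S+ > ([\d.]+):(\d+) =>")


def probe_times(trace):
    """Map (target, port) -> sorted list of connect() attempt timestamps."""
    seen = defaultdict(list)
    for line in trace.splitlines():
        m = CONN_RE.match(line)
        if m:
            seen[(m.group(2), int(m.group(3)))].append(float(m.group(1)))
    return {key: sorted(times) for key, times in seen.items()}


def retransmit_report(trace):
    """Return {(target, port): (probe_count, gaps between successive probes)}."""
    report = {}
    for key, times in probe_times(trace).items():
        gaps = [round(b - a, 4) for a, b in zip(times, times[1:])]
        report[key] = (len(times), gaps)
    return report


if __name__ == "__main__":
    for (target, port), (count, gaps) in sorted(retransmit_report(SAMPLE_TRACE).items()):
        print(f"{target}:{port}  {count} probe(s), gaps in seconds: {gaps}")
```
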