Nmap Development: Re: Why does nmap send multiple probes to the same port?

Re: Why does nmap send multiple probes to the same port?

From: Casey Williams <Lists_at_aviditysoftware.com>
Date: Wed, 11 Jan 2006 23:11:23 -0600

On 04:37 Thu 01/12/06 Jan , Andreas Ericsson wrote:
> Casey Williams wrote:
> >I've noticed the same thing with -sS and -P0 which I didn't think used
> >connect(). I've actually been wondering about this recently myself
> >because I've been writing my own lightweight port scanning engine using
> >libnet to inject SYN probes. I've noticed that if I loop over the range
> >of IP addresses and immediately send the probe, I won't always get a reply
> >from hosts that I know should have replied. However, if I sleep() for 1
> >millisecond between probe sends, it *will* send the reply. However, this
> >1 ms sleep() can add up over many hosts/ports, and I can't seem to sleep()
> >for a shorter period of time, (even nanosleep() doesn't seem to work for
> >me).
> >
> >***pure conjecture ahead***
> >
> >So I started wondering how nmap was able to be so reliable and yet SO fast
> >(kudos!). Then I realized that it may be sending these "retry" probes to
> >hosts that it doesn't know the status of and that it didn't get a reply
> >from.
> >
> >I've been reading the nmap source and stepping through it, but I haven't
> >verified that this is correct. Am I on the right track? If not, would
> >this tactic be unrecommended?
> >
>
> You're missing the point a bit. The error messages means that nmap
> didn't send those probes. It tried to, but the system told it there was
> already a connection attempt in progress.

I'm slightly off topic since I'm talking about SYN scans instead of connect() scans, and I'm not
certain how your reply would apply to these. (If it does apply to SYN scans, I apologize, I'm fairly
new to this level of TCP/IP programming and I suppose I need to read more :))

In my case, when I try "nmap -sS -P0..." and I sniff the traffic that gets generated from that scan,
I've noticed more than one probe gets sent to the same port on some of the hosts under certain
circumstances. I shouldn't see these "extra" probes in the packet capture if NMap didn't actually
send them should I? Is this the expected behavior, or am I imagining things? :)

-Casey Williams

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on Jan 11 2006
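A defender-side way to check the question Casey raises (are the extra SYNs to one port really on the wire, and are they kernel retransmissions of a single connection attempt or freshly generated probes?), as an added example that is not from the list thread or from Nmap: it parses tcpdump-style lines and reports each destination port probed more than once. A repeat that keeps the same source port and initial sequence number is a TCP retransmission of one attempt; any other repeat is a new, independently generated probe. The sample lines are constructed for the example, not a real capture.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture): SYN probes from scanner
# 10.0.0.5 to 10.0.0.9, plus one SYN/ACK reply that must not be counted.
SAMPLE_CAPTURE = """\
23:11:23.000100 IP 10.0.0.5.41234 > 10.0.0.9.22: Flags [S], seq 1000
23:11:23.000350 IP 10.0.0.5.41234 > 10.0.0.9.80: Flags [S], seq 1001
23:11:23.000600 IP 10.0.0.5.41234 > 10.0.0.9.443: Flags [S], seq 1002
23:11:23.000800 IP 10.0.0.9.22 > 10.0.0.5.41234: Flags [S.], seq 5000, ack 1001
23:11:23.250600 IP 10.0.0.5.41234 > 10.0.0.9.443: Flags [S], seq 1002
23:11:24.100900 IP 10.0.0.5.41235 > 10.0.0.9.80: Flags [S], seq 2001
"""

SYN_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[S\], seq (?P<seq>\d+)"  # pure SYN only; "[S.]" (SYN/ACK) is skipped
)

def parse_syn_probes(text):
    """Return outbound SYN probes in time order; SYN/ACKs and other lines are skipped."""
    probes = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        probes.append({"ts": ts, "src": m["src"], "sport": int(m["sport"]),
                       "dst": m["dst"], "dport": int(m["dport"]), "seq": int(m["seq"])})
    return sorted(probes, key=lambda p: p["ts"])

def classify_repeat(first, later):
    """Same source port and same ISN: TCP retransmission of one attempt; else a fresh probe."""
    same_attempt = first["sport"] == later["sport"] and first["seq"] == later["seq"]
    return "retransmission" if same_attempt else "new probe"

def repeated_probes(text):
    """Report each (src, dst, dport) probed more than once as
    (dst, dport, count, kind, seconds between the first two probes)."""
    groups = defaultdict(list)
    for p in parse_syn_probes(text):
        groups[(p["src"], p["dst"], p["dport"])].append(p)
    report = []
    for (src, dst, dport), plist in sorted(groups.items()):
        if len(plist) > 1:
            gap = round(plist[1]["ts"] - plist[0]["ts"], 6)
            report.append((dst, dport, len(plist), classify_repeat(plist[0], plist[1]), gap))
    return report
```

On the constructed sample, port 443 is flagged as a retransmission (same source port 41234, same ISN) and port 80 as a new probe from a different source port, which is the distinction to look for in a real capture.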
