Re: Why does nmap send multiple probes to the same port?
From: Richard van den Berg <richard.vandenberg () ins com>
Date: Thu, 12 Jan 2006 08:43:49 +0000

Casey Williams wrote:
> In my case, when I try "nmap -sS -P0..." and I sniff the traffic that gets generated from that scan, I've noticed more
> than one probe gets sent to the same port on some of the hosts under certain circumstances. I shouldn't see these
> "extra" probes in the packet capture if NMap didn't actually send them should I?

If your packet sniffer sees them on the wire, they were sent for sure.
That's the reason you are using a packet sniffer, and not relying on
application logs. :-) I can confirm that nmap sends out retries under
certain conditions. This is documented in the man page. I looked it up
yesterday when I saw it happening. An easy way to reproduce this is to
set the --host_timeout really low. Nmap will send retries until the
first probe is responded to. You can tune the number of retries using
--max_retries. See http://www.insecure.org/nmap/man/man-performance.html
Richard van den Berg
Sent through the nmap-dev mailing list