Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Why does nmap send multiple probes to the same port?
From: Richard van den Berg <richard.vandenberg () ins com>
Date: Thu, 12 Jan 2006 08:43:49 +0000

Casey Williams wrote:

In my case, when I try "nmap -sS -P0..." and I sniff the traffic that gets generated from that scan, I've noticed more 
than one probe gets sent to the same port on some of the hosts under certain  circumstances.  I shouldn't see these 
"extra" probes in the packet capture if NMap didn't actually send them should I?

If your packet sniffer sees them on the wire, they were sent for sure. 
That's the reason you are using a packet sniffer, and not relying on 
application logs. :-) I can confirm that nmap sends out retries under 
certain conditions. This is documented in the man page. I looked it up 
yesterday when I saw it happening. An easy way to reproduce this is to 
set the --host_timeout really low. Nmap will send retries until the 
first probe is responded to. You can tune the number of retries using 
--max_retries. See http://www.insecure.org/nmap/man/man-performance.html||


Richard van den Berg

Sent through the nmap-dev mailing list

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]