Nmap Development: Re: Can't see nmap traffic

Re: Can't see nmap traffic

From: Kris Katterjohn <katterjohn_at_gmail.com>
Date: Fri, 9 Nov 2007 14:07:21 -0600

On Nov 9, 2007 7:41 AM, Diman Todorov <diman_at_xover.htu.tuwien.ac.at> wrote:
>
> On Nov 9, 2007, at 1:47 PM, Kris Katterjohn wrote:
>
>
> > On Nov 9, 2007 5:36 AM, Walker JWalker <j_walker2_at_hotmail.com> wrote:
> >>
> >> When I scan my local network I can't see the traffic nmap
> >> generates. I've tried both Windows XP SP2 and Backtrack 2 in
> >> VMWare, with both tcpdump and Wireshark listening on the
> >> correct interface, with no luck. The only time I'm able to see the
> >> packets is if I scan anything other than 192.168.1.0/24.
> >>
> >> K:\nmap-4.20>nmap -sP 192.168.1.65/26
> >>
> >> Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-08 22:44 Eastern Standard Time
> >> Host 192.168.1.100 appears to be up.
> >> MAC Address: 00:00:C5:B5:94:8F (Farallon Computing/netopia)
> >> Host 192.168.1.101 appears to be up.
> >> Host 192.168.1.102 appears to be up.
> >> MAC Address: 00:0C:29:7C:C9:CB (VMware)
> >> Nmap finished: 64 IP addresses (3 hosts up) scanned in 2.328 seconds
> >>
> >> Meanwhile an ICMP filter on both Wireshark and tcpdump shows no
> >> output. Anyone know what could be wrong? I really need to get
> >> this fixed.
> >>
> >
> > Did you always filter for ICMP? When you're scanning a local LAN,
> > Nmap uses ARP packets for the ping scan as this is much more
> > efficient.
>
> this is only 1/2 of the truth ;)
>
> <cited from: http://insecure.org/nmap/man/man-host-discovery.html >
> The -sP option sends an ICMP echo request and a TCP packet to port 80
> by default. When executed by an unprivileged user, only a SYN packet
> is sent (using a connect() call) to port 80 on the target. When a
> privileged user tries to scan targets on a local ethernet network, ARP
> requests (-PR) are used unless --send-ip was specified. The -sP option
> can be combined with any of the discovery probe types (the -P*
> options, excluding -PN) for greater flexibility. If any of those probe
> type and port number options are used, the default probes (ACK and
> echo request) are overridden. When strict firewalls are in place
> between the source host running Nmap and the target network, using
> those advanced techniques is recommended. Otherwise hosts could be
> missed when the firewall drops probes or their responses.
> </cited>
>
> I am not sure, but I believe I remember that on Windows machines nmap
> doesn't support scan types which involve raw packets. I also think
> that nmap uses raw packets for ICMP scans. Verifying these memories of
> mine should be simple - I tend to rely on them however because I don't
> see why else ICMP echo requests should be omitted when you aren't root.
>
> cheers,
> Diman
>

IIRC Windows uses libdnet to send raw Ethernet frames rather than
sending packets via raw sockets. So if it's not Ethernet, only things
like -sT will work.

But that's only on XP SP2 I think.

Either way, he replied back to me and said that checking for ARP
packets yielded the expected results.

Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Nov 09 2007
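The thread's point is that a privileged Nmap ping scan of a local Ethernet segment goes out as ARP requests, so an ICMP capture filter shows nothing. The following added example (not code from the thread or from Nmap) shows what a defender would look at instead: it parses raw Ethernet/ARP frames and flags a sender that asks "who-has" for many distinct addresses, the on-the-wire footprint of an ARP-based sweep. The frames, the scanner MAC 02:00:00:00:00:01 and the threshold of 16 are constructed assumptions for the demo.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806

def build_arp_request(src_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Construct a raw broadcast Ethernet/ARP 'who-has' frame (sample input only)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, op=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += src_mac + bytes(map(int, src_ip.split(".")))
    arp += b"\x00" * 6 + bytes(map(int, dst_ip.split(".")))  # target MAC unknown
    return eth + arp

def parse_arp_request(frame: bytes):
    """Return (sender_mac, sender_ip, target_ip) for an ARP request frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, 1):
        return None  # not an IPv4-over-Ethernet ARP request (replies are ignored)
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(map(str, frame[28:32]))
    target_ip = ".".join(map(str, frame[38:42]))
    return sender_mac, sender_ip, target_ip

def detect_arp_sweeps(frames, threshold=16):
    """Group ARP requests by sender MAC; report senders probing >= threshold distinct IPs."""
    targets = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed:
            mac, _, target_ip = parsed
            targets[mac].add(target_ip)
    return {mac: len(t) for mac, t in targets.items() if len(t) >= threshold}

# Constructed capture: one host sweeping the /26 from the thread (192.168.1.64-127),
# plus a normal host resolving its gateway once. Assumed MACs, not from the page.
SCANNER_MAC = b"\x02\x00\x00\x00\x00\x01"
SAMPLE_FRAMES = [build_arp_request(SCANNER_MAC, "192.168.1.65", f"192.168.1.{i}")
                 for i in range(64, 128)]
SAMPLE_FRAMES.append(build_arp_request(b"\x02\x00\x00\x00\x00\x02", "192.168.1.100", "192.168.1.1"))

if __name__ == "__main__":
    print(detect_arp_sweeps(SAMPLE_FRAMES))  # {'02:00:00:00:00:01': 64}
```

The same grouping can be run over a real capture by feeding in the raw Ethernet frames of a pcap (e.g. via a pcap reader); with an ICMP-only filter none of these frames would be seen at all.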
