Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Nmap says Host down when actually host is up.
From: Fyodor <fyodor () insecure org>
Date: Thu, 25 Oct 2007 14:23:08 -0700

On Thu, Oct 25, 2007 at 09:08:05AM -0500, Swapnali wrote:
Following is verbose output.

Nmap says Host 10.10.209.108 seems to be a subnet broadcast address
(returned 1 extra pings)

D:\>nmap -sP -vv --packet-trace 10.10.209.108

Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-23 08:40 Central
Daylight
Time
SENT ( 0.2340s) ICMP 10.205.42.40 > 10.10.209.108 Echo request
(type=8/code=0) ttl=56 id=10663 iplen=28
RCVD (0.2660s) ICMP 10.204.100.2 > 10.205.42.40 Echo reply (type=0/code=0)
ttl=249 id=10663 iplen=28

Are you sure this host is really up?  If so, it is strange that it is
replying to the ping packet from a different IP than the one the ping
was sent to.  I normally only see that with subnet-directed broadcast
addresses, so Nmap does not treat the machine as being up unless it
receives the response from the same address it sent to.  It is also
interesting that this target host apparently didn't reply to the port
80 request.  Again, are you sure it is actually up?  What OS is it
running?

Does anyone know if the RFC even allows a machine receiving an ICMP
echo request to respond from a different IP address?  I doubt that is
allowed, but I'm not certain.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault