Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Can't see nmap traffic
From: Diman Todorov <diman () xover htu tuwien ac at>
Date: Fri, 9 Nov 2007 14:41:45 +0100


On Nov 9, 2007, at 1:47 PM, Kris Katterjohn wrote:

On Nov 9, 2007 5:36 AM, Walker JWalker <j_walker2 () hotmail com> wrote:

When I scan my local network I can't see the traffic nmap  
generates.  I've tried both Windows XP SP2 and Backtrack 2 in  
VMWare, and both tcpdump and Wireshark both listening on the  
correct interface with no luck.  The only time I'm able to see the  
packets is if I scan anything other than 192.168.1.0/24.

K:\nmap-4.20>nmap -sP 192.168.1.65/26

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-08 22:44  
Eastern Standard
Time
Host 192.168.1.100 appears to be up.
MAC Address: 00:00:C5:B5:94:8F (Farallon Computing/netopia)
Host 192.168.1.101 appears to be up.
Host 192.168.1.102 appears to be up.
MAC Address: 00:0C:29:7C:C9:CB (VMware)
Nmap finished: 64 IP addresses (3 hosts up) scanned in 2.328 seconds

Mean while an ICMP filter on both Wireshark and tcpdump show no  
output.  Anyone know what could be wrong?  I really need to get  
this fixed.


Did you always filter for ICMP?  When you're scanning a local LAN,
Nmap uses ARP packets for the ping scan as this is much more
efficient.

this is only 1/2 of the truth ;)

<cited from: http://insecure.org/nmap/man/man-host-discovery.html >
The -sP option sends an ICMP echo request and a TCP packet to port 80  
by default. When executed by an unprivileged user, only a SYN packet  
is sent (using a connect() call) to port 80 on the target. When a  
privileged user tries to scan targets on a local ethernet network, ARP  
requests (-PR) are used unless --send-ip was specified. The -sP option  
can be combined with any of the discovery probe types (the -P*  
options, excluding -PN) for greater flexibility. If any of those probe  
type and port number options are used, the default probes (ACK and  
echo request) are overridden. When strict firewalls are in place  
between the source host running Nmap and the target network, using  
those advanced techniques is recommended. Otherwise hosts could be  
missed when the firewall drops probes or their responses.
</cited>

I am not sure but I believe to remember that on windows machines nmap  
doesn't support scan types which involve raw packets. I also think  
that nmap uses raw packets for ICMP scans. Verifying these memories of  
mine should be simple - I tend to rely on them however because I don't  
see why else ICMP echo requests should be omitted when you aren't root.

cheers,
Diman


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]