Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Can't see nmap traffic
From: "Kris Katterjohn" <katterjohn () gmail com>
Date: Fri, 9 Nov 2007 14:07:21 -0600

On Nov 9, 2007 7:41 AM, Diman Todorov <diman () xover htu tuwien ac at> wrote:

On Nov 9, 2007, at 1:47 PM, Kris Katterjohn wrote:


On Nov 9, 2007 5:36 AM, Walker JWalker <j_walker2 () hotmail com> wrote:

When I scan my local network I can't see the traffic nmap
generates.  I've tried both Windows XP SP2 and Backtrack 2 in
VMWare, and both tcpdump and Wireshark both listening on the
correct interface with no luck.  The only time I'm able to see the
packets is if I scan anything other than 192.168.1.0/24.

K:\nmap-4.20>nmap -sP 192.168.1.65/26

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-08 22:44
Eastern Standard
Time
Host 192.168.1.100 appears to be up.
MAC Address: 00:00:C5:B5:94:8F (Farallon Computing/netopia)
Host 192.168.1.101 appears to be up.
Host 192.168.1.102 appears to be up.
MAC Address: 00:0C:29:7C:C9:CB (VMware)
Nmap finished: 64 IP addresses (3 hosts up) scanned in 2.328 seconds

Mean while an ICMP filter on both Wireshark and tcpdump show no
output.  Anyone know what could be wrong?  I really need to get
this fixed.


Did you always filter for ICMP?  When you're scanning a local LAN,
Nmap uses ARP packets for the ping scan as this is much more
efficient.

this is only 1/2 of the truth ;)

<cited from: http://insecure.org/nmap/man/man-host-discovery.html >
The -sP option sends an ICMP echo request and a TCP packet to port 80
by default. When executed by an unprivileged user, only a SYN packet
is sent (using a connect() call) to port 80 on the target. When a
privileged user tries to scan targets on a local ethernet network, ARP
requests (-PR) are used unless --send-ip was specified. The -sP option
can be combined with any of the discovery probe types (the -P*
options, excluding -PN) for greater flexibility. If any of those probe
type and port number options are used, the default probes (ACK and
echo request) are overridden. When strict firewalls are in place
between the source host running Nmap and the target network, using
those advanced techniques is recommended. Otherwise hosts could be
missed when the firewall drops probes or their responses.
</cited>

I am not sure but I believe to remember that on windows machines nmap
doesn't support scan types which involve raw packets. I also think
that nmap uses raw packets for ICMP scans. Verifying these memories of
mine should be simple - I tend to rely on them however because I don't
see why else ICMP echo requests should be omitted when you aren't root.

cheers,
Diman


IIRC Windows uses the libdnet to send raw Ethernet frames rather than
sending packets via raw sockets.  So if it's not Ethernet, only things
like -sT will work.

But that's only on XP SP2 I think.

Either way, he replied back to me and said that checking for ARP
packets yielded the expected results.

Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault