Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Can't see nmap traffic
From: "Kris Katterjohn" <katterjohn () gmail com>
Date: Fri, 9 Nov 2007 14:07:21 -0600

On Nov 9, 2007 7:41 AM, Diman Todorov <diman () xover htu tuwien ac at> wrote:

On Nov 9, 2007, at 1:47 PM, Kris Katterjohn wrote:

On Nov 9, 2007 5:36 AM, Walker JWalker <j_walker2 () hotmail com> wrote:

When I scan my local network I can't see the traffic nmap
generates.  I've tried both Windows XP SP2 and Backtrack 2 in
VMWare, and both tcpdump and Wireshark both listening on the
correct interface with no luck.  The only time I'm able to see the
packets is if I scan anything other than

K:\nmap-4.20>nmap -sP

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-08 22:44
Eastern Standard
Host appears to be up.
MAC Address: 00:00:C5:B5:94:8F (Farallon Computing/netopia)
Host appears to be up.
Host appears to be up.
MAC Address: 00:0C:29:7C:C9:CB (VMware)
Nmap finished: 64 IP addresses (3 hosts up) scanned in 2.328 seconds

Mean while an ICMP filter on both Wireshark and tcpdump show no
output.  Anyone know what could be wrong?  I really need to get
this fixed.

Did you always filter for ICMP?  When you're scanning a local LAN,
Nmap uses ARP packets for the ping scan as this is much more

this is only 1/2 of the truth ;)

<cited from: http://insecure.org/nmap/man/man-host-discovery.html >
The -sP option sends an ICMP echo request and a TCP packet to port 80
by default. When executed by an unprivileged user, only a SYN packet
is sent (using a connect() call) to port 80 on the target. When a
privileged user tries to scan targets on a local ethernet network, ARP
requests (-PR) are used unless --send-ip was specified. The -sP option
can be combined with any of the discovery probe types (the -P*
options, excluding -PN) for greater flexibility. If any of those probe
type and port number options are used, the default probes (ACK and
echo request) are overridden. When strict firewalls are in place
between the source host running Nmap and the target network, using
those advanced techniques is recommended. Otherwise hosts could be
missed when the firewall drops probes or their responses.

I am not sure but I believe to remember that on windows machines nmap
doesn't support scan types which involve raw packets. I also think
that nmap uses raw packets for ICMP scans. Verifying these memories of
mine should be simple - I tend to rely on them however because I don't
see why else ICMP echo requests should be omitted when you aren't root.


IIRC Windows uses the libdnet to send raw Ethernet frames rather than
sending packets via raw sockets.  So if it's not Ethernet, only things
like -sT will work.

But that's only on XP SP2 I think.

Either way, he replied back to me and said that checking for ARP
packets yielded the expected results.

Kris Katterjohn

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]