Nmap Development mailing list archives

Re: Test for open TCP/UDP Ports
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 3 Apr 2008 06:39:51 +0000

There is a fundamental difference in the way TCP and UDP work.  With
TCP you set up a connection via a "full handshake" as you call it.  It
is this handshake and the subsequent acknowledgment of data that give
TCP its reliability.  UDP on the other hand does not have any such
connection setup or acknowledgement built in.  Any UDP packet you get
in response to a probe is entirely up to the application that has the
listening UDP socket.  In fact, the only time you'd expect to get
a packet back is when you send to a closed UDP port (ICMP destination

Even with the --data-length 10 directive, most applications will not
respond to your probe.  One way to try to determine if a UDP port is
open versus filtered is to use "service version" detection with -sV.
The Nmap service fingerprinting engine knows about quite a few UDP
protocols and can often send probes that will elicit a response.

Nmap has *excellent* documentation and you can read a little bit about
the port scanning techniques here:


James "Professor" Messer has put together quite a bit of training
material on Nmap too.  Here is some of his work covering UDP scans:


UDP scans are valuable but you'll probably want to limit your scans to
just a handful of UDP ports like 53, 137, 161, 1900, etc.

The Unicornscan guys have done a lot of work with UDP and have the
ability to automatically send UDP packets with targeted payload to each
service _during_ the actual scanning.  It basically won't work against
hosts that rate-limit ICMP messages though.  You might want to check it


On Thu, 03 Apr 2008 08:24:51 +0200 or thereabouts "ml () bortal de"
<ml () bortal de> wrote:

Hello List,

I would like to test if I can reach an open TCP and UDP port.

Here is the way I use to test a TCP port (-sT does a full handshake,
   /usr/bin/nmap -sT --data-length 10 -n -q -r -e eth0:0 -P0 --open -T Aggressive -p 1234
The results seem to make sense here.

This is the way I check a UDP port:
   /usr/bin/nmap -sU --data-length 10 -n -q -r -e eth0:0 -P0 --open -T Aggressive -p 1234

The weird thing is that it still reports an open port if I unplug the
network cable of 123.123.123.

Where can i read up how nmap does its udp scan?

Thanks, Mario

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
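The three UDP outcomes Brandon describes (a reply means open, an ICMP port unreachable means closed, silence means Nmap's "open|filtered"), and the reason a protocol-aware -sV probe succeeds where a bare --data-length probe does not, can be reproduced with an ordinary connected UDP socket. The script below is an added example for this archive page; it is not code from the thread, from Nmap, or from Unicornscan. The fake "service" it starts, the DNS query bytes, and the helper names (probe_udp, start_fake_service, find_closed_port, shown_by_dash_dash_open) are all constructed for the example. It relies on the kernel reporting an incoming ICMP port unreachable as ECONNREFUSED (Linux/macOS) or a connection reset (Windows) on a connected UDP socket, so no raw sockets or root are needed.

```python
"""Minimal -sU style UDP port classifier (added example, not Nmap code)."""
import errno
import socket
import threading

# Constructed stand-in for an -sV style payload: a DNS query for "." IN NS
# (ID 0x1234, RD set, one question).  Nmap's real probe set lives in its
# nmap-service-probes file; this is just one hand-built datagram.
DNS_NS_QUERY = (
    b"\x12\x34"                  # transaction ID
    b"\x01\x00"                  # flags: standard query, recursion desired
    b"\x00\x01"                  # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x00"                      # QNAME: the root label "."
    b"\x00\x02"                  # QTYPE = NS
    b"\x00\x01"                  # QCLASS = IN
)


def looks_like_dns_query(data):
    """True if data has a DNS header with QR clear and exactly one question."""
    if len(data) < 12:
        return False
    return (data[2] & 0x80) == 0 and int.from_bytes(data[4:6], "big") == 1


def probe_udp(host, port, payload=b"\x00" * 10, timeout=1.0):
    """Send one datagram and return "open", "closed" or "open|filtered"."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        # connect() on a UDP socket makes the kernel surface ICMP errors
        # on the next recv() instead of silently discarding them.
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(4096)
            return "open"                 # the application answered
        except socket.timeout:
            # No reply and no ICMP: a silent listener and a firewall that
            # dropped the probe look identical, hence Nmap's open|filtered.
            return "open|filtered"
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"               # ICMP port unreachable came back
        except OSError as e:
            if e.errno == errno.ECONNREFUSED:
                return "closed"
            raise
    finally:
        s.close()


def shown_by_dash_dash_open(state):
    """--open lists open *and* open|filtered ports, which is why an
    unreachable host still shows every probed UDP port as open."""
    return state in ("open", "open|filtered")


def start_fake_service():
    """Constructed fixture: a UDP listener on 127.0.0.1 that replies only to
    DNS-shaped queries (header echoed with QR=1) and ignores anything else.
    Returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(4096)
            except socket.timeout:
                continue
            if looks_like_dns_query(data):
                srv.sendto(data[:2] + bytes([data[2] | 0x80]) + data[3:], peer)
        srv.close()

    t = threading.Thread(target=loop, daemon=True)
    t.start()

    def stop_fn():
        stop.set()
        t.join()

    return port, stop_fn


def find_closed_port():
    """Constructed helper: take an ephemeral UDP port and release it, so the
    probe hits a port with no listener and the kernel answers with ICMP."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run the three cases against the fake service; returns their states."""
    port, stop = start_fake_service()
    try:
        null_probe = probe_udp("127.0.0.1", port)               # silent
        dns_probe = probe_udp("127.0.0.1", port, DNS_NS_QUERY)  # answered
    finally:
        stop()
    closed = probe_udp("127.0.0.1", find_closed_port())         # ICMP
    return null_probe, dns_probe, closed


if __name__ == "__main__":
    for label, state in zip(("null payload", "DNS query", "no listener"), demo()):
        print(f"{label:12s} -> {state:14s} --open shows it: {shown_by_dash_dash_open(state)}")
```

Against the same listener the ten-byte null payload times out and is reported as open|filtered, while the DNS-shaped payload gets an answer and is reported as open; a port with no listener at all comes back as closed. Since --open keeps open|filtered, an unplugged host (no replies, no ICMP) shows every probed UDP port as "open", which is what Mario saw. Real hosts that rate-limit ICMP blur the closed case further, so treat "closed" as authoritative only when the ICMP actually arrived.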
