Nmap Development mailing list archives

Re: Documentation issue (-F)
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 12 Apr 2012 16:47:16 -0500

On 04/12/2012 04:29 PM, David Fifield wrote:
On Thu, Apr 12, 2012 at 01:09:50PM -0500, Daniel Miller wrote:
List,

From the man page:
-F (Fast (limited port) scan).
       Specifies that you wish to scan fewer ports than the
default. Normally Nmap scans the most common 1,000 ports for each
scanned protocol. With -F, this is reduced to 100.

       Nmap needs an nmap-services file with frequency information
in order to know which ports are the most common. If port
frequency information isn't available, perhaps because of the use
of a custom nmap-services file, -F means to scan only ports that
are named in the services file (normally Nmap scans all named
ports plus ports 1–1024).
Empirically, I see Nmap scans 1000 ports by default, 100 with -F,
and <300 when nmap-services is not available. What is that last
parenthetical statement about? Is this old info which should be
purged?
This is not what I see. When I delete nmap-services from everywhere it
might be found:

$ ./nmap -d3 localhost | egrep -c '^[0-9]+/tcp'
Unable to find nmap-services!  Resorting to /etc/services
Port 2010 proto tcp is duplicated in services file /etc/services
Port 2121 proto tcp is duplicated in services file /etc/services
1200
$ ./nmap -d2 localhost -F | egrep -c '^[0-9]+/tcp'
Unable to find nmap-services!  Resorting to /etc/services
Port 2010 proto tcp is duplicated in services file /etc/services
Port 2121 proto tcp is duplicated in services file /etc/services
313

If you are using "--servicedb /etc/services", --servicedb implies -F, so
you would only see the smaller number.

The part about "all named ports plus ports 1-1024" is this code in
services.cc:

       getpts("1-1024,[1025-]", ports);

David Fifield

Ok, I get it. I was confused by the "normally." This is a small enough issue that I wouldn't press for a change, but if it were to be changed, I'd go for this for the second paragraph:
Nmap needs an nmap-services file with frequency information in order to know which ports are the most common. If port frequency information isn't available, perhaps because of the use of a custom nmap-services file or fallback to the system services file, Nmap scans all named ports plus ports 1–1024. In this case, -F means to scan only ports that are named in the services file.

This preserves the order that the first paragraph uses: describing the normal case first, then the case with -F. Thanks for the clarification!

Dan

P.S. I didn't know until today that --top-ports works to limit the set of ports specified with -p. So combining --top-ports 100 with -p1025- scans the 100-most-common unprivileged ports. Fun fact of the day!

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
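The port-selection rules discussed in this thread (top-N by frequency when nmap-services is available, named ports plus 1-1024 with the /etc/services fallback, named ports only under -F, and --top-ports applied within a -p set), as an added example in Python. This is not Nmap's services.cc; the two service files are constructed samples in the nmap-services and /etc/services layouts, and select_ports is a hypothetical helper.

```python
# Added example (not Nmap's own code): the -F / --top-ports selection rules
# described in the thread, applied to constructed sample service files.
# Constructed sample in nmap-services layout: name  port/proto  open-frequency
NMAP_SERVICES = """\
http      80/tcp    0.484143
telnet    23/tcp    0.221265
https     443/tcp   0.208669
ssh       22/tcp    0.182286
vnc       5900/tcp  0.023560
ms-sql-s  1433/tcp  0.007929
"""
# Constructed sample in /etc/services layout: no frequency column
ETC_SERVICES = """\
ssh       22/tcp
http      80/tcp
vnc       5900/tcp
vnc       5900/tcp   # duplicate entry; Nmap warns, the parser keeps the first
"""

def parse_services(text, proto="tcp"):
    """Return {port: frequency}; frequency is None when the file has no
    frequency column. Duplicate ports keep the first entry."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, p = fields[1].split("/", 1)
        if p == proto:
            freq = float(fields[2]) if len(fields) > 2 else None
            ports.setdefault(int(port), freq)
    return ports

def select_ports(services, fast=False, top=None, restrict=None):
    """fast: -F.  top: --top-ports N.  restrict: the -p set, if given.
    With frequency data: the N most common ports (1000 default, 100 under -F),
    chosen within -p when -p is given. Without frequency data (the
    /etc/services fallback): named ports plus 1-1024, or named only under -F."""
    if any(f is not None for f in services.values()):
        n = top if top is not None else (100 if fast else 1000)
        ranked = sorted((p for p, f in services.items() if f is not None),
                        key=lambda p: (-services[p], p))
        if restrict is not None:
            ranked = [p for p in ranked if p in restrict]
        return set(ranked[:n])
    chosen = set(services) if fast else set(services) | set(range(1, 1025))
    return chosen & restrict if restrict is not None else chosen
```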
