Re: Problem with --traceroute option with 6.00 and 6.25
From: David Fifield <david () bamsoftware com>
Date: Fri, 26 Jul 2013 22:02:08 -0700
On Thu, Jul 04, 2013 at 09:12:09AM +0200, Jorge García - Bardok wrote:
> I've just updated the nmap version I use with my students at school in
> order to have all prepared for next year (sec. school, we teach them what a
> network topology is using zenmap). Since this new version, only two hosts
> appear in traceroute.
>
> This is the output with 6.25 (zenmap quick traceroute, both Windows and
> Linux, also tried with 6.00 from the Ubuntu repo and a compiled 6.25):
I think the difference may be that 6.25 is using TCP (80/tcp) for the
traceroute, and 5.51 is using ICMP (1/icmp).
> Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-04 09:04 Hora de verano romance
> TRACEROUTE (using port 80/tcp)
> Starting Nmap 5.51 ( http://nmap.org ) at 2013-07-04 09:02 Hora de verano romance
> TRACEROUTE (using proto 1/icmp)
I suspect that there is some kind of HTTP proxy or firewall that is
making the target appear to be accessible with a TTL of 2.

Try this to prevent any TCP probes from being sent:

    nmap -sn -PE --traceroute www.google.com

We changed it so that traceroute can use the information gained from
host discovery as regards what probes get responses. That change might
have been made between 5.51 and 6.25. That would explain why 5.51
defaults to ICMP and 6.25 uses TCP (because the target replied to a TCP
probe during host discovery).
The reply during host discovery appears to be "reset". This would have
been in response to an ACK packet to port 80, which is one of the
default host discovery probes.
<status state="up" reason="reset" reason_ttl="127"/>
The responses for ports 80 and 443 have different TTLs, which further
makes me think that there is some kind of proxy two hops from you.
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="54"/><service name="http"
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="52"/><service name="https"
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
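
The TTL comparison made by eye in the message above, written out as an added example (not code from the original message or from the Nmap project): it reads the `reason_ttl` attributes from Nmap XML output and estimates the hop each reply came from. The list of initial TTLs, the function names and the sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Nmap's -oX output. The reason and
# reason_ttl values are those quoted in the message; the address is a placeholder.
SAMPLE_XML = """<nmaprun><host>
<status state="up" reason="reset" reason_ttl="127"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="54"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="52"/></port>
</ports>
</host></nmaprun>"""

# Assumption: the responder used one of these common initial TTL values.
COMMON_INITIAL_TTLS = (64, 128, 255)


def estimate_hop(reply_ttl):
    """Return (assumed initial TTL, traceroute hop) for a received TTL."""
    for initial in COMMON_INITIAL_TTLS:
        if reply_ttl <= initial:
            # A responder at hop n has n-1 routers in front of it.
            return initial, initial - reply_ttl + 1
    raise ValueError(f"TTL out of range: {reply_ttl}")


def ttl_report(xml_text):
    """Map each host address to [(probe, reason, reply_ttl, hop), ...]."""
    report = {}
    for host in ET.fromstring(xml_text).iter("host"):
        found = [("host-discovery", host.find("status"))]
        found += [(f"{p.get('portid')}/{p.get('protocol')}", p.find("state"))
                  for p in host.iter("port")]
        rows = []
        for label, elem in found:
            ttl = int(elem.get("reason_ttl", "0")) if elem is not None else 0
            if ttl > 0:  # treat 0 as "no TTL recorded for this reply"
                rows.append((label, elem.get("reason"), ttl, estimate_hop(ttl)[1]))
        report[host.find("address").get("addr")] = rows
    return report


def hosts_with_mixed_distance(report):
    """Hosts whose replies imply more than one distance: a possible middlebox."""
    return [addr for addr, rows in report.items()
            if len({hop for *_, hop in rows}) > 1]


if __name__ == "__main__":
    for addr, rows in ttl_report(SAMPLE_XML).items():
        for row in rows:
            print(addr, *row)
    print("mixed:", hosts_with_mixed_distance(ttl_report(SAMPLE_XML)))
```

With the values from the message, the host-discovery reset is placed at hop 2 while the SYN-ACKs are placed much further away, which is the mismatch the message attributes to a proxy or firewall. The hop figures are estimates only, since they depend on the assumed initial TTL.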