Home page logo

nmap-dev logo Nmap Development mailing list archives

ACK/URG anomaly
From: "Gisle Vanem" <gvanem () yahoo no>
Date: Thu, 13 Feb 2014 14:43:11 +0100

While using the a 'nmap -sT -O' command to my Linux router (, I see
nmap fails to set ACK/URG flags in some cases where those ACK/URG
fields are non-zero. Commands I used was:
 tcpdump -w nmap.pcap port 53 or port 22   << ! in another shell or background
 nmap -sT -O -p53,22 router
 tshark -Vr nmap.pcap | grep "The urgent pointer field is nonzero"

Details: when the ACK or URG tcp-header field is non-zero, the ACK or URG
flags should also be set. I haven't looked at other flags. From the Wireshark Expert
info when analyzing the nmap.pcap-file:
   [The acknowledgment number field is nonzero while the ACK flag is not set]
   [The urgent pointer field is nonzero while the URG flag is not set]

Is this working-as-designed? Otherwise it should be made clear in the code+docs somewhere (Xmas scan exempted?). AFAICS it isn't. So I assume
libnetutil/TCPheader.cc is to blame here. But I fail to see how.

I've ran the above commands on Win-XP SP3 (MSVC compiled nmap). Can anybody confirm this on Windows or elsewhere?
Attached is nmap.pcap from above windump session.


Attachment: nmap.pcap

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
  • ACK/URG anomaly Gisle Vanem (Feb 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]