Nmap Development mailing list archives

Nmap unknown guess packets that don't receive?

From: Listas - ISecAuditors <listas () isecauditors com>
Date: Thu, 02 Dec 2004 12:45:07 +0100

Hi all,

I was doing some test/captures and see an extrange behabiour.

I'm scanning a server that only has open two ports (25,53), all therest is filtered, but when the machine is scanned without -P0 optionscanning two random filtered ports, nmap sais it receives (usingpacket_trace option) a response that during the scan is not reallyreceived.


That's the nmap output trace:

# nmap 3.70 scan initiated Thu Dec 2 11:57:40 2004 as: nmap -sS -v -n--packet_trace -p 80-81 -oN nmap-ACK.log --scanflags ACK yy.yy.yy.yy

SENT (0.0050s) ICMP xx.xx.xx.xx > yy.yy.yy.yy Echo request(type=8/code=0) ttl=59 id=19541 iplen=28SENT (0.0050s) TCP xx.xx.xx.xx:43998 > yy.yy.yy.yy:80 A ttl=57id=14988 iplen=40 seq=3834672862 win=2048 ack=223377118RCVD (0.0060s) TCP 80.224.33.160:80 > xx.xx.xx.xx:43998 R ttl=255id=47948 iplen=40 seq=223377118 win=0RCVD (0.0940s) ICMP yy.yy.yy.yy > xx.xx.xx.xx Echo reply(type=0/code=0) ttl=54 id=34774 iplen=28SENT (0.4490s) TCP xx.xx.xx.xx:43974 > yy.yy.yy.yy:80 A ttl=37id=62545 iplen=40 seq=2036036893 win=2048 ack=0SENT (0.4500s) TCP xx.xx.xx.xx:43974 > yy.yy.yy.yy:81 A ttl=55id=36092 iplen=40 seq=2036036893 win=4096 ack=0SENT (1.9040s) TCP xx.xx.xx.xx:43975 > yy.yy.yy.yy:81 A ttl=59id=53102 iplen=40 seq=2035971356 win=4096 ack=0SENT (1.9040s) TCP xx.xx.xx.xx:43975 > yy.yy.yy.yy:80 A ttl=37id=14615 iplen=40 seq=2035971356 win=2048 ack=0

Interesting ports on yy.yy.yy.yy:
PORT   STATE    SERVICE
80/tcp filtered http
81/tcp filtered hosts2-ns

# Nmap run completed at Thu Dec 2 11:57:43 2004 -- 1 IP address (1host up) scanned in 2.395 seconds


And that's the tcpdump capture:

11:57:40.959097 IP (tos 0x0, ttl 59, id 19541, offset 0, flags[none], length: 28) xx.xx.xx.x > yy.yy.yy.yy: icmp 8: echo request seq5612911:57:40.959442 IP (tos 0x0, ttl 57, id 14988, offset 0, flags[none], length: 40) xx.xx.xx.x.43998 > yy.yy.yy.yy.http: . [tcp sumok] ack 223377118 win 204811:57:41.047321 IP (tos 0x0, ttl 54, id 34774, offset 0, flags[none], length: 28) yy.yy.yy.yy > xx.xx.xx.x: icmp 8: echo reply seq 5612911:57:41.402439 IP (tos 0x0, ttl 37, id 62545, offset 0, flags[none], length: 40) xx.xx.xx.x.43974 > destination.http: . [tcp sumok] ack 0 win 204811:57:41.402977 IP (tos 0x0, ttl 55, id 36092, offset 0, flags[none], length: 40) xx.xx.xx.x.43974 > destination.81: . [tcp sum ok]ack 0 win 409611:57:42.857063 IP (tos 0x0, ttl 59, id 53102, offset 0, flags[none], length: 40) xx.xx.xx.x.43975 > destination.81: . [tcp sum ok]ack 0 win 409611:57:42.857583 IP (tos 0x0, ttl 37, id 14615, offset 0, flags[none], length: 40) xx.xx.xx.x.43975 > destination.http: . [tcp sumok] ack 0 win 2048


The ghost packet is the response (RST) from port 80 from

I'm doing something wrong? Any idea about?

---------------------------------------------------------------------

For help using this (nmap-dev) mailing list, send a blank email tonmap-dev-help () insecure org . List archive: http://seclists.org

Current thread:

Nmap unknown guess packets that don't receive? Listas - ISecAuditors (Dec 02)
- Re: Nmap unknown guess packets that don't receive? Martin Mačok (Dec 03)