Nmap Development mailing list archives

Bug report? nmap seems to sometimes omit results for no apparent reason...


From: Peter Valdemar Mørch <peter () morch com>
Date: Mon, 24 Aug 2015 04:43:21 +0200

Hi,

Periodically, we issue

nmap -oG - -PE --send-ip -sU -p 161 -iL <file>

We see that the list of hosts discovered varies quite a bit from run to run.
I've started a tshark/wireshark trace focussing on a particular host, and I
can't see the difference between scans where a particular host is included
and those where the host is omitted.

When it is included, it first does an ICMP ping that succeeds, then an
ARP(?), followed by a bogus SNMPv3 request. When omitted, an ICMP ping that
succeeds, then an ARP(?). But no SNMPv3 request. I don't see why not. (When
nmap reports a particular host as supporting SNMP, our application does an
SNMPv2 get on sysName.0 and 3 other OIDs - so that isn't from nmap).

Can anybody see why nmap decides not to report some hosts sometimes?

Sincerely,

Peter

********************
Details:
********************

https://gist.github.com/pmorch/95d240ade96228468ed2 is a github gist
containing:

* included-13:25:06.nmap.txt
* omitted-13:30:06.nmap.txt
* host172.22.216.18.pcap

An nmap is run every 5 minutes using params like above. We've focused on
172.22.216.18, which is omitted from the results ca. once or twice every 24
hours using

The hosts are scanned using an -iL <file> containing a list of IPs
corresponding to 172.22.216.0/24

included-13:25:06.nmap.txt shows a run where 172.22.216.18 was included and
5 minutes later omitted-13:30:06.nmap.txt shows a run where it was omitted.

As can be seen from the difference between included-*.txt and
omitted-*.txt, the lists of hosts that are reported differ significantly
between runs, even though the scans were done on a Sunday, and I'm quite
sure nobody was messing with network settings during the weekend. I did,
however, only focus on a single host in my analysis.

The tshark was run like so: tshark -w host172.22.216.18.pcap -f host
172.22.216.18.

This is all done on a local ethernet network.
-- 
Peter Valdemar Mørch
http://www.morch.com
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
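The post compares two -oG (grepable) runs by hand. As an added example that is not part of the original message and not nmap's own code, the script below parses grepable output and reports which hosts were dropped, added or changed state for 161/udp between two runs, which is the comparison the poster is doing across included-*.txt and omitted-*.txt. The two runs embedded in it are constructed sample output in the -oG layout (one "Host: ... Status: Up" line and one "Host: ... Ports: ..." line per reported host, fields separated by tabs); the addresses and states are made up for illustration and are not from the gist.

```python
"""Diff the host lists of two nmap grepable (-oG) runs.

Added example: not from the original post and not part of nmap.  The two
runs below are constructed sample output in the format that
    nmap -oG - -PE --send-ip -sU -p 161 -iL <file>
emits; addresses and states are invented for illustration.
"""
import re

# Constructed sample: run A reports three hosts up, 172.22.216.18 among them.
RUN_A = """\
# (constructed) run A
Host: 172.22.216.1 ()\tStatus: Up
Host: 172.22.216.1 ()\tPorts: 161/open/udp//snmp///
Host: 172.22.216.18 ()\tStatus: Up
Host: 172.22.216.18 ()\tPorts: 161/open/udp//snmp///
Host: 172.22.216.40 ()\tStatus: Up
Host: 172.22.216.40 ()\tPorts: 161/open|filtered/udp//snmp///
"""

# Constructed sample: run B five minutes later omits 172.22.216.18 entirely
# and reports a host that was not in run A.
RUN_B = """\
# (constructed) run B
Host: 172.22.216.1 ()\tStatus: Up
Host: 172.22.216.1 ()\tPorts: 161/open/udp//snmp///
Host: 172.22.216.40 ()\tStatus: Up
Host: 172.22.216.40 ()\tPorts: 161/open|filtered/udp//snmp///
Host: 172.22.216.57 ()\tStatus: Up
Host: 172.22.216.57 ()\tPorts: 161/closed/udp//snmp///
"""

# "Host: <ip> (<hostname>)<tab><field>: <value>[<tab><field>: <value>...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+(.*)$")
# Each port entry looks like "161/open|filtered/udp//snmp///"; the state
# itself never contains a slash, so [^/]+ is safe for "open|filtered".
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp|sctp)/")


def parse_grepable(text):
    """Return {ip: {"status": str|None, "ports": {(port, proto): state}}}."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue  # comment/header lines carry no host data
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"status": None, "ports": {}})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value.strip()
            elif key == "Ports":
                for port, state, proto in PORT_RE.findall(value):
                    entry["ports"][(int(port), proto)] = state
    return hosts


def diff_runs(old_text, new_text, port=161, proto="udp"):
    """Compare two -oG runs for one port.

    Returns (dropped, added, changed):
      dropped: ip -> state in the old run, for hosts missing from the new run
      added:   ip -> state in the new run, for hosts missing from the old run
      changed: ip -> (old_state, new_state) where the port state differs
    """
    old = parse_grepable(old_text)
    new = parse_grepable(new_text)
    key = (port, proto)
    dropped = {ip: old[ip]["ports"].get(key, "no port line")
               for ip in old if ip not in new}
    added = {ip: new[ip]["ports"].get(key, "no port line")
             for ip in new if ip not in old}
    changed = {ip: (old[ip]["ports"].get(key), new[ip]["ports"].get(key))
               for ip in old if ip in new
               and old[ip]["ports"].get(key) != new[ip]["ports"].get(key)}
    return dropped, added, changed


if __name__ == "__main__":
    dropped, added, changed = diff_runs(RUN_A, RUN_B)
    for ip, state in sorted(dropped.items()):
        print(f"dropped {ip} (was {state})")
    for ip, state in sorted(added.items()):
        print(f"added   {ip} (now {state})")
    for ip, (before, after) in sorted(changed.items()):
        print(f"changed {ip}: {before} -> {after}")
```

To use it on real captures, read each archived -oG file into a string and pass the two strings to diff_runs; running it every five minutes alongside the scan and keeping the "dropped" set gives a log of exactly which hosts fell out of which run, which is easier to correlate with a pcap than eyeballing two full listings.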
