RE: nmap ?

[Michael Chrisco <MChrisco () jackhenry com>]

Awesome Thanks,

I just noticed that it actually does a 2nd ARP for the ones that don’t respond? Ver 6 and 7.
Ex. if I scan /24 with 256 and get 89 host up I actually see 422 packets sent to the brodcast. So 256 the first time + 
(256-89-my own too) the second time is 166  = 422.
Guess it makes sense to double check once.


From: Daniel Miller [mailto:bonsaiviking () gmail com]
Sent: Monday, January 11, 2016 3:42 PM
To: Michael Chrisco <MChrisco () jackhenry com>
Cc: Nmap-dev <dev () nmap org>
Subject: Re: nmap ?

The e-mail below is from an external source.  Please do not open attachments or click links from an unknown or 
suspicious origin.
Michael,
Please keep dev () nmap org<mailto:dev () nmap org> CC'd on replies so that other users can see the answers. Response 
inline below:

On Mon, Jan 11, 2016 at 2:16 PM, Michael Chrisco <MChrisco () jackhenry com<mailto:MChrisco () jackhenry com>> wrote:
Thank you so much for a response.

So my original issue with udp 68 seems like a vmware issue. If you scan a guest OS the host OS responds for it on udp 
68. The –reason let me know it was the other IP that responded. I will ask vmware about that.
Try it on a VM and look at response. nmap -sU -p 68 -Pn --reason
[cid:image001.png@01D14C89.CF41C6C0]

I'm glad you got that solved. --reason is a handy option, which is why we recently enabled it for -v2 and higher.

Now since you responded the first time I have another question. I always used nmap -sn -n -Pn -PR to do a pure ARP scan 
and could verify with wire shark that ARP packets are the only thing that is transmitted. I upgraded to nmap 7.01 and 
that command doesn’t send any packets on the wire and comes back with the entire range is active/up. Ex. /24 = 256 host.

I went back to ver 6.47 and it behaves like it used to. So is this a bug? Depreciated options? Is there a new way to do 
a ARP scan with no other packets being transmitted at all?

I had forgotten about this change, r33334 [1]. Now -Pn *does* override -PR, and in fact overrides all -P* options. 
Previously, it could override them *if* it occurred "later" in the options list, so the behavior was dependent on the 
order of the options. Your command will still work if you just remove -Pn from the options list. -PR will force an ARP 
ping, and if the host is not directly connected it will show as down without any packets sent (except for a forward DNS 
lookup if necessary).
Dan

[1] https://github.com/nmap/nmap/commit/e525388f36de525225ffef8463c67a0047670542
NOTICE: This electronic mail message and any files transmitted with it are intended
exclusively for the individual or entity to which it is addressed. The message, 
together with any attachment, may contain confidential and/or privileged information.
Any unauthorized review, use, printing, saving, copying, disclosure or distribution 
is strictly prohibited. If you have received this message in error, please 
immediately advise the sender by reply email and delete all copies.

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/