Nmap Development mailing list archives

Re: Nmap unknown guess packets that don't receive?


From: Martin Mačok <martin.macok () underground cz>
Date: Fri, 3 Dec 2004 10:01:08 +0100

On Thu, Dec 02, 2004 at 12:45:07PM +0100, Listas - ISecAuditors wrote:

> # nmap 3.70 scan initiated Thu Dec  2 11:57:40 2004 as: nmap -sS -v -n --packet_trace -p 80-81 -oN nmap-ACK.log --scanflags ACK yy.yy.yy.yy
>
> SENT (0.0050s) ICMP xx.xx.xx.xx > yy.yy.yy.yy Echo request (type=8/code=0) ttl=59 id=19541 iplen=28
> SENT (0.0050s) TCP xx.xx.xx.xx:43998 > yy.yy.yy.yy:80 A ttl=57 id=14988 iplen=40 seq=3834672862 win=2048 ack=223377118
> RCVD (0.0060s) TCP 80.224.33.160:80 > xx.xx.xx.xx:43998 R ttl=255 id=47948 iplen=40 seq=223377118 win=0

You've sent an ACK to yy.yy.yy.yy:80 and received an RST from
80.224.33.160:80. My guess is that yy.yy.yy.yy != 80.224.33.160 (even
the TTLs are different for the RST and Echo Reply packets). The RST
probably came from a firewall host in between.

> And that's the tcpdump capture:

What was the command line used to capture this? You've probably used
a filter to see just "host yy.yy.yy.yy", haven't you? This could
explain why you didn't see the RST packet with it...

Martin Mačok
IT Security Consultant
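
The comparison made in the reply above, as an added example that is not part of the original message: it pairs each RCVD line of an `nmap --packet_trace` log with the probe it answers and reports replies whose source address is not the probed target. The trace is constructed in the thread's format with documentation addresses in place of the redacted ones, and the function names are this example's own.

```python
import re

# Constructed sample in nmap --packet_trace format; every address is a
# documentation-range placeholder, not a value from the thread.
TRACE = """\
SENT (0.0050s) ICMP 192.0.2.10 > 198.51.100.20 Echo request (type=8/code=0) ttl=59 id=19541 iplen=28
SENT (0.0050s) TCP 192.0.2.10:43998 > 198.51.100.20:80 A ttl=57 id=14988 iplen=40 seq=3834672862 win=2048 ack=223377118
RCVD (0.0060s) TCP 203.0.113.1:80 > 192.0.2.10:43998 R ttl=255 id=47948 iplen=40 seq=223377118 win=0
SENT (0.0051s) TCP 192.0.2.10:43998 > 198.51.100.20:81 A ttl=57 id=14989 iplen=40 seq=3834672862 win=2048 ack=223377118
RCVD (0.0400s) TCP 198.51.100.20:81 > 192.0.2.10:43998 R ttl=52 id=0 iplen=40 seq=223377118 win=0
"""

LINE = re.compile(r"^(SENT|RCVD) \(\S+\) TCP (\S+):(\d+) > (\S+):(\d+) (\S+) (.*)$")

def parse(trace):
    """Yield one dict per TCP line; ICMP and other lines are skipped."""
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:
            direction, src, sport, dst, dport, flags, rest = m.groups()
            fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
            yield {"dir": direction, "src": src, "sport": int(sport),
                   "dst": dst, "dport": int(dport), "flags": flags, **fields}

def mismatched_replies(trace):
    """Return replies that answer a probe (mirrored ports) from a different IP."""
    pkts = list(parse(trace))
    probes = {(p["sport"], p["dport"]): p for p in pkts if p["dir"] == "SENT"}
    out = []
    for r in (p for p in pkts if p["dir"] == "RCVD"):
        probe = probes.get((r["dport"], r["sport"]))
        if probe and r["src"] != probe["dst"]:
            out.append({
                "probed": probe["dst"], "answered_by": r["src"],
                "port": r["sport"], "reply_ttl": int(r["ttl"]),
                # An RST answering a bare ACK takes its seq from that ACK's
                # ack field (RFC 793), which ties the reply to this probe.
                "seq_matches_probe": r.get("seq") == probe.get("ack"),
            })
    return out

if __name__ == "__main__":
    for hit in mismatched_replies(TRACE):
        print(hit)
```

A capture filtered on the probed host alone would not contain the reply this reports, since its source is the other address.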
