Nmap Development mailing list archives
Re: Why does nmap send multiple probes to the same port?
From: Andreas Ericsson <ae () op5 se>
Date: Thu, 12 Jan 2006 12:33:30 +0100
Casey Williams wrote:
> On 04:37 Thu 01/12/06 Jan, Andreas Ericsson wrote:
>> Casey Williams wrote:
>>> ***pure conjecture ahead*** So I started wondering how nmap was able to be so reliable and yet SO fast (kudos!). Then I realized that it may be sending these "retry" probes to hosts that it doesn't know the status of and that it didn't get a reply from. I've been reading the nmap source and stepping through it, but I haven't verified that this is correct. Am I on the right track? If not, would this tactic be unrecommended?
>> You're missing the point a bit. The error messages mean that nmap didn't send those probes. It tried to, but the system told it there was already a connection attempt in progress.
> I'm slightly off topic since I'm talking about SYN scans instead of connect() scans, and I'm not certain how your reply would apply to these. (If it does apply to SYN scans, I apologize; I'm fairly new to this level of TCP/IP programming and I suppose I need to read more :))
It doesn't. I thought you were referring to the error messages shown above. SYN scan requires root privileges and utilizes raw sockets or raw ethernet frames. Those packets are sent anyway, so long as there's no error on the socket level.
> In my case, when I try "nmap -sS -P0..." and I sniff the traffic that gets generated from that scan,
Then you see what's actually sent. The original poster just read the debug messages output by nmap.
> I've noticed more than one probe gets sent to the same port on some of the hosts under certain circumstances. I shouldn't see these "extra" probes in the packet capture if Nmap didn't actually send them, should I?
Nopes, that's true. Or rather, you see them as soon as the kernel has made them available to the pcap interface. There's no guarantee that the packets are actually being sent over the wire (although the kernel tries to and in 99.999999% of the cases they are). The ethernet specification is a bit loose.
> Is this the expected behavior, or am I imagining things? :)
It's expected.

--
Andreas Ericsson andreas.ericsson () op5 se
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
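As an added illustration of what Casey saw in the sniffer (not code from the thread or from nmap): a small parser that walks raw IPv4/TCP packets from a capture and counts pure SYN probes per (source, destination, destination port), so ports that drew no reply and were therefore probed again stand out. The packets, addresses and ports below are constructed inline for the example; a real run would feed it packet payloads pulled from a pcap.

```python
import struct
from collections import Counter

SYN, SYNACK = 0x02, 0x12

def build_tcp(src, dst, sport, dport, flags):
    """Build a minimal IPv4 + TCP packet (checksums left zero; fine for parsing)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

# Constructed sample capture: port 80 answers with SYN/ACK, port 22 stays silent,
# so the scanner sends a second SYN to port 22 (the "extra" probe seen on the wire).
SAMPLE_PACKETS = [
    build_tcp("10.0.0.5", "10.0.0.9", 40001, 22, SYN),
    build_tcp("10.0.0.5", "10.0.0.9", 40001, 80, SYN),
    build_tcp("10.0.0.9", "10.0.0.5", 80, 40001, SYNACK),
    build_tcp("10.0.0.5", "10.0.0.9", 40001, 22, SYN),   # retry: no reply for 22
]

def parse_tcp(pkt):
    """Return (src, dst, sport, dport, flags) from a raw IPv4/TCP packet, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # not TCP, or truncated header
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]
    return src, dst, sport, dport, flags

def syn_probe_counts(packets):
    """Count pure SYNs (SYN set, ACK clear) per (src, dst, dport).
    A port that never replied shows up with a count above one."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_tcp(pkt)
        if parsed is None:
            continue
        src, dst, _sport, dport, flags = parsed
        if (flags & 0x12) == SYN:
            counts[(src, dst, dport)] += 1
    return counts

def retried_ports(packets):
    """Return the (src, dst, dport) keys that received more than one SYN probe."""
    return sorted(k for k, n in syn_probe_counts(packets).items() if n > 1)
```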