Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Spurious closed port detection?

From: David Fifield <david () bamsoftware com>
Date: Sat, 7 Jan 2012 16:32:07 -0800
I'm seeing something strange I can't recall having seen before.
Sometimes when doing a scan with the default host discovery, port 80
appears as closed when it's really open.

$ sudo ./nmap -n -p 80 nmap.org --reason --packet-trace
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-07 16:29 PST
SENT (0.1280s) ICMP 192.168.0.21 > 74.207.254.18 Echo request (type=8/code=0) ttl=55 id=14886 iplen=28
SENT (0.1281s) TCP 192.168.0.21:53940 > 74.207.254.18:443 S ttl=59 id=23310 iplen=44  seq=3166348013 win=1024 <mss 1460>
SENT (0.1282s) TCP 192.168.0.21:53940 > 74.207.254.18:80 A ttl=59 id=35665 iplen=40  seq=0 win=1024
SENT (0.1282s) ICMP 192.168.0.21 > 74.207.254.18 Timestamp request (type=13/code=0) ttl=57 id=48480 iplen=40
RCVD (0.1405s) ICMP 74.207.254.18 > 192.168.0.21 Echo reply (type=0/code=0) ttl=53 id=45259 iplen=28
SENT (0.1439s) TCP 192.168.0.21:53940 > 74.207.254.18:80 S ttl=44 id=34733 iplen=44  seq=2633603725 win=1024 <mss 1460>
RCVD (0.1440s) TCP 74.207.254.18:80 > 192.168.0.21:53940 R ttl=53 id=0 iplen=40  seq=3166348013 win=0
Nmap scan report for nmap.org (74.207.254.18)
Host is up, received echo-reply (0.011s latency).
PORT   STATE  SERVICE REASON
80/tcp closed http    reset

This happens a minority of the time over IPv4. Perhaps 19 times out of
20 I get the expected:

$ sudo ./nmap -n -p 80 nmap.org --reason --packet-trace
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-07 16:30 PST
SENT (0.0977s) ICMP 192.168.0.21 > 74.207.254.18 Echo request (type=8/code=0) ttl=54 id=20676 iplen=28
SENT (0.0978s) TCP 192.168.0.21:48346 > 74.207.254.18:443 S ttl=44 id=41206 iplen=44  seq=3988308439 win=1024 <mss 1460>
SENT (0.0978s) TCP 192.168.0.21:48346 > 74.207.254.18:80 A ttl=37 id=34208 iplen=40  seq=0 win=1024
SENT (0.0979s) ICMP 192.168.0.21 > 74.207.254.18 Timestamp request (type=13/code=0) ttl=39 id=34619 iplen=40
RCVD (0.1098s) ICMP 74.207.254.18 > 192.168.0.21 Echo reply (type=0/code=0) ttl=53 id=45260 iplen=28
SENT (0.1624s) TCP 192.168.0.21:48346 > 74.207.254.18:80 S ttl=56 id=45554 iplen=44  seq=2651790094 win=1024 <mss 1460>
RCVD (0.1751s) TCP 74.207.254.18:80 > 192.168.0.21:48346 SA ttl=53 id=0 iplen=44  seq=3034488989 win=14600 <mss 1460>
Nmap scan report for nmap.org (74.207.254.18)
Host is up, received echo-reply (0.012s latency).
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

It happens a little more reliably over IPv6. (Through a tunnelbroker.net
tunnel.)

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: