Nmap Development mailing list archives
Spurious closed port detection?
From: David Fifield <david () bamsoftware com>
Date: Sat, 7 Jan 2012 16:32:07 -0800
I'm seeing something strange I can't recall having seen before. Sometimes when doing a scan with the default host discovery, port 80 appears as closed when it's really open.

$ sudo ./nmap -n -p 80 nmap.org --reason --packet-trace

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-07 16:29 PST
SENT (0.1280s) ICMP 192.168.0.21 > 74.207.254.18 Echo request (type=8/code=0) ttl=55 id=14886 iplen=28
SENT (0.1281s) TCP 192.168.0.21:53940 > 74.207.254.18:443 S ttl=59 id=23310 iplen=44 seq=3166348013 win=1024 <mss 1460>
SENT (0.1282s) TCP 192.168.0.21:53940 > 74.207.254.18:80 A ttl=59 id=35665 iplen=40 seq=0 win=1024
SENT (0.1282s) ICMP 192.168.0.21 > 74.207.254.18 Timestamp request (type=13/code=0) ttl=57 id=48480 iplen=40
RCVD (0.1405s) ICMP 74.207.254.18 > 192.168.0.21 Echo reply (type=0/code=0) ttl=53 id=45259 iplen=28
SENT (0.1439s) TCP 192.168.0.21:53940 > 74.207.254.18:80 S ttl=44 id=34733 iplen=44 seq=2633603725 win=1024 <mss 1460>
RCVD (0.1440s) TCP 74.207.254.18:80 > 192.168.0.21:53940 R ttl=53 id=0 iplen=40 seq=3166348013 win=0
Nmap scan report for nmap.org (74.207.254.18)
Host is up, received echo-reply (0.011s latency).
PORT   STATE  SERVICE REASON
80/tcp closed http    reset

This happens a minority of the time over IPv4. Perhaps 19 times out of 20 I get the expected:

$ sudo ./nmap -n -p 80 nmap.org --reason --packet-trace

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-07 16:30 PST
SENT (0.0977s) ICMP 192.168.0.21 > 74.207.254.18 Echo request (type=8/code=0) ttl=54 id=20676 iplen=28
SENT (0.0978s) TCP 192.168.0.21:48346 > 74.207.254.18:443 S ttl=44 id=41206 iplen=44 seq=3988308439 win=1024 <mss 1460>
SENT (0.0978s) TCP 192.168.0.21:48346 > 74.207.254.18:80 A ttl=37 id=34208 iplen=40 seq=0 win=1024
SENT (0.0979s) ICMP 192.168.0.21 > 74.207.254.18 Timestamp request (type=13/code=0) ttl=39 id=34619 iplen=40
RCVD (0.1098s) ICMP 74.207.254.18 > 192.168.0.21 Echo reply (type=0/code=0) ttl=53 id=45260 iplen=28
SENT (0.1624s) TCP 192.168.0.21:48346 > 74.207.254.18:80 S ttl=56 id=45554 iplen=44 seq=2651790094 win=1024 <mss 1460>
RCVD (0.1751s) TCP 74.207.254.18:80 > 192.168.0.21:48346 SA ttl=53 id=0 iplen=44 seq=3034488989 win=14600 <mss 1460>
Nmap scan report for nmap.org (74.207.254.18)
Host is up, received echo-reply (0.012s latency).
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

It happens a little more reliably over IPv6. (Through a tunnelbroker.net tunnel.)

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/