Security Basics mailing list archives

Re: Nmap/netwag problem.


From: Fyodor <fyodor () insecure org>
Date: Fri, 12 Aug 2005 15:33:36 -0700

On Thu, Aug 11, 2005 at 04:07:41PM +0100, Paul J Docherty wrote:
> the question, which was I think, "which port scanner is giving the
> correct results?" As many others have elegantly answered use a
> packet sniffer and look at the raw data to see what's going on.

Many people have given that answer, and it is a good one.  But people
should also be aware of Nmap's --packet_trace feature, which is a very
easy way to see what packets Nmap is sending and receiving.  Let's
look at a quick example:

# nmap -P0 -p80,99,113 scanme.nmap.org

Starting nmap 3.84ALPHA1 ( http://www.insecure.org/nmap/ ) at 2005-08-12 15:18 PDT
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT    STATE    SERVICE
80/tcp  open     http
99/tcp  filtered metagram
113/tcp closed   auth

Nmap finished: 1 IP address (1 host up) scanned in 1.272 seconds

Here we do a SYN scan (with no initial ping) against three ports, and
Nmap classifies them into 3 different states.  As posters to this
thread have explained, you sometimes want to know exactly _why_ Nmap
has classified them as it has.  To answer this question, simply add
--packet_trace to the command above:

# nmap -P0 --packet_trace -p80,99,113 scanme.nmap.org

Starting nmap 3.84ALPHA1 ( http://www.insecure.org/nmap/ ) at 2005-08-12 15:19 PDT
SENT (0.0120s) TCP 69.232.198.12:54012 > 205.217.153.62:113 S ttl=41 id=51165 iplen=40 seq=2511044273 win=2048
SENT (0.0120s) TCP 69.232.198.12:54012 > 205.217.153.62:80 S ttl=48 id=31631 iplen=40 seq=2511044273 win=1024
SENT (0.0160s) TCP 69.232.198.12:54012 > 205.217.153.62:99 S ttl=45 id=62221 iplen=40 seq=2511044273 win=2048
RCVD (0.0250s) TCP 205.217.153.62:113 > 69.232.198.12:54012 RA ttl=245 id=0 iplen=40 seq=0 win=0 ack=2511044274
RCVD (0.0260s) TCP 205.217.153.62:80 > 69.232.198.12:54012 SA ttl=54 id=0 iplen=44 seq=536353456 win=5840 ack=2511044274
SENT (1.1190s) TCP 69.232.198.12:54013 > 205.217.153.62:99 S ttl=48 id=24051 iplen=40 seq=2510978736 win=1024
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT    STATE    SERVICE
80/tcp  open     http
99/tcp  filtered metagram
113/tcp closed   auth

Nmap finished: 1 IP address (1 host up) scanned in 1.232 seconds

As you can see above, Nmap starts by sending a SYN probe back to each
of the three ports.  Port 113 replies with the RA (RST/ACK) flags and
thus is listed by Nmap as closed.  Port 80 returns SA (SYN/ACK) and so
is listed as open.  Port 99 does not reply, so Nmap retransmits after
1.1 seconds.  There is still no reply, so Nmap lists the port as
filtered.

I hope this helps.  3.84ALPHA1 has not been formally released, but it
offers many improvements from 3.81 and you can snag a copy from
http://seclists.org/lists/nmap-dev/2005/Jul-Sep/0041.html .  You don't
need this for --packet_trace though, as it has been around (and
steadily improving) since 2002.

Cheers,
Fyodor

