Nmap Development mailing list archives

Re: Can't see nmap traffic


From: Diman Todorov <diman () xover htu tuwien ac at>
Date: Fri, 9 Nov 2007 14:41:45 +0100


On Nov 9, 2007, at 1:47 PM, Kris Katterjohn wrote:

On Nov 9, 2007 5:36 AM, Walker JWalker <j_walker2 () hotmail com> wrote:

When I scan my local network I can't see the traffic nmap generates. I've
tried both Windows XP SP2 and Backtrack 2 in VMWare, with both tcpdump and
Wireshark listening on the correct interface, with no luck. The only time
I'm able to see the packets is if I scan anything other than 192.168.1.0/24.

K:\nmap-4.20>nmap -sP 192.168.1.65/26

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-08 22:44 Eastern Standard Time
Host 192.168.1.100 appears to be up.
MAC Address: 00:00:C5:B5:94:8F (Farallon Computing/netopia)
Host 192.168.1.101 appears to be up.
Host 192.168.1.102 appears to be up.
MAC Address: 00:0C:29:7C:C9:CB (VMware)
Nmap finished: 64 IP addresses (3 hosts up) scanned in 2.328 seconds

Meanwhile an ICMP filter on both Wireshark and tcpdump shows no output.
Anyone know what could be wrong? I really need to get this fixed.


Did you always filter for ICMP?  When you're scanning a local LAN,
Nmap uses ARP packets for the ping scan as this is much more
efficient.

This is only 1/2 of the truth ;)

<cited from: http://insecure.org/nmap/man/man-host-discovery.html >
The -sP option sends an ICMP echo request and a TCP packet to port 80  
by default. When executed by an unprivileged user, only a SYN packet  
is sent (using a connect() call) to port 80 on the target. When a  
privileged user tries to scan targets on a local ethernet network, ARP  
requests (-PR) are used unless --send-ip was specified. The -sP option  
can be combined with any of the discovery probe types (the -P*  
options, excluding -PN) for greater flexibility. If any of those probe  
type and port number options are used, the default probes (ACK and  
echo request) are overridden. When strict firewalls are in place  
between the source host running Nmap and the target network, using  
those advanced techniques is recommended. Otherwise hosts could be  
missed when the firewall drops probes or their responses.
</cited>

I am not sure, but I seem to remember that on Windows machines nmap
doesn't support scan types which involve raw packets. I also think
that nmap uses raw packets for ICMP scans. Verifying these memories of
mine should be simple - I tend to rely on them, however, because I don't
see why else ICMP echo requests should be omitted when you aren't root.

cheers,
Diman


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
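The practical upshot of the quoted man page text is that the capture filter has to match the probe type Nmap actually picks for the target. The following is an added example (not code from the thread or from the Nmap project) that encodes the discovery rules quoted above for Nmap -sP and derives the tcpdump/BPF filter that would show the traffic; the interface addresses and filter strings are constructed for illustration.

```python
"""Predict Nmap -sP host-discovery probes (rules as quoted from the Nmap 4.20
man page) and build a tcpdump/BPF capture filter that will show them."""
import ipaddress

# Constructed BPF fragments for each probe type (not from the thread).
BPF = {
    "arp": "arp",
    "icmp-echo": "icmp[icmptype] = icmp-echo",
    "tcp-ack-80": "tcp dst port 80 and tcp[tcpflags] & tcp-ack != 0",
    "tcp-connect-80": "tcp dst port 80 and tcp[tcpflags] & tcp-syn != 0",
}


def discovery_probes(target_net, iface_ip, iface_prefix,
                     privileged=True, send_ip=False):
    """Return the set of probe types Nmap -sP sends against target_net.

    iface_ip/iface_prefix describe the interface of the scanning host,
    which is also where tcpdump/Wireshark are listening.
    """
    target = ipaddress.ip_network(target_net, strict=False)
    local = ipaddress.ip_network(f"{iface_ip}/{iface_prefix}", strict=False)
    if not privileged:
        # Unprivileged user: only a connect() SYN to port 80, no raw packets.
        return {"tcp-connect-80"}
    if target.subnet_of(local) and not send_ip:
        # Privileged and target on the local ethernet: ARP requests (-PR),
        # so an "icmp" display filter shows nothing at all.
        return {"arp"}
    # Privileged, off-link (or --send-ip): default ICMP echo + TCP ACK to 80.
    # Any explicit -P* option would replace this pair (not modelled here).
    return {"icmp-echo", "tcp-ack-80"}


def capture_filter(probes, src_ip):
    """Build a tcpdump filter matching the given probes sent from src_ip."""
    clauses = " or ".join(BPF[p] for p in sorted(probes))
    return f"src host {src_ip} and ({clauses})"


if __name__ == "__main__":
    # The poster's command: nmap -sP 192.168.1.65/26 from a 192.168.1.0/24 host.
    probes = discovery_probes("192.168.1.65/26", "192.168.1.50", 24)
    print(probes, "->", capture_filter(probes, "192.168.1.50"))
```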
