Nmap Development mailing list archives
Re: Can't see nmap traffic
From: Diman Todorov <diman () xover htu tuwien ac at>
Date: Fri, 9 Nov 2007 14:41:45 +0100
On Nov 9, 2007, at 1:47 PM, Kris Katterjohn wrote:
> On Nov 9, 2007 5:36 AM, Walker JWalker <j_walker2 () hotmail com> wrote:
> > When I scan my local network I can't see the traffic nmap generates. I've tried both Windows XP SP2 and Backtrack 2 in VMWare, and both tcpdump and Wireshark, both listening on the correct interface, with no luck. The only time I'm able to see the packets is if I scan anything other than 192.168.1.0/24.
> >
> > K:\nmap-4.20>nmap -sP 192.168.1.65/26
> >
> > Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-08 22:44 Eastern Standard Time
> > Host 192.168.1.100 appears to be up.
> > MAC Address: 00:00:C5:B5:94:8F (Farallon Computing/netopia)
> > Host 192.168.1.101 appears to be up.
> > Host 192.168.1.102 appears to be up.
> > MAC Address: 00:0C:29:7C:C9:CB (VMware)
> > Nmap finished: 64 IP addresses (3 hosts up) scanned in 2.328 seconds
> >
> > Meanwhile an ICMP filter on both Wireshark and tcpdump shows no output. Anyone know what could be wrong? I really need to get this fixed.
>
> Did you always filter for ICMP? When you're scanning a local LAN, Nmap uses ARP packets for the ping scan as this is much more efficient.
this is only 1/2 of the truth ;)

<cited from: http://insecure.org/nmap/man/man-host-discovery.html >
The -sP option sends an ICMP echo request and a TCP packet to port 80 by default. When executed by an unprivileged user, only a SYN packet is sent (using a connect() call) to port 80 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests (-PR) are used unless --send-ip was specified. The -sP option can be combined with any of the discovery probe types (the -P* options, excluding -PN) for greater flexibility. If any of those probe type and port number options are used, the default probes (ACK and echo request) are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses.
</cited>

I am not sure, but I believe I remember that on Windows machines nmap doesn't support scan types which involve raw packets. I also think that nmap uses raw packets for ICMP scans. Verifying these memories of mine should be simple - I tend to rely on them, however, because I don't see why else ICMP echo requests should be omitted when you aren't root.

cheers,
Diman

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
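
Added example, not part of the thread and not Nmap code: a small frame classifier showing why a capture filtered on ICMP stays empty during an on-link ping scan, and how the same capture reveals the ARP sweep when matched on EtherType 0x0806. The MAC, the scanner address, the off-link target 10.0.0.5 and the sweep threshold are constructed assumptions.

```python
import struct
from collections import Counter, defaultdict

ETH_ARP, ETH_IPV4, PROTO_ICMP = 0x0806, 0x0800, 1

def dotted(raw):
    return ".".join(str(b) for b in raw)

def classify(frame):
    """Return (kind, src_ip, dst_ip) for one Ethernet II frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    if ethertype == ETH_ARP and len(body) >= 28:
        oper = struct.unpack("!H", body[6:8])[0]
        kind = "arp-request" if oper == 1 else "arp-reply"
        return kind, dotted(body[14:18]), dotted(body[24:28])  # SPA, TPA
    if ethertype == ETH_IPV4 and len(body) >= 20:
        kind = "icmp" if body[9] == PROTO_ICMP else "ipv4-other"
        return kind, dotted(body[12:16]), dotted(body[16:20])
    return "other", None, None

def kinds(frames):
    """What each capture filter would see: frame count per kind."""
    return Counter(classify(f)[0] for f in frames)

def arp_sweepers(frames, threshold=16):
    """Sources that sent ARP requests for >= threshold distinct addresses."""
    asked = defaultdict(set)
    for f in frames:
        kind, src, dst = classify(f)
        if kind == "arp-request":
            asked[src].add(dst)
    return {s: len(t) for s, t in asked.items() if len(t) >= threshold}

# --- constructed sample capture (not taken from the thread) ---
MAC = bytes.fromhex("020000000001")   # made-up locally administered MAC
SRC = bytes([192, 168, 1, 101])       # assumed scanner address

def arp_request(target):
    eth = b"\xff" * 6 + MAC + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1)
    return eth + arp + MAC + SRC + b"\x00" * 6 + target

def icmp_echo(target):
    eth = b"\x02" * 6 + MAC + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, PROTO_ICMP, 0, SRC, target)
    return eth + ip + struct.pack("!BBHHH", 8, 0, 0, 0, 0)  # checksums left 0

# 64 ARP probes for 192.168.1.64-127 (the /26 scanned above), 1 off-link echo
SAMPLE = [arp_request(bytes([192, 168, 1, h])) for h in range(64, 128)]
SAMPLE.append(icmp_echo(bytes([10, 0, 0, 5])))

if __name__ == "__main__":
    print(dict(kinds(SAMPLE)), arp_sweepers(SAMPLE))
```

A capture filter of `arp or icmp` in tcpdump or Wireshark covers both cases the thread discusses.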