Nmap Development mailing list archives
Re: NMAP Issue with Ping
From: David Fifield <david () bamsoftware com>
Date: Fri, 13 Nov 2009 11:12:42 -0700
On Fri, Nov 13, 2009 at 08:35:14AM -0800, Louay Saleh wrote:
> --- On Wed, 11/11/09, David Fifield <david () bamsoftware com> wrote:
>
> From: David Fifield <david () bamsoftware com>
> Subject: Re: NMAP Issue with Ping
> To: "Louay Saleh" <lsaleh77 () yahoo com>
> Cc: nmap-dev () insecure org
> Date: Wednesday, November 11, 2009, 4:56 PM
>
> On Mon, Nov 09, 2009 at 10:30:07PM -0800, Louay Saleh wrote:
> > I have a strange issue when using Nmap. I have a personal firewall.
> > When it is enabled, I always get that the target of the scanning as
> > down (although I am sure that the target is up since I did normal
> > ping from my CMD and it was replying!) and I have to use the -PN
> > switch. I thought my firewall was blocking the received packets of the
> > TCP ping, but when I tried to do a Ping scan (using the -sP switch, in
> > order to do ICMP ping), I got the same issue. If I disable my
> > firewall, everything is OK. I revised my firewall rules, but I could
> > not find anything blocking the reply from either the TCP ping and the
> > Ping scans of Nmap. It is very strange....this means that the firewall
> > blocks only the ping replies (whether TCP or ICMP) related to Nmap,
> > and allows the normal ping. This is the only conclusion I reached, but
> > why is that?
> >
> > I appreciate your help in advance.
>
> That's strange, because Nmap sends the same kind of probes that the
> ICMP ping program sends. Try running your Nmap scan again, adding the
> option "--data-length 64". Add the --packet-trace option to see what
> Nmap is sending and receiving.
>
> Nmap always does the same ping probes by default, whether you're port
> scanning or only pinging with -sP. Even without -sP Nmap will send an
> ICMP ping as one of its four host discovery probes.
>
> Thanks for your fast reply. I tried the "--data-length 64" option but I
> am still getting the same problem. By the way, I am confused a little
> bit about the last part.
>
> My understanding (and please correct me if I am wrong) is that nmap will
> do a ping scan, then a SYN stealth scan in all cases, unless you
> explicitly specify to do a -sP ping, so in that case it only does a
> ping scan; which are two probes. So, what do you mean by the 'four
> discovery probes'?

Nmap used to send two probes for host discovery, but now it sends four
because that was found to be more effective. See
http://nmap.org/book/man-host-discovery.html.

But when the target is on the same Ethernet network, Nmap uses an ARP
ping instead. It was recently discovered that some operating systems
send their ARP replies in a way that was not understood by Nmap. This
has been fixed but the fix is not yet in a released version. Do you know
the operating system of the target? I bet this is the issue.

Try running the scan with the --send-ip option. That will disable the
ARP scan and use the normal four-probe IP ping scan.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
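
Added example, not part of the original message or of Nmap itself: a small Python helper that reads saved --packet-trace output and reports, per target, which probe types were sent and whether any reply was recorded, to separate the ARP-ping case from IP probes going unanswered. The sample trace is constructed, and its line layout is an assumption modeled on Nmap's SENT/RCVD trace lines.

```python
import re
from collections import defaultdict

# Constructed sample of --packet-trace output (addresses and timings are made up).
SAMPLE_TRACE = """\
SENT (0.0450s) ARP who-has 192.168.1.10 tell 192.168.1.5
SENT (0.1460s) ARP who-has 192.168.1.10 tell 192.168.1.5
SENT (0.3100s) ICMP 192.168.1.5 > 10.0.0.7 Echo request (type=8/code=0) ttl=52 id=4711 iplen=28
SENT (0.3101s) TCP 192.168.1.5:43210 > 10.0.0.7:443 S ttl=48 id=911 iplen=44 seq=1 win=1024
SENT (0.3102s) TCP 192.168.1.5:43210 > 10.0.0.7:80 A ttl=50 id=912 iplen=40 seq=1 win=1024
RCVD (0.3300s) TCP 10.0.0.7:80 > 192.168.1.5:43210 R ttl=60 id=0 iplen=40 seq=1 win=0
"""

LINE = re.compile(r"^(SENT|RCVD) \([\d.]+s\) (ARP|ICMP|TCP|UDP) (.*)$")
ARP_REQ = re.compile(r"who-has (\S+) tell \S+")
ARP_REP = re.compile(r"reply (\S+) is-at \S+")
IP_PAIR = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?::\d+)? > (\d+\.\d+\.\d+\.\d+)(?::\d+)?")

def summarize(trace):
    """Return {target: {"sent": set of protocols, "rcvd": set of protocols}}."""
    hosts = defaultdict(lambda: {"sent": set(), "rcvd": set()})
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a packet-trace line (banner, report output, ...)
        direction, proto, rest = m.groups()
        if proto == "ARP":
            hit = (ARP_REQ if direction == "SENT" else ARP_REP).search(rest)
            target = hit.group(1) if hit else None
        else:
            hit = IP_PAIR.search(rest)
            # For SENT the target is the destination; for RCVD it is the source.
            target = hit.group(2 if direction == "SENT" else 1) if hit else None
        if target:
            hosts[target]["sent" if direction == "SENT" else "rcvd"].add(proto)
    return dict(hosts)

def diagnose(entry):
    """Map one target's summary to the next troubleshooting step."""
    if entry["rcvd"]:
        return "replies seen by Nmap"
    if entry["sent"] == {"ARP"}:
        return "ARP ping only, no reply parsed: retry with --send-ip"
    return "probes sent, nothing received: suspect local filtering"

if __name__ == "__main__":
    for host, entry in summarize(SAMPLE_TRACE).items():
        print(host, sorted(entry["sent"]), sorted(entry["rcvd"]), "->", diagnose(entry))
```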