Re: bug - scan fails first time, runs 2nd

[David Fifield <david () bamsoftware com>]

On Wed, Aug 22, 2012 at 06:05:36AM -0700, ^..^ wrote:
> Following up to my own….
>
> (Behavior on Mtn. Lion, nmap v 6.01.)
>
> It looks like nmap is doing an ARP ping scan the first time it looks at something it hasn't seen before; the -vv 
> flags show this:
>
> # nmap -vv -p 80 128.128.128.128
>
> Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-22 05:59 PDT
> Initiating ARP Ping Scan at 05:59
> Scanning 128.128.128.128 [1 port]
> Completed ARP Ping Scan at 05:59, 0.41s elapsed (1 total hosts)
> Nmap scan report for 128.128.128.128 [host down]
> Read data files from: /usr/local/bin/../share/nmap
> Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
> Nmap done: 1 IP address (0 hosts up) scanned in 0.44 seconds
>            Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
>
> sh-3.2# nmap -vv -p 80 128.128.128.128
>
> Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-22 05:59 PDT
> Initiating Ping Scan at 05:59
> Scanning 128.128.128.128 [4 ports]
> Completed Ping Scan at 05:59, 3.02s elapsed (1 total hosts)
> Nmap scan report for 128.128.128.128 [host down]
> Read data files from: /usr/local/bin/../share/nmap
> Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
> Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
>            Raw packets sent: 8 (304B) | Rcvd: 0 (0B)

Can you give us "netstat -rn" in both cases? Mac OS X can create
transient routes and this might be affecting Nmap.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/