Nmap Development mailing list archives

Re: is this normal behavior?


From: Jacek Wielemborek <d33tah () gmail com>
Date: Sun, 23 Nov 2014 14:05:30 +0100

On 23.11.2014 at 13:05, Mike . wrote:
I was simply trying to see if my router here at home supported various types of ICMP queries like most edge routers do. I ran the flags as the following:

nmap -vv -n -PE -sn  192.168.0.1  -packet-trace

Starting Nmap 6.45 ( http://nmap.org ) at 2014-11-23 05:52 Central Standard Time

Initiating ARP Ping Scan at 05:52
Scanning 192.168.0.1 [1 port]
SENT (0.1460s) ARP who-has 192.168.0.1 tell 192.168.0.16
RCVD (0.1460s) ARP reply 192.168.0.1 is-at 50:39:55:44:F5:AE
Completed ARP Ping Scan at 05:52, 0.07s elapsed (1 total hosts)
Nmap scan report for 192.168.0.1
Host is up (0.00s latency).
MAC Address: 50:39:55:44:F5:AE (Cisco Spvtg)
Read data files from: C:\Program Files\Nmap
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)

I see no ICMP being built at all, is this normal? I noticed if I set the IP to something outside the local subnet the ICMPs are sent. Newbie question here, why is this? Should they still be sent even on a local subnet? I could just PING from console, why not the same with a ping scan from nmap?

* Also, why does it say "1 port" even when I specified NO PORT SCAN? (Scanning 192.168.0.1 [1 port])

thanks!
m

Hello,

According to Nmap's man page:

Even if different ping types (such as -PE or -PS) are specified, Nmap
uses ARP instead for any of the targets which are on the same LAN. If
you absolutely don't want to do an ARP scan, specify --disable-arp-ping.

Nmap did not actually do any port scanning and only activated the host
discovery phase. Take a look at this:

Initiating ARP Ping Scan at 05:52
Scanning 192.168.0.1 [1 port]
SENT (0.1460s) ARP who-has 192.168.0.1 tell 192.168.0.16
RCVD (0.1460s) ARP reply 192.168.0.1 is-at 50:39:55:44:F5:AE
Completed ARP Ping Scan at 05:52, 0.07s elapsed (1 total hosts)

What is said there is that instead of sending an ICMP ECHO, Nmap sent an
ARP request, which is more reliable, and received one response. The [1
port] here is a rather abstract term and in this context should be
understood more as the expected number of probes we are planning to
send per IP (actually, in scan_engine.cc, we even have an expression
like log_write(LOG_STDOUT, "Scanning %s [%d port%s%s]\n", targetstr,
USI.gstats->numprobes, ...)).

By the way, this log message is rather ambiguous.

Cheers,
Jacek Wielemborek

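The decision Jacek describes (on-link targets get an ARP probe regardless of the requested ping types, unless --disable-arp-ping is given, and the "[N port]" count is the number of planned probes per IP) can be modelled in a few lines. The following is an added illustration written for this archive page, not Nmap's own code: it assumes the asker's interface is 192.168.0.16 on a /24 (the netmask is not in the thread), uses the TEST-NET address 203.0.113.5 as a constructed off-link target, and takes the default privileged-user probe set from the Nmap reference guide.

```python
import ipaddress
from typing import List, Sequence

# Constructed sample: the scanning host seen in the packet trace (192.168.0.16).
# The /24 prefix is an assumption; the thread never states the netmask.
LOCAL_IFACE = ipaddress.ip_interface("192.168.0.16/24")

# Default host-discovery probes for a privileged user with no -P option given,
# as documented in the Nmap reference guide (ICMP echo, TCP SYN 443,
# TCP ACK 80, ICMP timestamp).
DEFAULT_PROBES = ["ICMP echo", "TCP SYN 443", "TCP ACK 80", "ICMP timestamp"]


def on_same_lan(target: str, iface: ipaddress.IPv4Interface = LOCAL_IFACE) -> bool:
    """True when the target lies inside the interface's subnet, i.e. it can be
    reached by ARP on the local link instead of via the default gateway."""
    return ipaddress.ip_address(target) in iface.network


def plan_host_discovery(target: str,
                        ping_types: Sequence[str] = (),
                        disable_arp_ping: bool = False,
                        iface: ipaddress.IPv4Interface = LOCAL_IFACE) -> List[str]:
    """Return the probes host discovery would send to one target.

    Mirrors the man-page rule quoted in the reply: for targets on the same LAN
    an ARP request replaces every requested ICMP/TCP ping type unless
    --disable-arp-ping is set. Off-link targets get the requested types, or
    the documented defaults when none were requested.
    """
    if not disable_arp_ping and on_same_lan(target, iface):
        return ["ARP"]
    return list(ping_types) if ping_types else list(DEFAULT_PROBES)


def scanning_line(target: str, probes: Sequence[str]) -> str:
    """Reproduce the 'Scanning <ip> [N port(s)]' line: N is the number of
    planned probes per IP, not a count of TCP/UDP ports (hypothetical helper
    that only models the numprobes part of the log_write call quoted above)."""
    n = len(probes)
    return f"Scanning {target} [{n} port{'' if n == 1 else 's'}]"


if __name__ == "__main__":
    # The asker's exact situation: -PE against the on-link router.
    router = "192.168.0.1"
    print(scanning_line(router, plan_host_discovery(router, ["ICMP echo"])))
    # The same -PE against a constructed off-link address sends ICMP as expected.
    remote = "203.0.113.5"
    print(scanning_line(remote, plan_host_discovery(remote, ["ICMP echo"])))
    # --disable-arp-ping forces the requested ICMP echo even on the local LAN.
    print(plan_host_discovery(router, ["ICMP echo"], disable_arp_ping=True))
```

Running it prints "Scanning 192.168.0.1 [1 port]" for the router, matching the trace in the question, while the off-link target produces the ICMP echo the asker expected; with -PE and -PS80,443 requested the off-link line would read "[3 ports]", which is why the word "port" in that message is misleading.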

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
