Nmap Development mailing list archives
Re: is this normal behavior?
From: Jacek Wielemborek <d33tah () gmail com>
Date: Sun, 23 Nov 2014 14:05:30 +0100
On 23.11.2014 at 13:05, Mike . wrote:

> I was simply trying to see if my router here at home supported various types of ICMP queries like most edge routers do. I ran the flags as the following:
>
>     nmap -vv -n -PE -sn 192.168.0.1 -packet-trace
>
>     Starting Nmap 6.45 ( http://nmap.org ) at 2014-11-23 05:52 Central Standard Time
>     Initiating ARP Ping Scan at 05:52
>     Scanning 192.168.0.1 [1 port]
>     SENT (0.1460s) ARP who-has 192.168.0.1 tell 192.168.0.16
>     RCVD (0.1460s) ARP reply 192.168.0.1 is-at 50:39:55:44:F5:AE
>     Completed ARP Ping Scan at 05:52, 0.07s elapsed (1 total hosts)
>     Nmap scan report for 192.168.0.1
>     Host is up (0.00s latency).
>     MAC Address: 50:39:55:44:F5:AE (Cisco Spvtg)
>     Read data files from: C:\Program Files\Nmap
>     Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
>                Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
>
> I see no ICMP being built at all. Is this normal? I noticed that if I set the IP to something outside the local subnet, the ICMPs are sent. Newbie question here: why is this? Should they still be sent even on a local subnet? I could just PING from the console, why not the same with a ping scan from nmap?
>
> * Also, why does it say "1 port" even when I specified NO PORT SCAN? (Scanning 192.168.0.1 [1 port])
>
> thanks!
> m
Hello,

According to Nmap's man page:

    Even if different ping types (such as -PE or -PS) are specified, Nmap uses ARP instead for any of the targets which are on the same LAN. If you absolutely don't want to do an ARP scan, specify --disable-arp-ping.

Nmap did not actually do any port scanning and only activated the host discovery phase. Take a look at this:

    Initiating ARP Ping Scan at 05:52
    Scanning 192.168.0.1 [1 port]
    SENT (0.1460s) ARP who-has 192.168.0.1 tell 192.168.0.16
    RCVD (0.1460s) ARP reply 192.168.0.1 is-at 50:39:55:44:F5:AE
    Completed ARP Ping Scan at 05:52, 0.07s elapsed (1 total hosts)

What is said there is that instead of sending an ICMP ECHO, Nmap sent an ARP request, which is more reliable, and received one response. The "[1 port]" here is a rather abstract term and in this context should be understood more as the expected number of probes we are planning to send per IP (actually, in scan_engine.cc, we even have an expression like `log_write(LOG_STDOUT, "Scanning %s [%d port%s%s]\n", targetstr, USI.gstats->numprobes, ...)`). By the way, this log message is rather ambiguous.

Cheers,
Jacek Wielemborek
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
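The behaviour Jacek describes (an on-link target gets an ARP probe regardless of the -P* options unless --disable-arp-ping is given, while an off-link target gets the requested ICMP/TCP/UDP probes) can be reproduced and checked against a --packet-trace transcript. The following is an added example, not code from the thread or from Nmap itself. It simplifies Nmap's "same LAN" decision to "the target falls inside the scanning interface's directly connected subnet" (Nmap really consults the routing table), and the ICMP trace line used as sample input is constructed, not captured.

```python
"""Predict Nmap's host-discovery probe for a target and summarise a
--packet-trace transcript by protocol.  Added example; the 'same LAN'
test is a simplification of Nmap's route lookup (assumption)."""
import ipaddress
import re
from collections import Counter

# Host-discovery options and the probe each one produces for off-link targets.
PING_TYPE_NAMES = {
    "-PE": "ICMP echo",
    "-PP": "ICMP timestamp",
    "-PM": "ICMP address mask",
    "-PS": "TCP SYN",
    "-PA": "TCP ACK",
    "-PU": "UDP",
}


def discovery_probes(target, iface_cidr, ping_types=("-PE",), disable_arp_ping=False):
    """Return the list of probe types Nmap would send to `target`.

    iface_cidr is the scanning interface's address with prefix length,
    e.g. '192.168.0.16/24'.  If the target is on that subnet (assumed to
    mean 'same LAN' here) and ARP ping is not disabled, ARP replaces every
    requested ping type, which is what the man page excerpt states.
    """
    iface = ipaddress.ip_interface(iface_cidr)
    tgt = ipaddress.ip_address(target)
    if tgt in iface.network and not disable_arp_ping:
        return ["ARP"]
    unknown = [p for p in ping_types if p not in PING_TYPE_NAMES]
    if unknown:
        raise ValueError("unsupported ping type(s): %s" % ", ".join(unknown))
    return [PING_TYPE_NAMES[p] for p in ping_types]


# Packet-trace lines start with the direction, a timestamp and the protocol.
_TRACE_LINE = re.compile(r"^(SENT|RCVD)\s+\(([\d.]+)s\)\s+(\S+)")


def summarize_packet_trace(trace_text):
    """Count probes per direction and protocol in --packet-trace output.

    Returns e.g. {'SENT': {'ARP': 1}, 'RCVD': {'ARP': 1}}.  Lines that are
    not SENT/RCVD records (banners, per-host reports) are ignored.
    """
    counts = {"SENT": Counter(), "RCVD": Counter()}
    for line in trace_text.splitlines():
        m = _TRACE_LINE.match(line.strip())
        if m:
            direction, _ts, proto = m.groups()
            counts[direction][proto] += 1
    return {d: dict(c) for d, c in counts.items()}


# The transcript from the original post: one ARP request, one ARP reply, no ICMP.
ORIGINAL_TRACE = """\
Initiating ARP Ping Scan at 05:52
Scanning 192.168.0.1 [1 port]
SENT (0.1460s) ARP who-has 192.168.0.1 tell 192.168.0.16
RCVD (0.1460s) ARP reply 192.168.0.1 is-at 50:39:55:44:F5:AE
Completed ARP Ping Scan at 05:52, 0.07s elapsed (1 total hosts)
"""

# Constructed sample of what an off-link -PE run looks like (not a real capture).
OFFLINK_TRACE = """\
SENT (0.0210s) ICMP [192.168.0.16 > 198.51.100.7 Echo request (type=8/code=0) id=1234 seq=0] IP [ttl=42 id=7 iplen=28 ]
RCVD (0.0420s) ICMP [198.51.100.7 > 192.168.0.16 Echo reply (type=0/code=0) id=1234 seq=0] IP [ttl=55 id=9 iplen=28 ]
"""

if __name__ == "__main__":
    print(discovery_probes("192.168.0.1", "192.168.0.16/24"))
    print(discovery_probes("192.168.0.1", "192.168.0.16/24", disable_arp_ping=True))
    print(discovery_probes("198.51.100.7", "192.168.0.16/24", ("-PE", "-PS")))
    print(summarize_packet_trace(ORIGINAL_TRACE))
    print(summarize_packet_trace(OFFLINK_TRACE))
```

Running the summary over Mike's transcript yields one ARP SENT and one ARP RCVD and no ICMP at all, which is exactly the "is this normal?" observation; the predictor returns "ARP" for 192.168.0.1 and falls back to "ICMP echo" only when --disable-arp-ping is modelled or the target is off-link.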
Current thread:
- is this normal behavior? Mike . (Nov 23)
- Re: is this normal behavior? Jacek Wielemborek (Nov 23)