Nmap Development mailing list archives
Re: filtering out just probe packets in debugging output
From: Tom Sellers <nmap () fadedcode net>
Date: Sun, 22 Nov 2015 07:54:53 -0600
On 11/22/2015 4:49 AM, Mike . wrote:
> hello group
>
> this might be a dumb question. first off, using NMAP 7 w/ win 7. all i wanna do is look at the actual PROBE DATA/LINES ONLY instead of the full debugging socket info in a packet trace as i am scanning doing a version check (so as to see what probe activity is being sent). an example is filtering out all this except the "sending probe data" line
>
> Service scan match (Probe SSLSessionReq matched with SSLSessionReq line 11927): 192.168.0.10:443 is ssl. Version: |OpenSSL||SSLv3|
> NSOCK INFO [12.1850s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
> NSOCK INFO [12.1850s] nsock_iod_new2(): nsock_iod_new (IOD #31)
> NSOCK INFO [12.1870s] nsock_connect_ssl(): SSL connection requested to 192.168.0
>
> i thought piping | find "Service scan" would just capture the 1 line but it didn't. prob missing something here so obvious, but i'm an idiot.
>
> ty/ Mike

Mike,

The 'NSOCK INFO' text appears to be being sent out via a different output, STDERR, than the normal output, STDOUT. (Daniel, David, and others please correct me.) The easiest way to deal with this is to use the STDERR specific redirect, 2>, to throw away that data and then filter the rest.

For example:

Without redirecting STDERR:

nmap -sSV --version-trace -p80 192.168.175.5 | find "Service scan"

NSOCK INFO [2.3650s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [2.3660s] nsock_connect_tcp(): TCP connection requested to 192.168.175.5:80 (IOD #1) EID 8
NSOCK INFO [2.3710s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.175.5:80]
NSOCK INFO [2.3820s] nsock_read(): Read request from IOD #1 [192.168.175.5:80] (timeout: 6000ms) EID 18
Service scan sending probe NULL to 192.168.175.5:80 (tcp)
NSOCK INFO [8.3830s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [192.168.175.5:80]
NSOCK INFO [8.3840s] nsock_write(): Write request for 18 bytes to IOD #1 EID 27 [192.168.175.5:80]
Service scan sending probe GetRequest to 192.168.175.5:80 (tcp)
NSOCK INFO [8.3850s] nsock_read(): Read request from IOD #1 [192.168.175.5:80] (timeout: 4999ms) EID 34
NSOCK INFO [8.3870s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.175.5:80]
NSOCK INFO [8.4000s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 34 [(null):-1] (463 bytes)
NSOCK INFO [8.4000s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
Service scan match (Probe GetRequest matched with GetRequest line 9408): 192.168.175.5:80 is http. Version: |GoAhead WebServer|||
NSOCK INFO [8.4050s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [8.4100s] nsock_connect_tcp(): TCP connection requested to 192.168.175.5:80 (IOD #1) EID 8

Redirecting STDERR to 'nul':

nmap -sSV --version-trace -p80 192.168.175.5 2> nul | find "Service scan"

Service scan sending probe NULL to 192.168.175.5:80 (tcp)
Service scan sending probe GetRequest to 192.168.175.5:80 (tcp)
Service scan match (Probe GetRequest matched with GetRequest line 9408): 192.168.175.5:80 is http. Version: |GoAhead WebServer|||

You can get similar results by redirecting the nmap STDOUT output to a file, and then filtering the file.

nmap -sSV --version-trace -p80 192.168.175.5 > temp.txt && find "Service scan" temp.txt

Good luck,

Tom

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
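
Added example, not part of either post and not Nmap code: a small Python filter that goes one step past `find "Service scan"` by parsing the probe and match lines quoted in the thread into per-target records. The regular expressions, function name and record layout are assumptions based only on the line format shown above; the sample input is constructed from the thread's output.

```python
import re
import sys

# Constructed sample: mixed --version-trace output like that quoted in the
# thread, with most NSOCK lines left out.
SAMPLE = """\
NSOCK INFO [2.3660s] nsock_connect_tcp(): TCP connection requested to 192.168.175.5:80 (IOD #1) EID 8
Service scan sending probe NULL to 192.168.175.5:80 (tcp)
NSOCK INFO [8.3830s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [192.168.175.5:80]
Service scan sending probe GetRequest to 192.168.175.5:80 (tcp)
NSOCK INFO [8.4000s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
Service scan match (Probe GetRequest matched with GetRequest line 9408): 192.168.175.5:80 is http. Version: |GoAhead WebServer|||
"""

# Assumption: patterns follow the line layout shown in the thread; other Nmap
# versions may word these lines differently.
SENT = re.compile(r"^Service scan sending probe (\S+) to (\S+):(\d+) \((\w+)\)")
MATCH = re.compile(
    r"^Service scan match \(Probe (\S+) matched with (\S+) line (\d+)\):\s+"
    r"(\S+):(\d+) is (\S+?)\.\s+Version: \|(.*)\|\s*$"
)

def parse_trace(text):
    """Group probe activity by (host, port), ignoring NSOCK and other lines."""
    targets = {}
    for line in text.splitlines():
        sent = SENT.match(line)
        if sent:
            probe, host, port, _proto = sent.groups()
            entry = targets.setdefault((host, int(port)), {"sent": [], "match": None})
            entry["sent"].append(probe)
            continue
        hit = MATCH.match(line)
        if hit:
            probe, rule, lineno, host, port, service, fields = hit.groups()
            entry = targets.setdefault((host, int(port)), {"sent": [], "match": None})
            entry["match"] = {"probe": probe, "rule": rule, "line": int(lineno),
                              "service": service, "version": fields.split("|")}
    return targets

if __name__ == "__main__":
    # Reads piped Nmap output if present, otherwise parses the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (host, port), info in parse_trace(text).items():
        print(f"{host}:{port} sent={info['sent']} match={info['match']}")
```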