Re: nmap ?

[Daniel Miller <bonsaiviking () gmail com>]

Michael,

Thanks for your interest in Nmap. I'll try to answer your questions as I
understand them.

Why does nmap show UDP port 68 as closed filtered when you scan a device
> that has all ports firewalled?

I'm not sure what you mean by "closed filtered," but you can use the
--reason option to show a short description of why Nmap decided on a
particular state for a port. I'd guess what you are seeing is
"open|filtered" which means no response was received. This can be because
the port is open and does not respond to the empty packet Nmap sent, or
because the host is firewalled and is dropping packets to that port.


> It does an ARP so it knows a device is there but then it treats not
> getting a response back for 68 different than all the others.
>
> A scan of a network with –sU –p 68 –Pn basically shows the same host #
> results as an ARP scan of –sn –n –Pn –PR.

Nmap does an ARP scan for host discovery any time it is possible, because
it is the fastest and most complete method of host discovery on
Ethernet-style networks. This overrides all other host discovery options,
even the -Pn option. If you *really* want to do something different you can
use the --disable-arp-ping option.


> Why does nmap show a list of all the ports closed if the range of port to
> be scanned is less than 25 for TCP and UDP?
>
> -p 50-74 shows the list, -p 50-75 does not.

To save space, Nmap sometimes chooses to "roll up" or condense certain
"uninteresting" port states into a single statement like "Not shown: 26
closed ports." The code for this decision is in portlist.cc in the
PortList::isIgnoredState function. Without the -v or -d options, 25 is the
cutoff number for a state being condensed like this.

Dan

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/