Nmap Development mailing list archives

Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?

From: Martin Mačok <martin.macok () underground cz>
Date: Fri, 7 Jan 2005 18:18:27 +0100

On Fri, Jan 07, 2005 at 02:55:07PM +0100, Sébastien CONTRERAS wrote:

Someone as done the test on a Linux box running v3.75 ?


My nmap-3.78 -sT seems to be working well on Linux 2.4.

I also noticed that when I'm using the -sT option, NMAP displays the 
results only 10 seconds after that the last packet corresponding to the 
scan has been received (no filters are set in my Ethereal :) ).


This would indicate that nmap's connect() didn't receive the RST
packet (nor any other response) because 10s actually equals the
timeout it uses when it gets no response.

Are you sure you have no personal firewall involved? (OK, you told you
tested it on XP SP1 too, so probably not...) Could you get netcat for
Windows and check "nc -vvv destination 136" if it tells "connection
refused" immediately or "time out" too?

C:\Program Files\nmap-3.75>nmap -sT -p 135-136 
192.168.254.10 --packet_trace -vvv -dd

CONN (0.1500s) TCP localhost > 192.168.254.10:136 => Unknown error
CONN (0.1600s) TCP localhost > 192.168.254.10:135 => Unknown error
CONN (1.2610s) TCP localhost > 192.168.254.10:136 => Unknown error


This suggests that connect() returned -1 (ie. error, at least
on Unix) and WSAGetLastError() returned "Unknown error" as an
explanation(*). 

Somehow later on, the descriptor for 135/tcp connect probe has changed
when doing select() on it and
getsockopt(..,SOL_SOCKET,SO_ERROR,&optval,...) filled in &optval with
NULL which indicates success (=> port open). The descriptor for
136/tcp probe has not changed and nmap gave up after 10 seconds.

(I'm sorry, I can't help you much with Windows, it's not my OS of
choice and I don't know much about it :-( )

(*) But you should get "Strange error on from connect (Unknown error)"
    message on stderr in this case too! I can't explain why you didn't
    :-/ ... is something wrong with stderr on Windows? Or should we
    fflush(stderr) in nmap too?

Martin Mačok
ICT Security Consultant

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org

Current thread:

NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Sébastien CONTRERAS (Jan 07)
- Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Adam Jacob Muller (Jan 07)
  - Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Martin Mačok (Jan 07)
    - Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Richard Moore (Jan 07)
    - Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Martin Mačok (Jan 07)
- Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Martin Mačok (Jan 07)
  - Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Sébastien CONTRERAS (Jan 07)
    - Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Martin Mačok (Jan 07)
    - Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Sébastien CONTRERAS (Jan 10)
- <Possible follow-ups>
- Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Sébastien CONTRERAS (Jan 11)