nmap sees itself doing an UDP scan on the local host

[Ward Vandewege <ward.vandewege () gmail com>]

Hi there,

I'm seeing something odd doing a udp scan of local IP addresses (can be
127.0.0.1 <http://127.0.0.1>, or any locally defined IP).

Try this, for instance:

nmap 127.0.0.1 <http://127.0.0.1> -sV -sU -p 1-65535

If you're on Linux (as I am - Debian Sarge), the kernel throttling will not
kick in since you're scanning a local IP. This run gives as results (e.g.):

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-09 03:21 CET
Interesting ports on io (127.0.0.1 <http://127.0.0.1>):
(The 65532 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
53/udp open|filtered domain
514/udp open|filtered syslog
49268/udp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 62.615 seconds

The syslog and dns ports are normal. What's odd is the high 'open' port.
Running nmap multiple times always returns 53 and 514, and each time a
different (high) third port.

So I ran a tcpdump while doing the above scan:

tcpdump -i lo -n udp

And this is what I saw:

...
03:21:58.249825 IP 127.0.0.1.49268 > 127.0.0.1.34723: UDP, length: 0
03:21:58.249978 IP 127.0.0.1.49268 > 127.0.0.1.14722: UDP, length: 0
03:21:58.250101 IP 127.0.0.1.49268 > 127.0.0.1.43886: UDP, length: 0
03:21:58.250236 IP 127.0.0.1.49268 > 127.0.0.1.16476: UDP, length: 0
...

As you can see, nmap sees itself in the udp scan!

Now; I may be missing something. I googled, read man pages, etc, and could
not find any references to this behaviour. Is there a way to stop nmap from
seeing itself doing a local UDP scan? That would be very useful, as it
currently messes up my automated nmap scans that check for new ports...

I'm running nmap from the stock Sarge nmap package.

Thanks,
Ward.


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev