Nmap Development mailing list archives
Why does nmap send multiple probes to the same port?
From: chok () chokmah org
Date: Wed, 11 Jan 2006 17:19:35 -0500
I am having trouble with nmap sending multiple probes to the same port to the same target. Because of this, a scan of all ports takes many days instead of an hour or two. I am using nmap version 3.81 on debian 3.1 (sarge). Here is what the scan looks like: # nmap -sT -P0 -p 1-65535 --packet_trace 192.0.2.1 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-01-06 09:47 CST CONN (0.3610s) TCP localhost > 192.0.2.1:21 => Operation now in progress CONN (0.3610s) TCP localhost > 192.0.2.1:636 => Operation now in progress CONN (0.3610s) TCP localhost > 192.0.2.1:25 => Operation now in progress CONN (0.3610s) TCP localhost > 192.0.2.1:1723 => Operation now in progress CONN (0.3610s) TCP localhost > 192.0.2.1:389 => Operation now in progress CONN (0.3610s) TCP localhost > 192.0.2.1:53 => Operation now in progress CONN (0.3610s) TCP localhost > 192.0.2.1:256 => Operation now in progress CONN (0.3610s) TCP localhost > 192.0.2.1:443 => Operation now in progress CONN (0.3610s) TCP localhost > 192.0.2.1:3389 => Operation now in progress CONN (0.3610s) TCP localhost > 192.0.2.1:22 => Operation now in progress CONN (1.5020s) TCP localhost > 192.0.2.1:22 => Operation now in progress CONN (1.5020s) TCP localhost > 192.0.2.1:3389 => Operation now in progress CONN (1.5020s) TCP localhost > 192.0.2.1:443 => Operation now in progress CONN (1.5020s) TCP localhost > 192.0.2.1:256 => Operation now in progress CONN (1.5020s) TCP localhost > 192.0.2.1:53 => Operation now in progress CONN (1.5020s) TCP localhost > 192.0.2.1:389 => Operation now in progress CONN (1.5020s) TCP localhost > 192.0.2.1:1723 => Operation now in progress CONN (1.5020s) TCP localhost > 192.0.2.1:636 => Operation now in progress CONN (1.5020s) TCP localhost > 192.0.2.1:113 => Operation now in progress CONN (1.5020s) TCP localhost > 192.0.2.1:23 => Operation now in progress CONN (1.5020s) TCP localhost > 192.0.2.1:554 => Operation now in progress CONN (1.5020s) TCP localhost > 192.0.2.1:80 => Operation now in progress CONN (1.6020s) TCP localhost > 192.0.2.1:23 => Operation now in progress CONN (1.6020s) TCP localhost > 192.0.2.1:554 => Operation now in progress CONN (2.7020s) TCP localhost > 192.0.2.1:554 => Operation now in progress CONN (2.7020s) TCP localhost > 192.0.2.1:23 => Operation now in progress CONN (3.8120s) TCP localhost > 192.0.2.1:23 => Operation now in progress CONN (3.8430s) TCP localhost > 192.0.2.1:113 => Operation now in progress CONN (3.9520s) TCP localhost > 192.0.2.1:113 => Operation now in progress CONN (4.0510s) TCP localhost > 192.0.2.1:113 => Operation now in progress CONN (5.1620s) TCP localhost > 192.0.2.1:113 => Operation now in progress CONN (5.1920s) TCP localhost > 192.0.2.1:636 => Operation now in progress CONN (5.2920s) TCP localhost > 192.0.2.1:636 => Operation now in progress CONN (5.3920s) TCP localhost > 192.0.2.1:636 => Operation now in progress CONN (6.5020s) TCP localhost > 192.0.2.1:636 => Operation now in progress CONN (6.5320s) TCP localhost > 192.0.2.1:1723 => Operation now in progress CONN (6.6320s) TCP localhost > 192.0.2.1:1723 => Operation now in progress CONN (6.7320s) TCP localhost > 192.0.2.1:1723 => Operation now in progress CONN (6.8320s) TCP localhost > 192.0.2.1:1723 => Operation now in progress The IP address has been changed for privacy. I have seen as many as seven probes per port after running for a while. This scan is running over the Internet and the box running nmap has a public IP and is directly connected to the Internet without any kind of filtering on my end. The target end goes through a PIX and ports 25 and 80 are PATted through to a server on the inside and packets to all other ports should be dropped. I have looked at the packets on the wire and for every port except for 25 and 80 there is no response. I suppose this is a feature and nmap is doing this on purpose, but I don't understand why. Does anyone know why it is sending multiple probes like this and how I can get it to just send a single probe for each port? chok _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Current thread:
- Why does nmap send multiple probes to the same port? chok (Jan 11)
- Re: Why does nmap send multiple probes to the same port? Andreas Ericsson (Jan 11)
- Re: Why does nmap send multiple probes to the same port? Casey Williams (Jan 11)
- Re: Why does nmap send multiple probes to the same port? Andreas Ericsson (Jan 11)
- Re: Why does nmap send multiple probes to the same port? Casey Williams (Jan 11)
- Re: Why does nmap send multiple probes to the same port? Richard van den Berg (Jan 12)
- Re: Why does nmap send multiple probes to the same port? Andreas Ericsson (Jan 12)
- Re: Why does nmap send multiple probes to the same port? Casey Williams (Jan 11)
- Re: Why does nmap send multiple probes to the same port? Andreas Ericsson (Jan 11)
- <Possible follow-ups>
- RE: Why does nmap send multiple probes to the same port? chok (Jan 12)