Nmap Development mailing list archives

Re: Why does nmap send multiple probes to the same port?

From: Richard van den Berg <richard.vandenberg () ins com>
Date: Thu, 12 Jan 2006 08:43:49 +0000

Casey Williams wrote:

In my case, when I try "nmap -sS -P0..." and I sniff the traffic that gets generated from that scan, I've noticed more 
than one probe gets sent to the same port on some of the hosts under certain  circumstances.  I shouldn't see these 
"extra" probes in the packet capture if NMap didn't actually send them should I?

If your packet sniffer sees them on the wire, they were sent for sure. 
That's the reason you are using a packet sniffer, and not relying on 
application logs. :-) I can confirm that nmap sends out retries under 
certain conditions. This is documented in the man page. I looked it up 
yesterday when I saw it happening. An easy way to reproduce this is to 
set the --host_timeout really low. Nmap will send retries until the 
first probe is responded to. You can tune the number of retries using 
--max_retries. See http://www.insecure.org/nmap/man/man-performance.html||

Sincerely,

Richard van den Berg



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev

Current thread:

Why does nmap send multiple probes to the same port? chok (Jan 11)
- Re: Why does nmap send multiple probes to the same port? Andreas Ericsson (Jan 11)
  - Re: Why does nmap send multiple probes to the same port? Casey Williams (Jan 11)
    - Re: Why does nmap send multiple probes to the same port? Andreas Ericsson (Jan 11)
    - Re: Why does nmap send multiple probes to the same port? Casey Williams (Jan 11)
    - Re: Why does nmap send multiple probes to the same port? Richard van den Berg (Jan 12)
    - Re: Why does nmap send multiple probes to the same port? Andreas Ericsson (Jan 12)
- <Possible follow-ups>
- RE: Why does nmap send multiple probes to the same port? chok (Jan 12)