Nmap Development mailing list archives
RE: Nmap says Host down when actually host is up.
From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Thu, 25 Oct 2007 21:04:55 -0400
Hm. 10.10.209.18 *could be* the network address for subnet 10.10.10.209.108/30 - hosts being .109 and .110, broadcast .111 - still wouldn't explain why .2 is replying. Funny. Got the whole packet capture for this? The ICMP echo request should include the whole content of the payload section of the ICMP echo request. Can you add some payload and see what you get back ? see if it also changes the data ? I would theorized .2 has the wrong network mask for the subnet, the router for .108/30 is translating the ping to a subnet-level broadcast and .2 is replying - but using .30 implies a P2P link, not a broadcast medium w/ multiple hosts on it . . . Dario
-----Original Message----- From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Fyodor Sent: Thursday, October 25, 2007 5:23 PM To: Swapnali Cc: nmap-dev () insecure org Subject: Re: Nmap says Host down when actually host is up. On Thu, Oct 25, 2007 at 09:08:05AM -0500, Swapnali wrote:Following is verbose output. Nmap says Host 10.10.209.108 seems to be a subnet broadcast address (returned 1 extra pings) D:\>nmap -sP -vv --packet-trace 10.10.209.108 Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-2308:40 CentralDaylight Time SENT ( 0.2340s) ICMP 10.205.42.40 > 10.10.209.108 Echo request (type=8/code=0) ttl=56 id=10663 iplen=28 RCVD (0.2660s) ICMP 10.204.100.2 > 10.205.42.40 Echo reply(type=0/code=0)ttl=249 id=10663 iplen=28Are you sure this host is really up? If so, it is strange that it is replying to the ping packet from a different IP than the one the ping was sent to. I normally only see that with subnet-directed broadcast addresses, so Nmap does not treat the machine as being up unless it receives the response from the same address it sent to. It is also interesting that this target host apparently didn't reply to the port 80 request. Again, are you sure it is actually up? What OS is it running? Does anyone know if the RFC even allows a machine receiving an ICMP echo request to respond from a different IP address? I doubt that is allowed, but I'm not certain. Cheers, -F _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Nmap says Host down when actually host is up. Swapnali (Oct 22)
- Re: Nmap says Host down when actually host is up. DePriest, Jason R. (Oct 22)
- <Possible follow-ups>
- Re: Nmap says Host down when actually host is up. Swapnali (Oct 25)
- Re: Nmap says Host down when actually host is up. Fyodor (Oct 25)
- Re: Nmap says Host down when actually host is up. Kris Katterjohn (Oct 25)
- RE: Nmap says Host down when actually host is up. Dario Ciccarone (dciccaro) (Oct 25)
- Re: Nmap says Host down when actually host is up. kx (Oct 25)
- Re: Nmap says Host down when actually host is up. Brandon Enright (Oct 26)
- Re: Nmap says Host down when actually host is up. Fyodor (Oct 26)
- Re: Nmap says Host down when actually host is up. Swapnali (Oct 26)
- RE: Nmap says Host down when actually host is up. Dario Ciccarone (dciccaro) (Oct 26)
- RE: Nmap says Host down when actually host is up. Dario Ciccarone (dciccaro) (Oct 26)
- Re: Nmap says Host down when actually host is up. Fyodor (Oct 25)
- Re: Nmap says Host down when actually host is up. Kris Katterjohn (Oct 26)