Nmap Development mailing list archives

Re: filtering out just probe packets in debugging output


From: Tom Sellers <nmap () fadedcode net>
Date: Sun, 22 Nov 2015 07:54:53 -0600

On 11/22/2015 4:49 AM, Mike . wrote:
hello group


this might be a dumb question. first off, using NMAP 7 w/ win 7. all i wanna do is look at the actual PROBE DATA/LINES ONLY instead of the full debugging socket info in a packet trace as i am scanning doing a version check (so as to see what probe activity is being sent). an example is filtering out all this except the "sending probe data" line


Service scan match (Probe SSLSessionReq matched with SSLSessionReq line 11927): 192.168.0.10:443 is ssl.  Version: |OpenSSL||SSLv3|
NSOCK INFO [12.1850s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
NSOCK INFO [12.1850s] nsock_iod_new2(): nsock_iod_new (IOD #31)
NSOCK INFO [12.1870s] nsock_connect_ssl(): SSL connection requested to 192.168.0


i thought piping | find "Service scan" would just capture the 1 line but it didn't. prob missing something here so obvious, but i'm an idiot.


ty/ Mike


Mike,

  The 'NSOCK INFO' text appears to be being sent out via a different output, STDERR, than the normal output, STDOUT. (Daniel, David, and others please correct me).

The easiest way to deal with this is to use the STDERR specific redirect, 2>, to throw away that data and then filter the rest. For example:

Without redirecting STDERR:

nmap -sSV --version-trace -p80 192.168.175.5 | find "Service scan"

NSOCK INFO [2.3650s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [2.3660s] nsock_connect_tcp(): TCP connection requested to 192.168.175.5:80 (IOD #1) EID 8
NSOCK INFO [2.3710s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.175.5:80]
NSOCK INFO [2.3820s] nsock_read(): Read request from IOD #1 [192.168.175.5:80] (timeout: 6000ms) EID 18
Service scan sending probe NULL to 192.168.175.5:80 (tcp)
NSOCK INFO [8.3830s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [192.168.175.5:80]
NSOCK INFO [8.3840s] nsock_write(): Write request for 18 bytes to IOD #1 EID 27 [192.168.175.5:80]
Service scan sending probe GetRequest to 192.168.175.5:80 (tcp)
NSOCK INFO [8.3850s] nsock_read(): Read request from IOD #1 [192.168.175.5:80] (timeout: 4999ms) EID 34
NSOCK INFO [8.3870s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.175.5:80]
NSOCK INFO [8.4000s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 34 [(null):-1] (463 bytes)
NSOCK INFO [8.4000s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
Service scan match (Probe GetRequest matched with GetRequest line 9408): 192.168.175.5:80 is http.  Version: |GoAhead WebServer|||
NSOCK INFO [8.4050s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [8.4100s] nsock_connect_tcp(): TCP connection requested to 192.168.175.5:80 (IOD #1) EID 8


Redirecting STDERR to 'nul':

nmap -sSV --version-trace -p80 192.168.175.5 2> nul | find "Service scan"

Service scan sending probe NULL to 192.168.175.5:80 (tcp)
Service scan sending probe GetRequest to 192.168.175.5:80 (tcp)
Service scan match (Probe GetRequest matched with GetRequest line 9408): 192.168.175.5:80 is http.  Version: |GoAhead WebServer|||



You can get similar results by redirecting the nmap STDOUT output to a file, and then filtering the file.

nmap -sSV --version-trace -p80 192.168.175.5 > temp.txt &&  find "Service scan" temp.txt


Good luck,

Tom

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
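
An added example (not part of the message above and not Nmap's own code): instead of discarding one stream and grepping, a captured trace can be parsed into ordered probe/match events. The regexes follow the "Service scan" line shapes quoted in this thread; the function names and the product/version/info naming of the three Version fields are assumptions.

```python
import re

# Line shapes taken from the --version-trace output quoted in this thread.
PROBE_RE = re.compile(
    r"^Service scan sending probe (?P<probe>\S+) to (?P<host>\S+):(?P<port>\d+) \((?P<proto>\w+)\)$")
MATCH_RE = re.compile(
    r"^Service scan match \(Probe (?P<probe>\S+) matched with (?P<matched>\S+) line (?P<line>\d+)\): "
    r"(?P<host>\S+):(?P<port>\d+) is (?P<service>\S+)\.\s+Version: \|(?P<fields>.*)\|$")

# Constructed sample: lines copied from the thread, unwrapped, both streams merged.
SAMPLE = """\
NSOCK INFO [2.3650s] nsock_iod_new2(): nsock_iod_new (IOD #1)
Service scan sending probe NULL to 192.168.175.5:80 (tcp)
NSOCK INFO [8.3830s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [192.168.175.5:80]
Service scan sending probe GetRequest to 192.168.175.5:80 (tcp)
NSOCK INFO [8.4000s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
Service scan match (Probe GetRequest matched with GetRequest line 9408): 192.168.175.5:80 is http.  Version: |GoAhead WebServer|||
"""

def parse_trace(text):
    """Return probe/match events in order; NSOCK and other lines are dropped."""
    events = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PROBE_RE.match(line)
        if m:
            events.append({"event": "probe", "probe": m["probe"], "host": m["host"],
                           "port": int(m["port"]), "proto": m["proto"]})
            continue
        m = MATCH_RE.match(line)
        if m:
            # Assumed field order inside |..|..|..|: product, version, info.
            product, version, info = (m["fields"].split("|") + ["", "", ""])[:3]
            events.append({"event": "match", "probe": m["probe"], "host": m["host"],
                           "port": int(m["port"]), "service": m["service"],
                           "product": product, "version": version, "info": info,
                           "line": int(m["line"])})
    return events

def probes_per_target(events):
    """Map (host, port) -> ordered list of probe names sent to it."""
    out = {}
    for e in events:
        if e["event"] == "probe":
            out.setdefault((e["host"], e["port"]), []).append(e["probe"])
    return out

if __name__ == "__main__":
    for e in parse_trace(SAMPLE):
        print(e)
```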

