Re: nmap -- UDP scanning

From: Fyodor (fyodor@insecure.org)
Date: Tue Aug 10 2004 - 14:16:58 EDT


On Tue, Aug 10, 2004 at 12:04:19PM -0000, joshnunan123@yahoo.com wrote:
>
> If the port is open, nmap sends two udp packets with a length of zero -- no data is returned.
> If the port is filtered, nmap sends a single udp packet with a length of zero -- no data is returned.

You should try adding the --packet_trace option to Nmap instead of
sniffing at the same time with TCPdump. That will show you exactly
what packets Nmap is sending and receiving. In your case, I suspect
it will show that a firewall between you and the target is sending
ICMP destination unreachable messages in response to most of the UDP
probes. Your "tcpdump targethost port" misses these because the
firewall is sending the unreachables. And "tcpdump port 123" misses them
because they are ICMP. Again, try --packet_trace instead, maybe with
-p160-170 to avoid thousands of lines of output.

Cheers,
Fyodor
http://www.insecure.org/

PS: I have spent the last couple weeks rewriting the core Nmap port
scanning engine, including the UDP scanner, to be more efficient and
offer better parallelization over concurrent hosts and ports. I hope
to release the first alpha to the nmap-dev list in the next week or
so.
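To illustrate the point about ICMP unreachables above, here is an added example (not part of the original thread, and not Nmap's own code) that reads a trace of UDP probes and their replies and derives the port state the way Fyodor describes: a UDP reply means open, ICMP port unreachable (type 3, code 3) means closed, other type 3 codes mean filtered, and silence means open|filtered. The trace lines are constructed and their layout is an assumption, loosely modelled on --packet_trace output rather than copied from it.

```python
import re
from collections import defaultdict

# Constructed sample trace; the field layout is assumed, not Nmap's exact format.
# Note the code=13 reply comes from 10.0.0.1 (a firewall), not the target, which is
# why a capture filter of "host target" or "port 123" never shows it.
SAMPLE_TRACE = """\
SENT UDP 10.0.0.5:40000 > 10.0.0.9:123 len=0
RCVD UDP 10.0.0.9:123 > 10.0.0.5:40000 len=48
SENT UDP 10.0.0.5:40000 > 10.0.0.9:161 len=0
RCVD ICMP 10.0.0.9 > 10.0.0.5 Port unreachable (type=3/code=3) for 10.0.0.9:161
SENT UDP 10.0.0.5:40000 > 10.0.0.9:162 len=0
RCVD ICMP 10.0.0.1 > 10.0.0.5 Admin prohibited (type=3/code=13) for 10.0.0.9:162
SENT UDP 10.0.0.5:40000 > 10.0.0.9:500 len=0
SENT UDP 10.0.0.5:40000 > 10.0.0.9:500 len=0
"""

SENT_RE = re.compile(r"^SENT UDP \S+ > (\S+):(\d+)")
UDP_RCVD_RE = re.compile(r"^RCVD UDP (\S+):(\d+) > ")
ICMP_RCVD_RE = re.compile(r"^RCVD ICMP .*\(type=3/code=(\d+)\) for (\S+):(\d+)")

# ICMP destination-unreachable codes that indicate a filtering device rather
# than a closed port on the host itself.
FILTERED_CODES = {1, 2, 9, 10, 13}


def classify_udp_trace(trace: str) -> dict:
    """Map each probed (host, port) to a UDP port state derived from the replies."""
    probes = defaultdict(int)  # (host, port) -> number of probes sent
    states = {}
    for line in trace.splitlines():
        m = SENT_RE.match(line)
        if m:
            probes[(m.group(1), int(m.group(2)))] += 1
            continue
        m = UDP_RCVD_RE.match(line)
        if m:  # any UDP payload back means the service answered
            states[(m.group(1), int(m.group(2)))] = "open"
            continue
        m = ICMP_RCVD_RE.match(line)
        if m:
            code = int(m.group(1))
            key = (m.group(2), int(m.group(3)))
            states[key] = "closed" if code == 3 else (
                "filtered" if code in FILTERED_CODES else "unknown")
    for key in probes:  # probed, retried, and never answered
        states.setdefault(key, "open|filtered")
    return states
```

When verifying with a sniffer instead, a filter such as `tcpdump -n 'host TARGET and (udp or icmp)'` keeps the ICMP replies that a plain `port` filter drops.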



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT