
I scanned a subnet (16 hosts) while dumping the network traffic with Wireshark. I did it 2 times and I noticed that in the traffic there is the normal SYN-SYN/ACK and SYN-RST from open/closed ports, but also there are thousands of SYN-SYN/ACK (and ACK for closing connections) from a specific port (first scan was port 111, second scan was port 22).

Why is nmap opening all these connections to the same port on multiple hosts multiple times?

The length of the packet is always the same: 78.

Thanks,

Filippo

edit: the command I ran was:

nmap -vv -P0 -sT -O -T5 -p 1-65535 -iL target.txt -oX target.xml

Possa
  • You forgot to include the command you ran in your question – gparent Oct 09 '14 at 16:18
  • Try removing -O and doing the scan again. If it doesn't do these packets, I'll write it as an answer. – gparent Oct 09 '14 at 16:22
  • This was my guess too. But it is a guess. For OS identification does it need all these connections? (with small packets) – Possa Oct 09 '14 at 16:25
  • This is why I suggest you take off the flag to test it, so we can find out if it does. – gparent Oct 09 '14 at 16:29
  • Yes, I know. This was a production environment and I'll have some difficulty doing tests again. I'll try to do some tests in a development environment (or home) ;) – Possa Oct 09 '14 at 16:30
  • Yeah, you could just do it in a VM. – gparent Oct 09 '14 at 17:10

1 Answer


I answered this question on StackOverflow but the short answer is that it's a heartbeat Nmap uses to monitor network congestion.

bonsaiviking
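To tell the scan probes apart from the repeated connects the question describes, it helps to group the capture by server port and compare completed handshakes against the number of hosts: a connect scan touches each host:port once, while the pattern above hits the same host:port again and again. The following is an added example (not from the question, the answer, or Nmap itself) that does this over a small capture constructed inline in the style of a per-packet field export (frame length, ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags as hex); the rows, addresses and ports are all made up for the example.

```python
"""Group TCP handshakes per server port to spot repeated connects to one port."""
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits as they appear in tcp.flags


def build_rows():
    """Constructed capture: one scanner probes two hosts on 22 (open) and 80
    (closed) once each, plus three full connects per host to port 111.
    Every frame is 78 bytes, matching the length noted in the question."""
    scanner, hosts, rows, cport = "10.0.0.5", ["10.0.0.10", "10.0.0.11"], [], 40000
    for host in hosts:
        for port, is_open, times in ((22, True, 1), (80, False, 1), (111, True, 3)):
            for _ in range(times):
                cport += 1  # fresh client port per connection attempt
                rows.append(f"78,{scanner},{host},{cport},{port},0x0002")  # SYN
                if is_open:
                    rows.append(f"78,{host},{scanner},{port},{cport},0x0012")  # SYN/ACK
                    rows.append(f"78,{scanner},{host},{cport},{port},0x0010")  # ACK
                else:
                    rows.append(f"78,{host},{scanner},{port},{cport},0x0014")  # RST/ACK
    return rows


def parse(line):
    length, src, dst, sport, dport, flags = line.split(",")
    return int(length), src, dst, int(sport), int(dport), int(flags, 16)


def classify(rows):
    """Return {server_port: {"hosts": set(), "handshakes": n, "rst": n}}."""
    state = {}  # (client, server, client_port, server_port) -> syn|synack|done|rst
    for _, src, dst, sp, dp, flags in map(parse, rows):
        if flags & SYN and not flags & ACK:        # client opens a connection
            state[(src, dst, sp, dp)] = "syn"
        elif flags & SYN:                          # server replies SYN/ACK: port open
            if state.get((dst, src, dp, sp)) == "syn": state[(dst, src, dp, sp)] = "synack"
        elif flags & RST:                          # server refuses: port closed
            if state.get((dst, src, dp, sp)) == "syn": state[(dst, src, dp, sp)] = "rst"
        elif flags & ACK:                          # client completes the handshake
            if state.get((src, dst, sp, dp)) == "synack": state[(src, dst, sp, dp)] = "done"
    per_port = defaultdict(lambda: {"hosts": set(), "handshakes": 0, "rst": 0})
    for (_, server, _, server_port), st in state.items():
        entry = per_port[server_port]
        entry["hosts"].add(server)
        entry["handshakes"] += st == "done"
        entry["rst"] += st == "rst"
    return per_port


def repeated_connect_ports(rows):
    """Ports whose completed handshakes exceed the host count, i.e. the same
    host:port was connected to more than once; value is connects per host."""
    return {p: e["handshakes"] / len(e["hosts"])
            for p, e in classify(rows).items() if e["handshakes"] > len(e["hosts"])}
```

On a real capture, feed `repeated_connect_ports` the exported rows instead of `build_rows()`; the port that stands out with several connects per host is the one carrying the extra connections rather than a scan probe.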