
I am doing host discovery only (the -sn option), trying to determine active hosts that are up and running.

My first command was:

nmap -sn -PS21,22,25,53,80,443,3389,8000,8080,42000 -PA80,443,8080,42000 -PU53 xxx.xxx.xxx.xxx/27

I am scanning public IPs and the above command produces a result stating that 18 hosts are up.

However, when I run the above command with the --data-length option (either 32 or 56), it produces a result with only 8 hosts up.

I was expecting to see more hosts, if anything... but not fewer. (The data-length option adds bytes of data to every packet to simulate the ping tool, and it may help evade firewall rules set to drop 0-byte packets.)

I am reading Fyodor's book; however, I am having trouble understanding the behavior above.

Any ideas?

Thanks

Spock

1 Answer

--data-length adds data to every packet. Your TCP discovery options (-PS, -PA) are sending packets that do not usually contain data. In this case, these packets are more likely to be dropped or ignored since they are unusual. The case where --data-length is useful is for the -PE (ICMP Echo Request) discovery option. ICMP Echo Request datagrams are usually sent with some data payload, but Nmap defaults to empty probes, so IDS products like Snort will sometimes block or alert on these probes.

bonsaiviking
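To see the point of the answer from the defender's side, here is an added example (not part of the question, the answer, or Nmap itself) that parses raw IPv4/TCP packets and flags the case the answer calls unusual: a SYN probe carrying a data payload, which is what -PS with --data-length produces. The packet builder only makes constructed test input (checksums are left zero, addresses are from the 192.0.2.0/24 documentation range); bare ACK probes with data are deliberately not flagged, since a stateless parser cannot tell them from normal in-connection segments.

```python
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_probe(flags: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet: minimal IPv4 + TCP header plus payload.
    Checksums are zero; this is parser test input, not a wire-accurate probe."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    # src port, dst port, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 1024, 0, 0)
    return ip_hdr + tcp_hdr + payload


def inspect_tcp(packet: bytes) -> dict:
    """Parse an IPv4/TCP packet and report flags, payload length, and whether it
    looks like a padded SYN probe (SYN without ACK but with data). Outside TCP
    Fast Open such segments are rare, so filters and IDS may drop or alert on them."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = packet[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    payload_len = len(tcp) - data_off
    syn_only = (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return {
        "flags": flags,
        "payload_len": payload_len,
        "anomalous": syn_only and payload_len > 0,
    }


if __name__ == "__main__":
    # Default -PS probe: empty SYN. With --data-length 32: SYN plus 32 bytes.
    for name, pkt in [("plain SYN", build_probe(TCP_SYN)),
                      ("padded SYN", build_probe(TCP_SYN, b"\x00" * 32)),
                      ("ACK with data", build_probe(TCP_ACK, b"x" * 56))]:
        print(name, inspect_tcp(pkt))
```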