I am trying to check the port status of an external IP using Nmap, and I am getting different results on different interfaces to the same destination (the destination is a public IP).
When Nmap is tried from the internal interface 10.204.59.166:

```
localhost2:/$ /usr/bin/nmap --privileged -sS -p 443 -S 10.204.59.166 --max-retries 1 --max-rtt-timeout 1s 54.183.135.54 --packet-trace
WARNING: If -S is being used to fake your source address, you may also have to use -e <interface> and -Pn . If you are using it to specify your real source address, you can ignore this warning.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-05 17:49 IST
SENT (0.0286s) ICMP [10.204.59.166 > 54.183.135.54 Echo request (type=8/code=0) id=46788 seq=0] IP [ttl=45 id=40353 iplen=28 ]
SENT (0.0287s) TCP 10.204.59.166:62492 > 54.183.135.54:443 S ttl=40 id=53957 iplen=44 seq=1627088662 win=1024 <mss 1460>
SENT (0.0287s) TCP 10.204.59.166:62492 > 54.183.135.54:80 A ttl=38 id=22755 iplen=40 seq=0 win=1024
SENT (0.0288s) ICMP [10.204.59.166 > 54.183.135.54 Timestamp request (type=13/code=0) id=6421 seq=0 orig=0 recv=0 trans=0] IP [ttl=39 id=11720 iplen=40 ]
RCVD (0.2490s) TCP 54.183.135.54:443 > 10.204.59.166:62492 SA ttl=48 id=0 iplen=44 seq=3955485356 win=26883 <mss 8961>
NSOCK INFO [0.2630s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.2630s] nsock_connect_udp(): UDP connection requested to 10.209.115.226:53 (IOD #1) EID 8
NSOCK INFO [0.2630s] mksock_bind_addr(): Binding to 10.204.59.166:0 (IOD #1)
NSOCK INFO [0.2630s] nsock_read(): Read request from IOD #1 [10.209.115.226:53] (timeout: -1ms) EID 18
NSOCK INFO [0.2630s] nsock_write(): Write request for 44 bytes to IOD #1 EID 27 [10.209.115.226:53]
NSOCK INFO [0.2630s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [10.209.115.226:53]
NSOCK INFO [0.2630s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [10.209.115.226:53]
NSOCK INFO [0.5130s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [10.209.115.226:53] (107 bytes)
NSOCK INFO [0.5130s] nsock_read(): Read request from IOD #1 [10.209.115.226:53] (timeout: -1ms) EID 34
NSOCK INFO [0.5130s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [0.5130s] nevent_delete(): nevent_delete on event #34 (type READ)
SENT (0.5220s) TCP 10.204.59.166:62748 > 54.183.135.54:443 S ttl=55 id=57784 iplen=44 seq=136761536 win=1024 <mss 1460>
RCVD (0.7367s) TCP 54.183.135.54:443 > 10.204.59.166:62748 SA ttl=45 id=0 iplen=44 seq=1954894394 win=26883 <mss 8961>
Nmap scan report for ec2-54-183-135-54.us-west-1.compute.amazonaws.com (54.183.135.54)
Host is up (0.22s latency).
PORT STATE SERVICE
443/tcp open https
```
tcpdump capture with filter "host 54.183.135.54":

```
12:21:47.511780 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 42: 10.204.59.166 > 54.183.135.54: ICMP echo request, id 22234, seq 0, length 8
12:21:47.511869 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 58: 10.204.59.166.36506 > 54.183.135.54.443: Flags [S], seq 3373344886, win 1024, options [mss 1460], length 0
12:21:47.511946 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 54: 10.204.59.166.36506 > 54.183.135.54.80: Flags [.], ack 3373344886, win 1024, length 0
12:21:47.512012 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 54: 10.204.59.166 > 54.183.135.54: ICMP time stamp query id 4157 seq 0, length 20
12:21:47.727825 fc:bd:67:06:9f:41 > 00:50:56:85:e3:9d, ethertype IPv4 (0x0800), length 60: 54.183.135.54.443 > 10.204.59.166.36506: Flags [S.], seq 4009090313, ack 3373344887, win 26883, options [mss 8961], length 0
12:21:47.727851 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 54: 10.204.59.166.36506 > 54.183.135.54.443: Flags [R], seq 3373344887, win 0, length 0
12:21:47.759717 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 58: 10.204.59.166.36762 > 54.183.135.54.443: Flags [S], seq 3346467974, win 1024, options [mss 1460], length 0
12:21:47.978268 fc:bd:67:06:9f:41 > 00:50:56:85:e3:9d, ethertype IPv4 (0x0800), length 60: 54.183.135.54.443 > 10.204.59.166.36762: Flags [S.], seq 4286776120, ack 3346467975, win 26883, options [mss 8961], length 0
12:21:47.978294 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 54: 10.204.59.166.36762 > 54.183.135.54.443: Flags [R], seq 3346467975, win 0, length 0
```
When the Nmap scan is tried from the management interface 10.204.59.170:

```
localhost2:/$ /usr/bin/nmap --privileged -sS -p 443 -S 10.204.59.170 --max-retries 1 --max-rtt-timeout 1s 54.183.135.54 --packet-trace
WARNING: If -S is being used to fake your source address, you may also have to use -e <interface> and -Pn . If you are using it to specify your real source address, you can ignore this warning.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-05 17:53 IST
SENT (0.0308s) ICMP [10.204.59.170 > 54.183.135.54 Echo request (type=8/code=0) id=26671 seq=0] IP [ttl=53 id=29966 iplen=28 ]
SENT (0.0308s) TCP 10.204.59.170:58574 > 54.183.135.54:443 S ttl=56 id=9669 iplen=44 seq=2253745352 win=1024 <mss 1460>
SENT (0.0308s) TCP 10.204.59.170:58574 > 54.183.135.54:80 A ttl=44 id=45365 iplen=40 seq=0 win=1024
SENT (0.0309s) ICMP [10.204.59.170 > 54.183.135.54 Timestamp request (type=13/code=0) id=24931 seq=0 orig=0 recv=0 trans=0] IP [ttl=43 id=62589 iplen=40 ]
SENT (2.0316s) ICMP [10.204.59.170 > 54.183.135.54 Timestamp request (type=13/code=0) id=4857 seq=0 orig=0 recv=0 trans=0] IP [ttl=57 id=50613 iplen=40 ]
SENT (2.0317s) TCP 10.204.59.170:58576 > 54.183.135.54:80 A ttl=40 id=40561 iplen=40 seq=0 win=1024
SENT (2.0317s) TCP 10.204.59.170:58576 > 54.183.135.54:443 S ttl=47 id=29832 iplen=44 seq=2253876426 win=1024 <mss 1460>
SENT (2.0317s) ICMP [10.204.59.170 > 54.183.135.54 Echo request (type=8/code=0) id=59168 seq=0] IP [ttl=53 id=15727 iplen=28 ]
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
```
tcpdump capture with filter "host 54.183.135.54":

```
12:23:18.958528 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 54.183.135.54 tell 10.204.59.170, length 46
12:23:18.957777 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 54.183.135.54 tell 10.204.59.170, length 28
12:23:20.016655 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 54.183.135.54 tell 10.204.59.170, length 46
12:23:20.016376 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 54.183.135.54 tell 10.204.59.170, length 28
12:23:21.040925 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 54.183.135.54 tell 10.204.59.170, length 46
12:23:21.040372 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 54.183.135.54 tell 10.204.59.170, length 28
```
Queries about the above results:

- Both interfaces are in the same network and the same VLAN, so why the different results?
- With the internal interface, an ICMP packet is sent to the remote IP (that is expected), but why is ARP sent when the management interface is used?
- For remote IPs (that are outside the network) Nmap should do an ICMP request, correct?
- Why is there a difference between the Nmap capture and the tcpdump capture?
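As an added illustration (not part of the original question, and not Nmap's or tcpdump's own code), the following Python parses tcpdump lines in the `-e` format posted above and checks, for every ARP request, whether its target lies inside the capturing interface's subnet. The 10.204.59.0/24 mask is an assumption, since the question does not state it, and the embedded capture text is a constructed excerpt of the two captures above. The check rests on one fact about IP forwarding: a host only ARPs for an address it believes is directly connected, so an ARP request for an address outside the interface's own subnet means the sender resolved the destination as on-link instead of handing the packet to a gateway, which is exactly the difference between the two captures.

```python
# Added example, not part of the original question: classify tcpdump -e lines
# and flag ARP requests whose target lies outside the local subnet.
# The 10.204.59.0/24 mask is an ASSUMPTION; the question does not state it.
import ipaddress
import re

# Constructed samples: a few lines copied from the two captures in the question.
INTERNAL_CAPTURE = """\
12:21:47.511780 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 42: 10.204.59.166 > 54.183.135.54: ICMP echo request, id 22234, seq 0, length 8
12:21:47.511869 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 58: 10.204.59.166.36506 > 54.183.135.54.443: Flags [S], seq 3373344886, win 1024, options [mss 1460], length 0
12:21:47.727825 fc:bd:67:06:9f:41 > 00:50:56:85:e3:9d, ethertype IPv4 (0x0800), length 60: 54.183.135.54.443 > 10.204.59.166.36506: Flags [S.], seq 4009090313, ack 3373344887, win 26883, options [mss 8961], length 0
12:21:47.727851 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 54: 10.204.59.166.36506 > 54.183.135.54.443: Flags [R], seq 3373344887, win 0, length 0
"""
MGMT_CAPTURE = """\
12:23:18.958528 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 54.183.135.54 tell 10.204.59.170, length 46
12:23:20.016655 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 54.183.135.54 tell 10.204.59.170, length 46
12:23:21.040925 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 54.183.135.54 tell 10.204.59.170, length 46
"""

ARP_RE = re.compile(r"ethertype ARP .*?Request who-has (\S+) tell (\S+),")
IPV4_RE = re.compile(
    r"ethertype IPv4 .*?length \d+: "
    r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (ICMP|Flags)"
)


def parse_line(line):
    """Classify one tcpdump line as ARP, ICMP or TCP; return None if unrecognised."""
    m = ARP_RE.search(line)
    if m:
        return {"proto": "ARP", "target": m.group(1), "sender": m.group(2)}
    m = IPV4_RE.search(line)
    if m:
        proto = "ICMP" if m.group(5) == "ICMP" else "TCP"
        return {"proto": proto, "src": m.group(1), "dst": m.group(3)}
    return None


def analyze(capture, local_net):
    """Count frames per protocol and collect ARP targets outside local_net.

    An ARP request for an address that is not in the interface's own subnet
    means the sender tried to resolve the destination as if it were directly
    connected, i.e. the packet was not handed to a gateway.
    """
    net = ipaddress.ip_network(local_net)
    counts = {"ARP": 0, "ICMP": 0, "TCP": 0}
    off_subnet_arp = []
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["proto"]] += 1
        if rec["proto"] == "ARP" and ipaddress.ip_address(rec["target"]) not in net:
            off_subnet_arp.append(rec["target"])
    return counts, off_subnet_arp


def verdict(capture, local_net):
    """One-line diagnosis of a capture, in the terms of the question."""
    counts, off = analyze(capture, local_net)
    ip_frames = counts["ICMP"] + counts["TCP"]
    if off and ip_frames == 0:
        return ("on-link resolution: %d ARP request(s) for off-subnet target %s, "
                "no IP probe reached the wire" % (len(off), sorted(set(off))[0]))
    if off:
        return "off-subnet ARP mixed with IP traffic: %d request(s)" % len(off)
    if ip_frames:
        return "routed: IP probes left the interface, no off-subnet ARP"
    return "no recognised traffic"


if __name__ == "__main__":
    for name, cap in (("internal", INTERNAL_CAPTURE), ("management", MGMT_CAPTURE)):
        print(name, "->", verdict(cap, "10.204.59.0/24"))
```

Run as a script it prints one verdict per capture: the internal-interface excerpt is reported as routed IP traffic, the management-interface excerpt as on-link resolution with no IP probe on the wire. The same `analyze` call can be fed the full output of `tcpdump -e -n host 54.183.135.54` taken on each interface; if the mask assumed above is wrong, pass the interface's real prefix as `local_net`.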