
I am trying to check the port status of an external IP using NMAP, and I am getting different results on different interfaces to the same destination (the destination is a public IP).

When NMAP is run from the internal interface 10.204.59.166:

localhost2:/$ /usr/bin/nmap --privileged  -sS -p 443 -S 10.204.59.166 --max-retries 1 --max-rtt-timeout 1s 54.183.135.54 --packet-trace
WARNING: If -S is being used to fake your source address, you may also have to use -e <interface> and -Pn .  If you are using it to specify your real source address, you can ignore this warning.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-05 17:49 IST
SENT (0.0286s) ICMP [10.204.59.166 > 54.183.135.54 Echo request (type=8/code=0) id=46788 seq=0] IP [ttl=45 id=40353 iplen=28 ]
SENT (0.0287s) TCP 10.204.59.166:62492 > 54.183.135.54:443 S ttl=40 id=53957 iplen=44  seq=1627088662 win=1024 <mss 1460>
SENT (0.0287s) TCP 10.204.59.166:62492 > 54.183.135.54:80 A ttl=38 id=22755 iplen=40  seq=0 win=1024
SENT (0.0288s) ICMP [10.204.59.166 > 54.183.135.54 Timestamp request (type=13/code=0) id=6421 seq=0 orig=0 recv=0 trans=0] IP [ttl=39 id=11720 iplen=40 ]
RCVD (0.2490s) TCP 54.183.135.54:443 > 10.204.59.166:62492 SA ttl=48 id=0 iplen=44  seq=3955485356 win=26883 <mss 8961>
NSOCK INFO [0.2630s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.2630s] nsock_connect_udp(): UDP connection requested to 10.209.115.226:53 (IOD #1) EID 8
NSOCK INFO [0.2630s] mksock_bind_addr(): Binding to 10.204.59.166:0 (IOD #1)
NSOCK INFO [0.2630s] nsock_read(): Read request from IOD #1 [10.209.115.226:53] (timeout: -1ms) EID 18
NSOCK INFO [0.2630s] nsock_write(): Write request for 44 bytes to IOD #1 EID 27 [10.209.115.226:53]
NSOCK INFO [0.2630s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [10.209.115.226:53]
NSOCK INFO [0.2630s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [10.209.115.226:53]
NSOCK INFO [0.5130s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [10.209.115.226:53] (107 bytes)
NSOCK INFO [0.5130s] nsock_read(): Read request from IOD #1 [10.209.115.226:53] (timeout: -1ms) EID 34
NSOCK INFO [0.5130s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [0.5130s] nevent_delete(): nevent_delete on event #34 (type READ)
SENT (0.5220s) TCP 10.204.59.166:62748 > 54.183.135.54:443 S ttl=55 id=57784 iplen=44  seq=136761536 win=1024 <mss 1460>
RCVD (0.7367s) TCP 54.183.135.54:443 > 10.204.59.166:62748 SA ttl=45 id=0 iplen=44  seq=1954894394 win=26883 <mss 8961>
Nmap scan report for ec2-54-183-135-54.us-west-1.compute.amazonaws.com (54.183.135.54)
Host is up (0.22s latency).

PORT    STATE SERVICE
443/tcp open  https

tcpdump capture with filter "host 54.183.135.54":

12:21:47.511780 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 42: 10.204.59.166 > 54.183.135.54: ICMP echo request, id 22234, seq 0, length 8
12:21:47.511869 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 58: 10.204.59.166.36506 > 54.183.135.54.443: Flags [S], seq 3373344886, win 1024, options [mss 1460], length 0
12:21:47.511946 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 54: 10.204.59.166.36506 > 54.183.135.54.80: Flags [.], ack 3373344886, win 1024, length 0
12:21:47.512012 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 54: 10.204.59.166 > 54.183.135.54: ICMP time stamp query id 4157 seq 0, length 20
12:21:47.727825 fc:bd:67:06:9f:41 > 00:50:56:85:e3:9d, ethertype IPv4 (0x0800), length 60: 54.183.135.54.443 > 10.204.59.166.36506: Flags [S.], seq 4009090313, ack 3373344887, win 26883, options [mss 8961], length 0
12:21:47.727851 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 54: 10.204.59.166.36506 > 54.183.135.54.443: Flags [R], seq 3373344887, win 0, length 0
12:21:47.759717 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 58: 10.204.59.166.36762 > 54.183.135.54.443: Flags [S], seq 3346467974, win 1024, options [mss 1460], length 0
12:21:47.978268 fc:bd:67:06:9f:41 > 00:50:56:85:e3:9d, ethertype IPv4 (0x0800), length 60: 54.183.135.54.443 > 10.204.59.166.36762: Flags [S.], seq 4286776120, ack 3346467975, win 26883, options [mss 8961], length 0
12:21:47.978294 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 54: 10.204.59.166.36762 > 54.183.135.54.443: Flags [R], seq 3346467975, win 0, length 0

When the NMAP scan is run from the management interface 10.204.59.170:

localhost2:/$ /usr/bin/nmap --privileged  -sS -p 443 -S 10.204.59.170 --max-retries 1 --max-rtt-timeout 1s 54.183.135.54 --packet-trace
WARNING: If -S is being used to fake your source address, you may also have to use -e <interface> and -Pn .  If you are using it to specify your real source address, you can ignore this warning.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-05 17:53 IST
SENT (0.0308s) ICMP [10.204.59.170 > 54.183.135.54 Echo request (type=8/code=0) id=26671 seq=0] IP [ttl=53 id=29966 iplen=28 ]
SENT (0.0308s) TCP 10.204.59.170:58574 > 54.183.135.54:443 S ttl=56 id=9669 iplen=44  seq=2253745352 win=1024 <mss 1460>
SENT (0.0308s) TCP 10.204.59.170:58574 > 54.183.135.54:80 A ttl=44 id=45365 iplen=40  seq=0 win=1024
SENT (0.0309s) ICMP [10.204.59.170 > 54.183.135.54 Timestamp request (type=13/code=0) id=24931 seq=0 orig=0 recv=0 trans=0] IP [ttl=43 id=62589 iplen=40 ]
SENT (2.0316s) ICMP [10.204.59.170 > 54.183.135.54 Timestamp request (type=13/code=0) id=4857 seq=0 orig=0 recv=0 trans=0] IP [ttl=57 id=50613 iplen=40 ]
SENT (2.0317s) TCP 10.204.59.170:58576 > 54.183.135.54:80 A ttl=40 id=40561 iplen=40  seq=0 win=1024
SENT (2.0317s) TCP 10.204.59.170:58576 > 54.183.135.54:443 S ttl=47 id=29832 iplen=44  seq=2253876426 win=1024 <mss 1460>
SENT (2.0317s) ICMP [10.204.59.170 > 54.183.135.54 Echo request (type=8/code=0) id=59168 seq=0] IP [ttl=53 id=15727 iplen=28 ]
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds

tcpdump capture with filter "host 54.183.135.54":

12:23:18.958528 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 54.183.135.54 tell 10.204.59.170, length 46
12:23:18.957777 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 54.183.135.54 tell 10.204.59.170, length 28
12:23:20.016655 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 54.183.135.54 tell 10.204.59.170, length 46
12:23:20.016376 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 54.183.135.54 tell 10.204.59.170, length 28
12:23:21.040925 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 54.183.135.54 tell 10.204.59.170, length 46
12:23:21.040372 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 54.183.135.54 tell 10.204.59.170, length 28

Questions about the above results:

  1. Both interfaces are in the same network and the same VLAN, so why the different results?
  2. With the internal interface, an ICMP packet is sent to the remote IP (that is expected), but why is an ARP request sent when the management interface is used?
  3. For remote IPs (outside the network), NMAP should send an ICMP request, correct?
  4. Why is there a difference between the NMAP packet trace and the tcpdump capture?
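
A way to read the two captures side by side, as an added example that is not part of the question or of nmap itself: a small Python triage script over tcpdump -e lines. It parses the ARP and IPv4 records, reports whether IP packets to the target ever reached the wire or the host only ARPed for it, and infers the SYN-scan port state from the target's reply flags. The sample lines are copied from the captures above. The verdict names, and the interpretation that an ARP request for a public address means the sender treated the target as on-link (typically because the source interface it was pinned to has no gateway route to the target, so nothing beyond ARP ever left the NIC), are this script's own assumptions, not something nmap reports.

```python
"""Triage helper: explain a tcpdump capture of an nmap SYN scan.

Constructed for this page; not part of nmap or tcpdump. From the capture
alone it answers two questions: did IP packets to the target ever leave
the NIC (or did the host only ARP for the target), and what did the
target's TCP reply say about the probed port?
"""
import ipaddress
import re

# Two line shapes seen in tcpdump -e output: an ARP request and an IPv4 packet.
ARP_RE = re.compile(
    r"ethertype ARP .*?Request who-has (?P<target>[\d.]+) tell (?P<asker>[\d.]+)"
)
IP_RE = re.compile(
    r"ethertype IPv4 .*?length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")


def parse_line(line):
    """Turn one tcpdump -e line into a dict, or None if it is neither ARP nor IPv4."""
    m = ARP_RE.search(line)
    if m:
        return {"kind": "arp", "target": m["target"], "asker": m["asker"]}
    m = IP_RE.search(line)
    if m:
        f = FLAGS_RE.search(m["rest"])
        return {
            "kind": "ip",
            "src": m["src"], "sport": m["sport"],
            "dst": m["dst"], "dport": m["dport"],
            "flags": f["flags"] if f else None,  # None for ICMP and other non-TCP
        }
    return None


def analyse_capture(lines, target):
    """Classify whether traffic to `target` was routed or stuck at ARP resolution."""
    arp = ip_out = ip_in = 0
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "arp" and rec["target"] == target:
            arp += 1
        elif rec["kind"] == "ip" and rec["dst"] == target:
            ip_out += 1
        elif rec["kind"] == "ip" and rec["src"] == target:
            ip_in += 1
    if ip_out:
        verdict = "routed"  # a next-hop MAC was known, so IP packets reached the wire
    elif arp and ipaddress.ip_address(target).is_global:
        # Assumption: ARP for a public address means the sender treated it as
        # directly connected, i.e. the pinned source interface had no gateway
        # route for it. The scanner's SENT lines show intent; the wire shows this.
        verdict = "arp-for-offlink-target"
    elif arp:
        verdict = "arp-unanswered"
    else:
        verdict = "no-traffic"
    return {"arp_requests": arp, "ip_sent": ip_out, "ip_received": ip_in,
            "verdict": verdict}


def port_state(lines, target, port):
    """SYN-scan port state from the target's reply: S. open, R/R. closed, none filtered."""
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] != "ip" or rec["src"] != target or rec["sport"] != str(port):
            continue
        flags = rec["flags"] or ""
        if "S" in flags and "." in flags:
            return "open"
        if "R" in flags:
            return "closed"
    return "filtered"


# Sample input: lines copied from the two captures in the question above.
INTERNAL_CAPTURE = [
    "12:21:47.511780 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 42: 10.204.59.166 > 54.183.135.54: ICMP echo request, id 22234, seq 0, length 8",
    "12:21:47.511869 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 58: 10.204.59.166.36506 > 54.183.135.54.443: Flags [S], seq 3373344886, win 1024, options [mss 1460], length 0",
    "12:21:47.511946 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 54: 10.204.59.166.36506 > 54.183.135.54.80: Flags [.], ack 3373344886, win 1024, length 0",
    "12:21:47.727825 fc:bd:67:06:9f:41 > 00:50:56:85:e3:9d, ethertype IPv4 (0x0800), length 60: 54.183.135.54.443 > 10.204.59.166.36506: Flags [S.], seq 4009090313, ack 3373344887, win 26883, options [mss 8961], length 0",
    "12:21:47.727851 00:50:56:85:e3:9d > 00:1c:73:00:09:99, ethertype IPv4 (0x0800), length 54: 10.204.59.166.36506 > 54.183.135.54.443: Flags [R], seq 3373344887, win 0, length 0",
]
MGMT_CAPTURE = [
    "12:23:18.958528 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 54.183.135.54 tell 10.204.59.170, length 46",
    "12:23:18.957777 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 54.183.135.54 tell 10.204.59.170, length 28",
    "12:23:20.016655 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 54.183.135.54 tell 10.204.59.170, length 46",
    "12:23:20.016376 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 54.183.135.54 tell 10.204.59.170, length 28",
    "12:23:21.040925 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 54.183.135.54 tell 10.204.59.170, length 46",
    "12:23:21.040372 00:50:56:85:be:54 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 54.183.135.54 tell 10.204.59.170, length 28",
]

if __name__ == "__main__":
    target = "54.183.135.54"
    for name, cap in (("internal", INTERNAL_CAPTURE), ("management", MGMT_CAPTURE)):
        print(name, analyse_capture(cap, target), "443/tcp:", port_state(cap, target, 443))
```

Run against the two captures it reports "routed" plus 443/tcp open for the internal interface, and "arp-for-offlink-target" with 443/tcp filtered for the management interface: the second scan never produced a reachable or unreachable port, it never produced an IP packet at all. The script is a reading aid for captures; confirming the cause on the host itself means comparing the routing table for each source address (the route and gateway the kernel picks for the target) rather than re-running the scan.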
