LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Why does NMAP report â??Host seems downâ?ť despite host responding to ping? (http://www.linuxquestions.org/questions/linux-networking-3/why-does-nmap-report-%E2-host-seems-down%E2-%9D-despite-host-responding-to-ping-913671/)

android-eve 11-15-2011 10:20 AM

Why does NMAP report “Host seems down” despite host responding to ping?
 
I am trying to test a new CentOS 6 server on my tiny LAN. From another Linux (Ubuntu 10.04) host I type:

Code:

androideve@ubunbtu10:~$ nmap 192.168.1.3

Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-15 09:31 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 0.04 seconds

This is despite the fact that if I ping it manually, there isn't any problem:

Code:

androideve@ubunbtu10:~$ ping 192.168.1.3
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.161 ms
64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.138 ms
64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.147 ms
64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.131 ms

Why is this happening? How to fix this?

fukawi1 11-16-2011 02:58 AM

Did you try using -PN?

Quote:

HOST DISCOVERY:
-PN: Treat all hosts as online -- skip host discovery
Code:

man nmap

android-eve 11-16-2011 08:29 AM

Quote:

Originally Posted by fukawi1 (Post 4525317)
Did you try using -PN?

Thanks for this tip. I just tried it and NMAP responds that all "All 1000 scanned ports on 192.168.1.3 are filtered"
Code:

androideve@ubuntu10:~$ nmap -PN 192.168.1.3

Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-16 09:20 EST
All 1000 scanned ports on 192.168.1.3 are filtered

Nmap done: 1 IP address (1 host up) scanned in 6.89 seconds

I understand that this has to do with the firewall on the remote (scanned) host, but the main reason I am trying to use NMAP is to see which ports on the remote host are open and whether it is at all ping-able.

Well, I can ping it using 'ping' but not using NMAP. I find this very confusing.

Furthermore, the iptables firewall on the remote host has SSH checked as a Trusted Service ("accessible from all hosts and networks"). Why didn't NMAP detect this?

UPDATE: It turns out that when I last scanned the CentOS 6 remote host, it was in sleep mode. When I woke it up and tried NMAP again, I received:

Code:

android-eve@ubuntu10:~$ nmap -PN 192.168.1.3

Starting Nmap 5.00 ( http://nmap.org ) at 2011-11-16 11:11 EST
Interesting ports on 192.168.1.3:
Not shown: 999 filtered ports
PORT  STATE  SERVICE
22/tcp closed ssh

Nmap done: 1 IP address (1 host up) scanned in 4.97 seconds

So, at least I see some consistency between the firewall setting and what NMAP reports.

I am still confused by NMAP not reporting a perfectly ping-able host. If I were to rely on NMAP for verifying that my host is 100% stealthed, it would have mislead me.

What am I missing about the correct usage of NMAP?

lleb 11-16-2011 11:45 AM

that tells you the port 22 is closed and not open. it all depends on how the firewall is configured on the other end. you can also use nmap -P0 to get past the "ping issue"

for just testing a specific port nmap -p<port number here> IP will be much faster then just nmap -PN or -PO

fukawi1 11-17-2011 12:53 AM

In my experience, and I am not a nmap guru by any means.
Filtered ports mean the firewall is rejecting packets

Closed ports, mean the firewall is dropping packets.

android-eve 11-21-2011 02:35 PM

Quote:

Originally Posted by fukawi1 (Post 4526287)
Filtered ports mean the firewall is rejecting packets

Closed ports, mean the firewall is dropping packets.

It's actually the opposite. :)


All times are GMT -5. The time now is 04:43 AM.