LinuxQuestions.org
Old 02-12-2008, 10:17 AM   #1
adityaj123
LQ Newbie
 
Registered: Feb 2008
Posts: 12

Rep: Reputation: 0
nmap SYN scan packets capture with wireshark


Hi

I am trying to capture the packets sent by nmap for a TCP SYN scan. Using Wireshark running on my machine, I wanted to find out the exact packets sent. But all I can see are some address resolutions being done. The command I have used is

nmap -PS -p80 -v 192.168.1.1 --packet-trace

The cropped output

Code:
Initiating SYN Stealth Scan at 21:39
Scanning 192.168.1.1 [1 port]
SENT (0.5620s) TCP 192.168.1.102:63810 > 192.168.1.1:80 S ttl=47 id=24392 iplen=44  seq=1773369909 win=4096 <mss 1460>
SENT (0.6720s) TCP 192.168.1.102:63811 > 192.168.1.1:80 S ttl=45 id=31039 iplen=44  seq=1773304372 win=2048 <mss 1460>
Completed SYN Stealth Scan at 21:39, 0.23s elapsed (1 total ports)
Now these TCP packets I cannot find in the Wireshark capture window. Below is the captured output.

Code:
No.     Time        Source                Destination           Protocol Info
   1 0.000000    Netgear_2d:87:52      Broadcast             ARP      Who has 192.168.1.1?  Tell 192.168.1.102
   2 0.001486    Cisco-Li_42:2e:68     Netgear_2d:87:52      ARP      192.168.1.1 is at 00:18:f8:42:2e:68
   3 0.011158    192.168.1.102         10.200.1.11           DNS      Standard query PTR 1.1.168.192.in-addr.arpa
Can't find the SYN packets. Have I missed anything? Or a whole lot?

Regards
Aditya
 
Old 02-12-2008, 01:13 PM   #2
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
Did nmap say the port was open? Try adding -P0 instead of -PS. I had a problem of Wireshark not seeing a SYN scan of my network, and it turns out nmap was doing an ARP scan before bothering to do the SYN scan. Since most hosts were down and didn't get past the ARP scan, nmap never did the SYN port scan.
 
Old 02-12-2008, 10:05 PM   #3
adityaj123
LQ Newbie
 
Registered: Feb 2008
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by OlRoy View Post
Did nmap say the port was open?
Well, it said filtered.


Quote:
Originally Posted by OlRoy View Post
Try adding -P0 instead of -PS. I had a problem of Wireshark not seeing a SYN scan of my network, and it turns out nmap was doing an ARP scan before bothering to do the SYN scan. Since most hosts were down and didn't get past the ARP scan, nmap never did the SYN port scan.
I think this makes a lot of sense. I ran the scan again and it seems to point to the same issue. But unfortunately a -P0 scan too seems to generate a host of DNS queries for the target. But I could not capture anything SYN-like. Also tried the -sS option, but in vain.

Also, I am using quite a generic filter in Wireshark

Code:
ip.addr==192.168.1.1 || ip.addr==192.168.1.102
where 192.168.1.102 is the source and 192.168.1.1 the target.

Anyway, I will keep trying. Thanks for your quick response and suggestions.

Regards

Aditya
 
Old 02-12-2008, 11:48 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I just tested capturing only TCP SYN packets (from a nmap scan) with tcpdump and it works fine.

# tcpdump -s 0 'tcp[tcpflags] & (tcp-syn) != 0'

I don't use Wireshark / don't have it installed. Perhaps your filter needs to be further refined.

--------------------

edit: Alternatively (and probably more clearly), that can be written as:

# tcpdump 'tcp[tcpflags] == tcp-syn'

If you're able to capture the packets with tcpdump, then you know you just need to continue to tweak wireshark until you get it right.

Last edited by anomie; 02-12-2008 at 11:55 PM. Reason: added stuff.
 
Old 02-13-2008, 01:43 AM   #5
adityaj123
LQ Newbie
 
Registered: Feb 2008
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by anomie View Post
I just tested capturing only TCP SYN packets (from a nmap scan) with tcpdump and it works fine.
Can you post the nmap command, so I can make sure I am using the correct options?


Quote:
Originally Posted by anomie View Post
edit: Alternatively (and probably more clearly), that can be written as:

# tcpdump 'tcp[tcpflags] == tcp-syn'

If you're able to capture the packets with tcpdump, then you know you just need to continue to tweak wireshark until you get it right.
I tried this too, but to no avail.

Let me also tell you about my setup. Maybe I have missed something. I have a wireless router and a host. I am trying to write a program to find out if a host is alive (I know I am reinventing the wheel and should use nmap, but I wanted to learn more about packet-level details). So I decided to use the TCP SYN approach of nmap: send a SYN and, depending on the response, I know if the machine is up. So for now I am just trying it on my router to see the kind of packet nmap sends for a SYN.

Thanks

Aditya
 
Old 02-13-2008, 10:14 AM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Sure:
> nmap -P0 some.host.local -p 22

The TCP port specified is totally arbitrary. It doesn't matter if it's open or filtered, either (tcpdump should capture the TCP SYN packet regardless).

ICMP echo requests are a good way to tell if a host is up, too. (Just don't filter that out.)
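An added example (not from this thread) that models anomie's two tcpdump filters from post #4 and the "what does the reply to my SYN tell me" question from posts #5 and #6, over constructed frames: the MAC addresses, packet bytes and every function name here are my own. It shows why `tcp[tcpflags] & (tcp-syn) != 0` also matches a SYN/ACK reply while `tcp[tcpflags] == tcp-syn` matches only the outgoing probe, why an ARP frame never matches either, and how a SYN/ACK, a RST or silence each classify the target.

```python
import socket
import struct

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10   # flag bits in byte 13 of the TCP header

def eth_frame(ethertype, payload):
    """Constructed Ethernet II frame; the MAC addresses are placeholders."""
    return b"\x00\x18\xf8\x42\x2e\x68\x00\x1e\x2a\x2d\x87\x52" + struct.pack("!H", ethertype) + payload

def tcp_packet(src, dst, sport, dport, flags):
    """Constructed minimal IPv4 + TCP headers (checksums left zero; flag matching ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 4096, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def tcp_flags(frame):
    """The TCP flags byte that tcpdump's 'tcp[tcpflags]' indexes, or None if the frame is not IPv4/TCP (e.g. ARP)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ip[9] != 6 or len(ip) < ihl + 14:     # protocol 6 = TCP; need at least the flags byte
        return None
    return ip[ihl + 13]

def syn_bit_set(frame):
    """tcpdump 'tcp[tcpflags] & (tcp-syn) != 0': matches the probe AND a SYN/ACK reply."""
    f = tcp_flags(frame)
    return f is not None and (f & TCP_SYN) != 0

def syn_only(frame):
    """tcpdump 'tcp[tcpflags] == tcp-syn': only a segment with SYN and nothing else set."""
    return tcp_flags(frame) == TCP_SYN

def reply_verdict(reply):
    """What one reply to the SYN probe says about the target (a non-TCP frame counts as no reply)."""
    f = tcp_flags(reply)
    if f is not None and f & TCP_SYN and f & TCP_ACK:
        return "host up, port open"
    if f is not None and f & TCP_RST:
        return "host up, port closed"
    return "no usable reply: filtered, or host down"

# Constructed capture mirroring the thread: the ARP request, the probe and two possible replies.
ARP_REQ = eth_frame(ETH_P_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20)
SYN     = eth_frame(ETH_P_IP, tcp_packet("192.168.1.102", "192.168.1.1", 63810, 80, TCP_SYN))
SYN_ACK = eth_frame(ETH_P_IP, tcp_packet("192.168.1.1", "192.168.1.102", 80, 63810, TCP_SYN | TCP_ACK))
RST_ACK = eth_frame(ETH_P_IP, tcp_packet("192.168.1.1", "192.168.1.102", 80, 63810, TCP_RST | TCP_ACK))
```

A capture in which `syn_only` matches nothing (only ARP_REQ, as in the first post) means nmap never sent the probe, which is the situation OlRoy describes.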
 
All times are GMT -5. The time now is 01:29 PM.