I am trying to capture the packets sent by nmap for a TCP SYN scan. Using Wireshark running on my machine I wanted to find out the exact packets sent. But all I can see are some address resolutions being done. The command I have used is
nmap -PS -p80 -v 192.168.1.1 --packet-trace
The cropped output
Code:
Initiating SYN Stealth Scan at 21:39
Scanning 192.168.1.1 [1 port]
SENT (0.5620s) TCP 192.168.1.102:63810 > 192.168.1.1:80 S ttl=47 id=24392 iplen=44 seq=1773369909 win=4096 <mss 1460>
SENT (0.6720s) TCP 192.168.1.102:63811 > 192.168.1.1:80 S ttl=45 id=31039 iplen=44 seq=1773304372 win=2048 <mss 1460>
Completed SYN Stealth Scan at 21:39, 0.23s elapsed (1 total ports)
Now these TCP packets I cannot find in the Wireshark capture window. Below is the captured output.
Code:
No. Time Source Destination Protocol Info
1 0.000000 Netgear_2d:87:52 Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.102
2 0.001486 Cisco-Li_42:2e:68 Netgear_2d:87:52 ARP 192.168.1.1 is at 00:18:f8:42:2e:68
3 0.011158 192.168.1.102 10.200.1.11 DNS Standard query PTR 1.1.168.192.in-addr.arpa
Can't find the SYN packets. Have I missed anything? Or a whole lot?
Did nmap say the port was open? Try adding -P0 instead of -PS. I had a problem of Wireshark not seeing a SYN scan of my network, and it turns out nmap was doing an ARP scan before bothering to do the SYN scan. Since most hosts were down and didn't get past the ARP scan, nmap never did the SYN port scan.
I think this makes a lot of sense. I ran the scan again and it seems to point to the same issue. But unfortunately a -P0 scan too seems to generate a host of DNS queries for the target, and I could not capture anything SYN-like. Also tried the -sS option, but in vain.
Also I am using quite a generic filter in Wireshark
Code:
ip.addr==192.168.1.1 || ip.addr==192.168.1.102
where 192.168.1.102 is the source and 192.168.1.1 the target.
Anyway, I will keep trying. Thanks for your quick response and suggestions.
I just tested capturing only TCP SYN packets (from a nmap scan) with tcpdump and it works fine.
Can you post the nmap command, so I can make sure I am using the correct options?
Quote:
Originally Posted by anomie
edit: Alternatively (and probably more clearly), that can be written as:
# tcpdump 'tcp[tcpflags] == tcp-syn'
If you're able to capture the packets with tcpdump, then you know you just need to continue to tweak wireshark until you get it right.
I tried this too. But to no avail.
Let me also tell you about my setup. Maybe I have missed something. I have a wireless router and a host. I am trying to write a program to find out if a host is alive (I know I am reinventing the wheel and should use nmap, but I wanted to learn more about packet-level details). So I decided to use the TCP SYN approach of nmap: send a SYN and, depending on the response, I know if the machine is up. So for now I am just trying it on my router to see the kind of packet nmap sends for a SYN.
The tcp port specified is totally arbitrary. It doesn't matter if it's open or filtered, either (tcpdump should capture the TCP SYN packet regardless).
ICMP echo requests are a good way to tell if a host is up, too. (Just don't filter that out.)
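To make the tcpdump filter above concrete, here is an added Python example (not code from this thread, nmap or tcpdump; the helper names are my own) that builds a packet shaped like the first SENT line of the nmap trace and applies the same test that tcpdump's 'tcp[tcpflags] == tcp-syn' performs on the TCP flags byte. It also shows why that exact-match filter does not catch the SYN/ACK an open port replies with, and why the ARP and DNS traffic in the capture never matches it.

```python
import struct
from socket import inet_aton

# Bit values of the TCP flags byte, as tcpdump's filter names them (tcp-syn, tcp-ack).
TCP_SYN = 0x02
TCP_ACK = 0x10

def checksum(data):
    """RFC 1071 one's-complement checksum, used here for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_syn(src, dst, sport, dport, seq, ttl, ip_id, win, flags=TCP_SYN, mss=1460):
    """Build an IPv4+TCP packet with a single MSS option: 20 + 24 = 44 bytes,
    the iplen=44 that nmap's --packet-trace reports for its SYN probes."""
    options = struct.pack("!BBH", 2, 4, mss)                   # kind 2 = MSS, length 4
    data_offset = (5 + len(options) // 4) << 4                 # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      data_offset, flags, win, 0, 0) + options  # TCP checksum left 0 (not checked here)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0,
                     ttl, 6, 0, inet_aton(src), inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]   # fill in the IPv4 header checksum
    return ip + tcp

def tcp_flags(packet):
    """Return the TCP flags byte (tcpdump's tcp[tcpflags]), or None if this is not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 14:               # protocol 6 = TCP; flags sit at TCP offset 13
        return None
    return packet[ihl + 13]

def is_pure_syn(packet):
    """Equivalent of 'tcp[tcpflags] == tcp-syn': SYN set and nothing else."""
    return tcp_flags(packet) == TCP_SYN

def has_syn(packet):
    """Equivalent of 'tcp[tcpflags] & tcp-syn != 0': also matches the SYN/ACK an open port sends back."""
    flags = tcp_flags(packet)
    return flags is not None and flags & TCP_SYN != 0

if __name__ == "__main__":
    # Constructed probe mirroring the first SENT line of the nmap trace in this thread.
    probe = build_syn("192.168.1.102", "192.168.1.1", 63810, 80, 1773369909, 47, 24392, 4096)
    print(len(probe), is_pure_syn(probe))   # 44 True
```

If you want both the probe and the reply in one capture, use the '&' form rather than '==', which is the difference between the two helper functions above.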