From my man page:
-sT (TCP connect scan)
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw
packet privileges or is scanning IPv6 networks. Instead of writing raw packets as most other scan types do, Nmap asks the
underlying operating system to establish a connection with the target machine and port by issuing the connect() system call.
This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to
establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet
responses off the wire, Nmap uses this API to obtain status information on each connection attempt.
When SYN scan is available, it is usually a better choice. Nmap has less control over the high level connect() call than with
raw packets, making it less efficient. The system call completes connections to open target ports rather than performing the
half-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information,
but target machines are more likely to log the connection. A decent IDS will catch either, but most machines have no such
alarm system. Many services on your average UNIX system will add a note to syslog, and sometimes a cryptic error message,
when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens,
though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should
know that she has been connect scanned.
-sR (RPC scan)
This method works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and
floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program
and version number they serve up. Thus you can effectively obtain the same info as rpcinfo -p even if the target's portmapper
is behind a firewall (or protected by TCP wrappers). Decoys do not currently work with RPC scan. This is automatically
enabled as part of version scan (-sV) if you request that. As version detection includes this and is much more comprehensive,
-sR is rarely needed.
A good technique when viewing man pages is to use vi editing constructs to search for options. For example, /-sR will search for instances of "-sR" in the man page, just like searching for text in the document. I have to confess, I cheated on producing that command. There's a graphical program called nmapfe that makes selecting options a snap. The same options can be used at the command line. I often do this because I'm logged in as a regular user and I can't do what I need to except as root. So I just use the commands produced by nmapfe in a console window where I'm logged in as root.
By the way, Debian/Ubuntu might use info pages for some of this. I really don't know. That might be why you can't find man pages on nmap.
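As an added example (not part of the original post or of Nmap itself), here is a small Python detector for the footprint the man page attributes to connect scans: one source completing connections to many ports and closing each without sending data. The log line format, the hostnames and the addresses are constructed for the example; real daemons phrase these syslog notes differently, so the regex would need adjusting for your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style lines (not real Nmap or OS output): each records a
# TCP connection that was accepted and then closed by the peer with no data,
# which is exactly what a connect() scan (-sT) leaves behind on the target.
SAMPLE_LOG = """\
Mar 03 10:15:01 host svc[201]: connection from 192.0.2.10 to port 22 closed without data
Mar 03 10:15:01 host svc[201]: connection from 192.0.2.10 to port 25 closed without data
Mar 03 10:15:02 host svc[201]: connection from 192.0.2.10 to port 80 closed without data
Mar 03 10:15:02 host svc[201]: connection from 192.0.2.10 to port 111 closed without data
Mar 03 10:15:03 host svc[201]: connection from 192.0.2.10 to port 443 closed without data
Mar 03 10:15:03 host svc[201]: connection from 192.0.2.10 to port 3306 closed without data
Mar 03 10:15:40 host svc[201]: connection from 198.51.100.7 to port 22 closed without data
Mar 03 10:20:10 host svc[201]: connection from 198.51.100.7 to port 22 closed without data
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \S+: connection from "
    r"(?P<src>[\d.]+) to port (?P<port>\d+) closed without data$"
)


def parse_events(text):
    """Yield (timestamp, source_ip, dest_port) for every matching log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("src"), int(m.group("port"))


def find_connect_scanners(text, min_ports=5, window_seconds=60):
    """Return {source_ip: sorted distinct ports} for every source that touched
    at least min_ports distinct ports within some window_seconds span."""
    by_src = defaultdict(list)
    for ts, src, port in parse_events(text):
        by_src[src].append((ts, port))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged
```

A single host hitting one port twice minutes apart (198.51.100.7 above) is not flagged; only the many-ports-in-seconds pattern is.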