LinuxQuestions.org


gsmith411 12-07-2009 08:22 AM

How does nmap determine a port is tcpwrapped?
 
I am scanning a system and nmap reports about 3/4 of the ports are tcpwrapped. Does anyone know how nmap determines this? Receiving no response to a SYN packet should indicate a firewall probably blocking, thus giving a "Filtered" response. Receiving a RST packet back should indicate a closed port, so what indicates a tcpwrapped port?

estabroo 12-07-2009 08:34 AM

A tcpwrapped port will go through the full handshake before closing, since the wrapper happens after a connect, whereas a closed port gets an immediate reset from the kernel.

anomie 12-07-2009 01:06 PM

@gsmith: the previous poster's explanation sounds reasonable.

I would also recommend that you observe the packets yourself with tcpdump(8) while performing a scan. Look at the packets for an open port and then compare those with the packets for a "tcpwrapped" port.
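The distinction discussed in this thread, as an added example that is not part of any poster's reply and is not nmap's own code: a client-side check that separates "closed" (reset in answer to the SYN), "filtered" (no answer) and "tcpwrapped" (handshake completes, then the peer closes without sending data). The function names and the loopback listeners are constructed for the demonstration, and the classification is a simplified approximation of the behaviour described above.

```python
import socket
import threading

def classify_port(host, port, timeout=2.0):
    """Classify a TCP port from the client side of a full connect()."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"          # kernel answered the SYN with RST
    except (socket.timeout, TimeoutError):
        return "filtered"        # nothing came back for the SYN
    with sock:                   # three-way handshake has completed here
        try:
            data = sock.recv(64)
        except (socket.timeout, TimeoutError):
            return "open"        # peer keeps the connection and waits for us
        except ConnectionResetError:
            return "tcpwrapped"  # accepted, then torn down with RST
        # b"" means the peer sent FIN before sending a single byte
        return "open" if data else "tcpwrapped"

def serve_once(behaviour):
    """Constructed loopback listener: 'wrap' closes at once, 'banner' greets."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the kernel pick a free port
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(b"220 demo ready\r\n")  # constructed banner
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():
    """Bind and release a port so nothing is listening on it afterwards."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo():
    """Run the classifier against the three constructed loopback cases."""
    host = "127.0.0.1"
    return {"wrapped": classify_port(host, serve_once("wrap")),
            "banner": classify_port(host, serve_once("banner")),
            "closed": classify_port(host, unused_port())}

if __name__ == "__main__":
    print(demo())
```

Running tcpdump(8) on the loopback interface while this executes shows the SYN, SYN/ACK, ACK followed by FIN for the "wrapped" case and a lone RST for the "closed" case.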

