
NMAP giving inconsistent results

crazychicken

Platinum Member
Just for fun I was playing with NMAP. I have a webserver running on port 8080, so I thought I should be able to see it with nmap. If I scan ports 7000-9000, it shows it as "open". However, if I scan ports 1-9000, it doesn't show up! I've tried several smaller ranges (i.e. 8000-9000, 8070-8090) and they seem to show my 8080 as open, but with any big range (1-9000, or 1-65000) it doesn't show up!

Does this make any sense?

Thanks,

David
 
I believe nmap can sometimes open too many connections for your machine to handle. For instance, if you scan large netblocks, say >4000 IP addresses, it will choke. I haven't been able to dig up any evidence of this on a ports basis. What happens if you scan 8000-50000, and run another webserver on 40100?
 
So I scanned 8000-50000 and it still found 8080 open, so it looks like you're right, after a while it kind of "chokes". However, you were talking about >4000 IP addresses, and I am talking about only 1 IP address, just >4000 ports - same thing??

Is there a different port scanner that doesn't have this problem?

Thanks,

David
 
I guess it could be more an issue with opening so many connections at once, so it wouldn't matter if it was hosts or ports. The thing I had read about scanning >4000 IPs was specific to [ar]pinging netblocks to see if they responded, not full scans. What is the exact command you are running? Have you looked at the man page and investigated using the timing and performance parameters?
 
nmap version: 4.20
OS: fedora 7
options:
nmap -vv -A -P0 -r -p starting_port-ending_port myIP

Let me know if you need anything else.

david
 
I'm not able to reproduce this on Debian. Maybe recompile nmap. You could also check the server logs to see if nmap finds it and forgets about it, or record the traffic and check it that way.
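
Added example, not part of the thread: one way to pin down the symptom described above is to save each run with nmap's grepable output (`-oG`) and diff the open ports, flagging any port the narrow scan reported open that the wide scan covered but did not report. The sample scan lines, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import re

# Matches one "port/state/proto/" entry in the Ports: field of nmap -oG output.
PORT_ENTRY = re.compile(r"(?:^|,\s*)(\d+)/([^/,]*)/(tcp|udp)/")

# Constructed sample output (not from the thread); 192.0.2.10 is a documentation address.
NARROW_SCAN = (
    "# narrow scan, ports 7000-9000 (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: 8080/open/tcp//http-proxy///\n"
)
WIDE_SCAN = (
    "# wide scan, ports 1-9000 (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "631/closed/tcp//ipp///\n"
)


def open_ports(grepable_text):
    """Map each host to the set of (port, proto) pairs reported as open."""
    hosts = {}
    for line in grepable_text.splitlines():
        fields = line.split("\t")  # -oG separates fields with tabs
        if not fields[0].startswith("Host:"):
            continue  # comment lines and blanks
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            body = field[len("Ports:"):].strip()
            for port, state, proto in PORT_ENTRY.findall(body):
                if state == "open":
                    hosts.setdefault(host, set()).add((int(port), proto))
    return hosts


def missed_in_wide(narrow_text, wide_text, wide_first, wide_last):
    """Ports open in the narrow scan, inside the wide range, absent from the wide scan."""
    narrow, wide = open_ports(narrow_text), open_ports(wide_text)
    missed = {}
    for host, ports in narrow.items():
        gone = sorted(p for p in ports - wide.get(host, set())
                      if wide_first <= p[0] <= wide_last)
        if gone:
            missed[host] = [f"{port}/{proto}" for port, proto in gone]
    return missed


if __name__ == "__main__":
    print(missed_in_wide(NARROW_SCAN, WIDE_SCAN, 1, 9000))
```

A non-empty result means the wide scan dropped a port that a narrower scan of the same host found open, which is the point at which to compare against the server logs or a packet capture.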
 