Gabriel M. Beddingfield wrote:
> I've been running nmap scans on a couple of my debian systems, and I'm
> finding that one unprivileged UDP port is always showing open, but the port
> changes with every scan. Anybody know what's going on? Here's a few tests
> (edited for brevity):
>
> debian:~# nmap -sU -p 40000-65535 192.168.1.100
> PORT STATE SERVICE
> 52979/udp open unknown
> debian:~# nmap -sU -p 40000-65535 192.168.1.100
> All 25536 scanned ports on 192.168.1.100 are: closed
> debian:~# nmap -sU -p 40000-65535 192.168.1.100
> PORT STATE SERVICE
> 41252/udp open unknown

UDP works differently than TCP. It is a stateless protocol that does not
need to confirm in any way that a package has been received. A UDP port
can be considered open as long as a package sent to it does not result in
an icmp-port-unreachable answer. So nmap can assume that the tested port
is open and that some program at the other side received the test package,
unless it gets an icmp-port-unreachable answer. And sometimes packages
just get lost on their way, so it is quite possible that one of the 25k
answer packages will not find its way to the scanning host. That is no
cause for alarm.

> lsof doesn't show any such port open. The -sV switch doesn't give any extra
> info for these high ports.

"netstat -lup" will show you all processes that listen on a UDP socket.

Regards,
Dennis
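
The rule described in the reply above, as an added example that is not part of the original thread: a minimal UDP probe run against loopback, where the function names and the test setup are constructed for illustration. Silence is reported as "open|filtered", the label current nmap uses for an unanswered UDP probe; a lost ICMP reply from a closed port produces exactly the same result.

```python
import socket


def probe_udp(host, port, timeout=0.5, tries=2):
    """Classify one UDP port from what comes back after a probe.

    "closed"        -> an ICMP port-unreachable was received
    "open"          -> the service answered with a datagram
    "open|filtered" -> silence: a listener ignored us, or the reply was lost
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on UDP sends nothing; it lets the kernel report ICMP
        # errors for this peer back to us as ConnectionRefusedError.
        s.connect((host, port))
        for _ in range(tries):
            try:
                s.send(b"\x00")
                s.recv(1024)
                return "open"
            except ConnectionRefusedError:
                return "closed"
            except socket.timeout:
                continue  # no answer and no ICMP error: retry, then give up
    return "open|filtered"


def demo():
    # Constructed setup: a loopback listener that never replies.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    silent = probe_udp("127.0.0.1", port)   # bound, but says nothing
    listener.close()
    unbound = probe_udp("127.0.0.1", port)  # nothing bound: ICMP comes back
    return silent, unbound


if __name__ == "__main__":
    print(demo())
```

The probe cannot tell a silent listener from a dropped ICMP reply, which is why checking the host itself with "netstat -lup" settles the question.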