CODEWITHSUNDEEP
wiresharkpacketpacket-sniffersnmap
bones
bones

Reputation: 33

Why am I not seeing the nmap scan results in the Wireshark log?

I used the command nmap -sT localhost to scan the ports on my computer and used Wireshark to view the log file of the packets exchanged between my computer and other network devices during the time that the scan was running. However, I'm not seeing any information related to the nmap scan in the Wireshark log.

For example:
The nmap scan showed that port 993 on localhost was open, but the log file does not show any interaction with port 993 on my machine.

Can someone please explain why this is?
Also, I'm new to using nmap and Wireshark, so if there's any info that you think will help me better understand the port scanning process, please share.

Upvotes: 0

Views: 1632

Answers (2)

theodoreh
theodoreh

Reputation: 58

The nmap scan showed that port 993 on localhost was open, but the log file does >not show any interaction with port 993 on my machine.

Can someone please explain why this is?

My guess is that this has to do with the interface on which you're monitoring. In Wireshark-->Options you can select a capture interface.

  • If you're scanning localhost and only want to see local traffic (such as the results of your nmap localhost port scan) then you should select the loopback interface in Wireshark.
  • If you only want to see external traffic, you can select another Ethernet interface. (This is probably what's currently selected.)
  • If you want to see both local and external traffic (which I think is what you're asking for), you can select any for the choice of interface in Wireshark.

Also, I'm new to using nmap and Wireshark, so if there's any info that you think >will help me better understand the port scanning process, please share.

The method of port scanning you are using (-sT) is called a TCP Connect Scan. Here's nmap's write-up of it: https://nmap.org/book/scan-methods-connect-scan.html

Upvotes: 1

PythonicOreo
PythonicOreo

Reputation: 440

It seems as if you are trying to find only ACK segments. Maybe try a filter in Wireshark such as tcp.flags.ack==1. Or, you could be broader and not just do -sT. -sT is very specific, and may not get picked up. -sS is practically the same thing; its SYN. But it seems as if you want to just find ports open. You could try nmap -A localhost which is much better. But if you only want ACK, filtering in Wireshark would be the way to go it seems to me. You could also try tcp.flags.ack==1 && tcp.flags.syn==0 to not get SYN packets too, only ACK. I hope this helps you.

Upvotes: 1

Related Questions