Capture network hops with nmap?

Discussion in 'Linux Networking' started by bubba, Jan 4, 2006.

  1. bubba

    bubba Guest

    Hey - quick question. After searching throught the internet and news
    groups, I could not locate an answer to my networking problem. Let me
    quickly explain:

    We have two independent networks that should not be able to communicate
    with hosts on the other subnet. However, I noticed today that this is
    indeed not the case anymore and I am trying to locate some sort of
    "network bridge" or source that is causing this to happen.

    In using nmap, I can verify that a host on the other subnet is


    nmap -sP

    Starting nmap V. 3.00 ( )
    Host ( appears to be up.

    However, I would like to track down the inadvertant host(s)/network
    devices that is allowing this to take place. I want to see the "network
    hops" so to speak. I am somewhat knew to nmap, but it seems to not
    display the "network hops" with the various flag options. Tcpdump
    doesn't show what I am looking for either. Traceroute times out of

    Any ideas? Any help would be appreciated.
    bubba, Jan 4, 2006
    1. Advertisements

  2. bubba

    Ken K Guest

    Try traceroute with the "-I" option and see if that takes care of it.
    Ken K, Jan 4, 2006
    1. Advertisements

  3. bubba

    Moe Trin Guest

    On 4 Jan 2006, in the Usenet newsgroup, in article
    Use tcpdump -en, and determine the source MAC address. If you then don't know
    what host is using what MAC address, sniff more, and notice the _other_
    traffic that is using that MAC address. (On Ethernet, packets are moved
    about using MAC [Media Access Control] or "hardware" addresses, not the
    IP address. In a 'tcpdump -e' output, the source hardware address is the
    second field, the destination is the third field. The same line lists the
    IP address of the _ultimate_ source and destination [which may not be the
    same as the "local" destination on this piece of wire] as the sixth and
    seventh fields.)
    Before running that, start tcpdump.
    Yes, that's not it's job.
    Maybe you don't know what you are looking for. The box you are using nmap
    _from_ has to know how to send packets "there". So, a first glance would be
    at the routing tables (/sbin/route -n). A second glance would be looking
    at the packets going out and coming back (tcpdump -en). What MAC address are
    they talking to? Pay attention to the ARP cache (/sbin/arp -a) as well.
    Depending on your distribution, the standard LBL 'traceroute' (not the
    re-written version by Olaf Kirch for Caldera, used by SuSE) has a -I
    option to use 'ping' rather than the default UDP. nmap seems to be able
    to ping the host. If you are not getting hop data, the intermediate steps
    may be dropping ICMP Type 11. If not seeing the normal end of a UDP trace,
    ICMP type 3 is being blocked somewhere. UDP may also be being blocked

    Knowing more about the layout (addresses and netmasks) would help. _DO_
    be careful about how you're munging addresses - 192.16.0.x has not been
    assigned by IANA to any RIR.

    Old guy
    Moe Trin, Jan 4, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.