[Wylug-help] Strange UDP port activity

Jason Lander jason at env.leeds.ac.uk
Wed Feb 2 22:45:22 GMT 2005


Ciaran.

> next, I tried killing off the rpc services (portmap, famd), and running
> nmap again;
>
> PORT      STATE         SERVICE    VERSION
> 68/udp    open|filtered dhcpclient
> 54147/udp open          unknown
>
> Needless to say I have no idea what's going on, and have unplugged the
> machine from the network.  Any further insights you might be able to
> provide would be greatly appreciated.  This is very much a learning
> experience for me, but mostly I hate mysteries.

This is an artifact of the way nmap works for UDP.

UDP is stateless. It is also not usual to send a UDP packet without
getting anything back.  This is how a network syslog server receives
information.

Nmap's UDP detection code sends UDP packets to every port. By the look of
it, all these use the same UDP source port. For those ports where nothing
is listening, it should receive an ICMP port-unreachable message in
return.

If there is no port-unreachable message and no response, it assumes the
port is filtered and/or open.

It is also confused by UDP packets sent from the machine to itself, as
there will be one UDP packet that has the same source and destination port.
It marks this port as open.

- Jason
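
The three outcomes described in the message above can be reproduced on loopback. This is an added example, not part of the original post and not nmap's code: it uses ordinary connected UDP sockets instead of nmap's raw packets, and the names `probe`, `free_udp_port` and `demo` are made up for the illustration.

```python
import socket

HOST = "127.0.0.1"  # loopback only: scanner and target are the same machine


def free_udp_port(avoid=()):
    """Ask the kernel for a UDP port that is unused right now."""
    while True:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind((HOST, 0))
            port = s.getsockname()[1]
        if port not in avoid:
            return port


def probe(src_port, dst_port, timeout=0.5):
    """Send one UDP probe from a fixed source port and classify dst_port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((HOST, src_port))
        s.settimeout(timeout)
        # A connected UDP socket lets the kernel report ICMP port-unreachable
        # as ConnectionRefusedError (assumes Linux-like behaviour).
        s.connect((HOST, dst_port))
        try:
            s.send(b"probe")
            s.recv(1024)
            return "open"            # some datagram came back
        except ConnectionRefusedError:
            return "closed"          # ICMP port-unreachable was received
        except socket.timeout:
            return "open|filtered"   # silence: cannot tell which


def demo():
    """Probe a closed port, a silent listener and the scanner's own port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((HOST, 0))     # listens but never replies, like syslog
        silent = listener.getsockname()[1]
        src = free_udp_port()
        closed = free_udp_port(avoid=(src,))
        return {
            "closed": probe(src, closed),
            "silent": probe(src, silent),
            # The probe aimed at the scanner's own source port is delivered
            # straight back to the scanner, so it looks like a reply.
            "source": probe(src, src),
        }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:7s} {state}")
```

The `silent` and `source` results correspond to the `68/udp open|filtered` and `54147/udp open` lines in the quoted scan output.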




