0

Does nmap mtu scan really send crafted mtu size?

asked 2018-04-10 07:55:59 +0000

Sabrina

updated 2018-04-10 07:57:32 +0000

I've been reading about nmap techniques here as part of my network security syllabus ...

I've performed 2 scans ... one to port 1337 which is closed while the other port 4444 is open.

When I try nmap mtu scan and capture the packet with Wireshark, I don't see the mtu size (32) that I set in nmap.

[email protected]:~$ sudo nmap --mtu 32 192.168.10.12 -p 1337

Nmap scan report for 192.168.10.12
Host is up (0.0023s latency).
PORT     STATE  SERVICE
1337/tcp closed waste
MAC Address: AA:AA:AA:AA:AA:12 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds
[email protected]:~$

The only value that I see is Total Length: 44

  1. Any idea why I did not see mtu size 32 in Wireshark?

  2. Is this the right place to check mtu size in Wireshark (IPv4 > Total Length)?


1 Answer

1

answered 2018-04-10 08:14:40 +0000

Jasper

The MTU is not a value you can see in a packet - if you want to tell which MTU existed on client or server side you can check if there is an MSS value option in the TCP header (maximum segment size, meaning, maximum TCP payload). Add 40 (20 for TCP header bytes, 20 for IP header bytes) and you have the MTU value. You can see in your SYN packet that the MSS is 1460, so the MTU is 1500.

My guess is that nmap ignores your MTU value because it's invalid. MTUs must be 68 bytes or larger (usually 576 is the minimum you can set on an IPv4 interface, and 1280 for IPv6). 32 is so small, you can't even build a valid Ethernet packet with it (minimum size 64 bytes).


Comments

Thanks @Jasper. I've been looking at my SYN packet and did not see the MSS value (1460) ... May I know where you saw it?

Also, I've been generating another packet whereby MTU size is set to 576, however I still don't see it anywhere on Wireshark.

Sabrina ( 2018-04-10 15:08:25 +0000 )
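
Where the MSS option sits in a SYN and how the answer's "add 40" rule is applied, as an added example that is not part of the original thread. The packet bytes are constructed (made-up source address and port, zeroed checksums) and `parse_syn` is a hypothetical helper name; note that Total Length 44 here is just this packet's own size (20 IP + 20 TCP + 4 bytes of MSS option).

```python
import struct

# Constructed 44-byte IPv4/TCP SYN to 192.168.10.12:1337 carrying one option:
# MSS = 1460. Source address/port are made up and checksums are zeroed.
SAMPLE_SYN = bytes.fromhex(
    "4500002c" "00010000" "40060000" "c0a80a05" "c0a80a0c"  # IPv4 header
    "d4310539" "00000001" "00000000" "60020400" "00000000"  # TCP header, SYN
    "020405b4"                                              # option: kind 2, len 4, 1460
)

def parse_syn(packet: bytes) -> dict:
    """Return IP Total Length, the TCP MSS option (or None) and the implied MTU."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                    # IP header length in bytes
    total_length = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != 6:                  # protocol 6 = TCP
        raise ValueError("not a TCP packet")
    tcp = packet[ihl:total_length]                  # drops any link-layer padding
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp[12] >> 4) * 4                # TCP header length incl. options
    if data_offset < 20 or data_offset > len(tcp):
        raise ValueError("bad TCP data offset")
    options, mss, i = tcp[20:data_offset], None, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                               # End of Option List
            break
        if kind == 1:                               # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options): # malformed option, stop parsing
            break
        if kind == 2 and length == 4:               # Maximum Segment Size
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    # The answer's rule: MTU = MSS + 20 (IP header) + 20 (TCP header)
    implied_mtu = mss + 40 if mss is not None else None
    return {"total_length": total_length, "mss": mss, "implied_mtu": implied_mtu}

if __name__ == "__main__":
    print(parse_syn(SAMPLE_SYN))
```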
