Validation of NMAP’s Network Behavior using Wireshark
Cruz Ramírez, Daniel
NMAP is used to actively scan networks using different ping techniques. Apart from its website, there is little information available on how NMAP works; although the program states how it works, its functionality has seen little independent validation. Wireshark, a network protocol analyzer, was used to validate these features in a test system environment: ping scans and OS detection, including port scanning and version detection. Among NMAP’s weaknesses, we find that it relies on an OS database that must be updated regularly in order to detect new operating systems, and that its scans produce a large number of packets, which may cause the scan to be detected in a properly protected network environment. NMAP’s OS database can also be used to simulate operating systems for network scans, such as in a honeypot, using a program called honeyd. Any scan in a foreign network environment should be corroborated with other tools, passively if possible. Key Terms - NMAP, Ping Scan, Remote OS Detection, Wireshark.
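The abstract notes that NMAP's ping scans and port scans emit many packets, which is exactly what a defender can key on. The following added example (not part of the thesis) runs two simple heuristics over a constructed tshark-style packet summary: a source that probes many distinct ports on one host within a short window (port scan), and a source that sends ICMP echo requests to many distinct hosts in that window (ping sweep). The line format, thresholds and window length are assumptions chosen for the demonstration.

```python
"""Flag scan-like bursts in a packet summary (added example, not from the paper).

Each input line is constructed to mimic a Wireshark/tshark summary export:
    <time> <src> <dst> <proto> <info>
Port-scan heuristic: one source touches many distinct dst ports on one host
within WINDOW seconds. Ping-sweep heuristic: one source sends ICMP echo
requests to many distinct hosts within WINDOW seconds.
"""
from collections import defaultdict

WINDOW = 5.0         # seconds; window and thresholds are assumed demo values
PORT_THRESHOLD = 20
HOST_THRESHOLD = 10

# Constructed sample: a SYN burst to 25 ports, an ICMP sweep of 12 hosts,
# and one ordinary single connection from a different host.
SAMPLE = [f"{0.01*i:.2f} 10.0.0.5 10.0.0.9 TCP 4000 -> {20+i} [SYN]" for i in range(25)]
SAMPLE += [f"{1.0+0.02*i:.2f} 10.0.0.5 10.0.0.{50+i} ICMP Echo (ping) request" for i in range(12)]
SAMPLE += ["3.00 10.0.0.7 10.0.0.9 TCP 51234 -> 443 [SYN]"]

def parse(line):
    t, src, dst, proto, info = line.split(maxsplit=4)
    return float(t), src, dst, proto, info

def _distinct_in_window(events):
    """Largest number of distinct values seen in any WINDOW-second span."""
    events.sort()
    best, lo = 0, 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > WINDOW:
            lo += 1
        best = max(best, len({v for _, v in events[lo:hi + 1]}))
    return best

def detect(lines):
    """Return a sorted list of (source, kind) flags."""
    tcp = defaultdict(list)   # (src, dst) -> [(time, dst_port)]
    icmp = defaultdict(list)  # src -> [(time, dst_host)]
    for line in lines:
        t, src, dst, proto, info = parse(line)
        if proto == "TCP" and "[SYN]" in info:
            dport = int(info.split("->")[1].split()[0])
            tcp[(src, dst)].append((t, dport))
        elif proto == "ICMP" and "request" in info:
            icmp[src].append((t, dst))
    flags = set()
    for (src, dst), events in tcp.items():
        if _distinct_in_window(events) >= PORT_THRESHOLD:
            flags.add((src, "port-scan"))
    for src, events in icmp.items():
        if _distinct_in_window(events) >= HOST_THRESHOLD:
            flags.add((src, "ping-sweep"))
    return sorted(flags)
```

Real exports carry more columns and retransmissions, so in practice the parser should be fed from a tshark field export and the thresholds tuned against baseline traffic.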