web analytics

Understanding Nmap Packet Trace

Hello, everyone. Today we’ll see how to capture network packets using nmap. And we’ll use Wireshark to compare its results with nmap. In this article, we mainly focus on what types of network traffic are captured by nmap while we use various nmap ping scans.

A ping scan in Nmap is done to check if the target host is alive or not. As we know, ping by default sends the ICMP echo request and gets an ICMP echo reply if the system is alive. Ping scan by default sends an ARP packet and gets a response to check if the host is up.

NOTE: Nmap scans change their behavior according to the network they are scanning.

  • Scanning local network with nmap where nmap sends an ARP packet with every scan.
  • If an external network is to be scanned; nmap sends the following request packets:

– ICMP echo request
– ICMP timestamp request
– TCP SYN to port 443
– TCP ACK to port 80

Technique involves packet-tracing via nmap.
The nmap module is an interface with nmap’s internal functions and data structures. The API offers target host information such as port states and version detection results. It also provides an interface to the Nsock library for effective network I/O.
Nsock is a parallel sockets library used by NSE, service detection (service_scan.cc) and DNS
(nmap_dns.cc). It acts as an abstraction layer above socket operations and is optimised for handling
multiple sockets. “mspool” is defined in “nsock_internal.h” and contains, among other things, a struct event_lists, which is a structure that keeps information on all pending events.
Event creation
Events are represented with the msevent struct (nsock_internal.h) which contains (among other things).

  • The callback handler -> nsock_ev_handler (nsock_pool, nsock_event, void *)
  • A pointer to a msiod struct -> msiod *iod, which holds all the I/O descriptor (IOD) related
  • information.
  • Struct filespace iobuf (a buffer usually 1024 bytes which holds the write/read bytes)
  • The nse_type (nsock.h)
  • The nse_status (nsock.h)
  • A unique id -> nsock_event_id (EID)

Events are created with the the following special functions :


  • nsock_connect_tcp
  • nsock_connect_udp
  • nsock_connect_ssl


  • nsock_readlines
  • nsock_readbytes
  • nsock_read


  • nsock_write
  • nsock_printf


  • nsock_timer_create

advisor pick´S post

More Latest Published Posts