Must have network-diag-tool: nmap

As an Oracle DBA, as a Unix admin, and even more as an application server or web server administrator, you regularly need to check connectivity between hosts. There are a zillion ways to do so. Some of them do not tell you everything, or do not tell you what you think they tell you.

Nonsense! I got ping!
True in some way, but mostly false. ping uses ICMP (echo request and echo reply), not TCP, and TCP is what SQL*Net, HTTP and HTTPS use, to name a few. So ping tests ICMP connectivity, with a different protocol than the one you actually want to use. If ping gets a reply, you know two things:
– The host you’ve pinged is reachable, at least for ICMP.
– The host you’ve pinged accepts and answers ICMP echo requests.
It tells you nothing about whether TCP port 1521 or 443 on that host is reachable. The reverse also holds: a host that is perfectly reachable on those ports may not answer ping at all, because many firewalls and hosts simply drop ICMP. So, in my opinion, ping tells me little.

The advanced way is using telnet!
Telnet *is* a way to do some advanced stuff: it lets you talk directly to ports that speak unencrypted, text-based protocols, like SMTP, HTTP and NNTP. It is a poor tool for the question you usually have, though: can I reach this port, and what is its state? A successful connect to an open port, a ‘Connection refused’ on a closed port and a long hang on a firewalled port do look different, but you have to interpret the error text and sit out the timeout yourself, one port at a time. Most of the time, the state of the port is exactly what you want to know (at least, in my experience).

Alright, so what does nmap do, then?
Nmap tells you the state of a port on a remote system, and that state is the first step in diagnosing connectivity and connectivity problems. For a TCP port probe, nmap reports one of three states:
1. Filtered: nmap sent its probe and got nothing back (or got an ICMP unreachable error). This is what you see when a firewall drops the packets, or when the host does not exist at all; in both cases no TCP packet returns. Because nmap retransmits and waits before giving up, filtered ports are also the slow ones.
2. Closed: the host is reachable and answered the probe with a TCP RST, which means there is no process listening, so you cannot communicate. Yes, this means that even when there’s no process listening, packets are sent back and forth (!!)
3. Open: the host is reachable and answered the probe with SYN/ACK: a process is listening on the port.
Nmap knows a few more states (open|filtered, unfiltered) for other scan types, but for the plain TCP probes in this post these three are what you will see.
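The three states are not nmap magic; they are how TCP itself answers. The following Python script is an added example (not code from the original post, and not part of nmap) that reproduces the classification with an ordinary TCP connect, which is what nmap does as a non-root user. It demonstrates open and closed on the loopback interface, so it runs without any network; the function names tcp_port_state and demo_local_states, and the 3 second timeout, are my own choices.

```python
import errno
import socket

# The three states nmap reports for a TCP port, reproduced with an ordinary
# TCP connect (what nmap does as a non-root user, its -sT scan). As root nmap
# uses a half-open SYN scan instead, but the classification is the same.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def tcp_port_state(host, port, timeout=3.0):
    """Return "open", "closed" or "filtered" for host:port.

    open     -> SYN/ACK came back and the handshake completed; a process listens.
    closed   -> the host answered with RST (ECONNREFUSED); reachable, nobody listens.
    filtered -> nothing came back within the timeout, or an ICMP unreachable
                arrived; a firewall dropped the probe, or the host is not there.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        # RST from the host. Caveat: a firewall that *rejects* with
        # ICMP port-unreachable (iptables REJECT) also ends up here, so
        # "closed" can still mean "a firewall answered for the host".
        return CLOSED
    except socket.timeout:
        return FILTERED
    except OSError as exc:
        # ICMP host/net unreachable (including admin-prohibited on Linux)
        # is reported through these errnos; nmap calls that filtered too.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return FILTERED
        raise


def demo_local_states():
    """Show open vs closed on the loopback interface without any network.

    A listening socket on an ephemeral port is "open"; once it is closed the
    kernel answers new SYNs on that port with RST, so it becomes "closed".
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the kernel pick a free one
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_open = tcp_port_state("127.0.0.1", port)
    finally:
        listener.close()
    after_close = tcp_port_state("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python3 port_state.py host port
        print(f"{sys.argv[2]}/tcp {tcp_port_state(sys.argv[1], int(sys.argv[2]))}")
    else:
        print("loopback demo (open, closed):", demo_local_states())
```

Run it with a host and port to probe one port the way nmap does, or without arguments for the loopback demonstration. The filtered case cannot be shown offline: point it at a firewalled port and you get the same 3 second wait nmap goes through before it reports filtered.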

A port probe is done like this:
nmap -PN -p portnumber hostname_or_ip_address

For example:
vxlt090101:~ fritshoogland$ nmap -PN -p 80 www.google.nl

Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2010-01-30 10:20 CET
Warning: Hostname www.google.nl resolves to 6 IPs. Using 209.85.227.104.
Interesting ports on wy-in-f104.1e100.net (209.85.227.104):
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

There are several things to see here; the options I used:

-PN: skip host discovery (newer nmap versions spell it -Pn; both are accepted). By default nmap first checks whether the host is up at all, with an ICMP echo request and, as root, a couple of TCP probes to ports 80 and 443, and only scans hosts that answered. A host behind a firewall that drops ICMP would then be reported as down and never get its port probed, which is exactly the wrong answer for a connectivity test, so for this purpose always skip discovery.
-p 80: scan port 80; I want to know the state of port 80 on www.google.nl.

The answer:

– ‘Warning: Hostname www.google.nl resolves to 6 IPs.’: Google spreads the load over several servers by giving the DNS name ‘www.google.nl’ multiple A records (DNS round robin).
– ‘Using 209.85.227.104.’: nmap picked 209.85.227.104 out of the list of IP addresses. Note that a repeated scan may land on another address, so for a troubleshooting session it is better to scan the IP address directly.
– ‘Interesting ports on wy-in-f104.1e100.net (209.85.227.104)’: the reverse lookup of 209.85.227.104 is ‘wy-in-f104.1e100.net’ (remember we started with ‘www.google.nl’? You can do the reverse lookup yourself with ‘dig -x 209.85.227.104’).
– ‘80/tcp open http’: port 80 is reachable and a process answers on it.

So we now know for a fact that we can reach www.google.nl on port 80 from the machine on which we ran nmap. Only from that machine: the path, and therefore the firewall rules, from another host may be different.

Redo the same with a port which is not open, for example port 81:
vxlt090101:~ fritshoogland$ nmap -PN -p 81 www.google.nl

Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2010-01-30 16:41 CET
Warning: Hostname www.google.nl resolves to 6 IPs. Using 209.85.227.147.
Interesting ports on wy-in-f147.1e100.net (209.85.227.147):
PORT   STATE    SERVICE
81/tcp filtered hosts2-ns

Nmap done: 1 IP address (1 host up) scanned in 2.11 seconds

This tells us that port 81 does not answer at all: nmap’s probes were dropped, either by a firewall or because there is no host at that address. In this case Google’s web servers are obviously there, so a firewall (or rather, the absence of a rule allowing port 81) is dropping the packets. Also note that the scan took 2.11 seconds instead of 0.15: nmap retransmitted and waited for its timeout before calling the port filtered. This is what it looks like while you are waiting for a firewall administrator to open a port.

Another thing you can do with nmap is scan for open ports, instead of specifying one or more:
vxlt090101:~ fritshoogland$ nmap -PN www.google.nl

Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2010-01-30 16:45 CET
Warning: Hostname www.google.nl resolves to 6 IPs. Using 209.85.227.147.
Interesting ports on wy-in-f147.1e100.net (209.85.227.147):
Not shown: 997 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed auth
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 4.72 seconds

That’s more or less what I would expect, except for port 113. Without -p, nmap scans its default list of the 1000 most common TCP ports, not all 65535 (use -p- for that), which is why 997 not shown plus 3 listed adds up to 1000. If you look carefully, you’ll see that all ports not listed are filtered (firewalled, nothing comes back), two ports are open (not firewalled, and a process is listening), and one port is closed (not firewalled, but no process is listening). Port 113 (ident) being closed rather than filtered is a choice you see quite often: some mail and IRC servers query ident on the connecting host, and a quick RST lets them carry on instead of hanging until their ident lookup times out.

Let’s take an additional step: what kind of web server does Google use? The ‘-sV’ switch turns on service/version detection: nmap talks to each open port and matches the response against its database of service fingerprints:
vxlt090101:~ fritshoogland$ nmap -PN -sV -p 80 www.google.nl

Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2010-01-30 16:56 CET
Warning: Hostname www.google.nl resolves to 6 IPs. Using 209.85.229.106.
Interesting ports on ww-in-f106.1e100.net (209.85.229.106):
PORT   STATE SERVICE VERSION
80/tcp open  http    Google httpd 2.0 (GFE)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.31 seconds

Google uses a web server that advertises itself as ‘Google httpd 2.0 (GFE)’. Another noteworthy line is ‘Service Info: OS: Linux’. This is not the result of OS fingerprinting of the TCP/IP stack (that is the separate -O option, which needs root); it is the operating system that nmap’s service fingerprint database records for this particular server banner. Treat it as a hint, not as a measurement.

Let’s investigate a server with Oracle on it:
vxlt090101:~ fritshoogland$ nmap -p 1521 -sV -n 192.168.0.1

Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2010-02-01 11:24 CET
Interesting ports on 192.168.0.1:
PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS Listener 10.2.0.4.0 (for 64-bit Windows)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.16 seconds

I used the service/version detection switch (-sV) again, plus ‘-n’, which tells nmap not to do any DNS lookups (handy when DNS is slow or broken, which is itself a frequent cause of ‘connectivity’ problems). I can see that it is the Oracle listener that is listening on port 1521, but also its exact version and the operating system it was built for. Keep in mind that anyone who can reach port 1521 gets the same answer: the listener hands out its version to every client that connects, and a precise version string is the first thing an attacker uses to pick the applicable bugs. That is a good argument for keeping listeners patched and for letting only the hosts that need them reach port 1521.

The message of this post is to show how nmap determines connectivity to specific ports in a reliable way, and how you can diagnose a little further yourself, so that you can give system and network administrators something concrete to work with. Nmap is capable of much, much more (read the man page!). One caveat: a port scan looks exactly the same to an intrusion detection system whether a DBA or an attacker runs it, so scan systems you are responsible for or have permission to test, and tell the network people when you do.

Nmap is available for all modern operating systems. The main Linux distributions (Red Hat, Oracle, Debian, Ubuntu) have it in their software repositories, although it is not installed by default; for other popular operating systems you can download it from nmap’s homepage, http://nmap.org/. There even is a Windows version (!).

This post was edited at 10:28 on 2 February 2010 (GMT+2): a program acting as a proxy made the port scan of www.google.nl show more open ports than it should have.
