Router's responses to port scans

Recently I was trying to figure out what the various port states reported by Nmap really mean. This is what's actually going on:

  • If a packet is intercepted by a router's access-list, the router sends back an ICMP administratively prohibited packet. This is reported as filtered port by Nmap (and probably as stealth port by some other scanners).
  • If you do a TCP SYN scan of a router and the scanned port is not active, the router sends back TCP RST packet. This is reported as closed port.
  • If you perform a UDP scan of a router, the router sends back ICMP port unreachable message if the UDP application is not active. This is reported by Nmap as filtered port (even though in most cases it should be equivalent to closed TCP port).
  • In some cases, the router simply doesn't reply to UDP scans (for example, if you scan the discard service). This is reported as Open¦Filtered (as the scanner cannot reliably determine whether the probe was dropped due to a filter or simply not replied to).

Note: In any case, UDP scans are way more unreliable than TCP scans due to connectionless nature of UDP.

Below you'll find the debugging outputs for the most common conditions:

Successful TCP scan

Debugged with debug ip tcp packet
tcp0: I LISTEN seq 2116160324
tcp0: O SYNRCVD seq 3992162774
OPTS 4 ACK 2116160325 SYN WIN 4128
tcp0: I SYNRCVD seq 2116160325

TCP scan of a closed port

Debugged with debug ip tcp packet
tcp0: I LISTEN seq 1431055709
TCP: sent RST to from

TCP scan blocked by an access-list

Debugged with debug ip icmp
ICMP: dst ( administratively prohibited unreachable sent to

UDP scan of an unreachable port

Debugged with debug ip udp and debug ip icmp
UDP: rcvd src=, dst=, length=8
ICMP: dst ( port unreachable sent to

1 comment:

  1. Nmap has also a very useful command line option, which helps to understand, which packets the tool has sent/received. It's called --packet-trace. It shows you which packets, nmap is sending and which ones it has received, simmilar to the debug output.


    nmap -sS -n -P0 -p 80 --packet-trace

    Starting Nmap 4.20 ( ) at 2007-06-13 12:42 Westeuropõische S
    SENT (0.5000s) TCP > S ttl=53 id=21245 iplen=44 seq=1230587665 win=2048 mss 1460
    RCVD (0.5160s) TCP > SA ttl=247 id=41420 iplen=44 seq=2583668031 win=4182 ack=1230587666 mss 1394
    Interesting ports on
    80/tcp open http

    Nmap finished: 1 IP address (1 host up) scanned in 0.563 seconds

    best regards,



You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.