CHAPTER 7: REAL-TIME INFORMATION OPTIONS
During an nmap scan, there's a lot of activity happening under the hood. These real-time information options provide the nmap user with customizable output relating to the scan and its processing. Some of these options should be used with every scan, and some of these options will never be utilized by most nmap users.
Verbose Mode (--verbose, -v)
Nmap's verbose mode provides the option of obtaining additional detail in the scan output. The verbose mode doesn't change what occurs during the scan; it only changes the amount of information that nmap displays on its output.
There are three levels of verbosity: none, level 1, and level 2. Level 1 verbosity displays nearly all verbose text, and level 2 includes TCP IPID sequencing information, version scanning service matching limits, and additional OS fingerprinting details. In most cases, level 2 verbosity can be selected for every nmap scan without creating an overwhelming amount of output.
The following nmap command lines all specify level 2 verbosity:
# nmap 192.168.0.1 --verbose --verbose
# nmap 192.168.0.1 -v -v
# nmap 192.168.0.1 -v -verbose
# nmap 192.168.0.1 -vv
When the XML output option is selected (-oX), the verbosity level is written to the XML file. The value is referenced in the "verbose level" tag:
<verbose level="1" />
A single use of the --debug option will increase the verbosity level by one. Conversely, increasing the verbosity level does not affect the debug level.
The --verbose option doesn't add a lot of text to nmap's stdout output, and it's sometimes useful to have the additional information after the nmap scan is complete. Since the verbose information isn't added to the nmap output files (i.e., -oA), the nmap stdout output should be piped to a file from the nmap command line. In most cases, the -vv option should be used unless detailed nmap statistics aren't required.
Version Trace (--version_trace)
Using the --version_trace option during a version detection scan (-sV) creates an extensive trace that details the versioning processes through every step. As nmap queries the application on the remote device, the application requests and responses are written to stdout.
This information is never included in an nmap output file (i.e., -oA). If the version trace information needs to be referenced later, the nmap stdout output should be piped to a file from the nmap command line. One simple method to do this is to use a greater-than sign to redirect the output:
# nmap -vv -sV 192.168.0.1 -oA output --version_trace > nmap_output.txt
An excerpt of the --version_trace output is shown below:
Initiating service scan against 1 service on 192.168.0.1 at 17:10
NSOCK (1.5520s) TCP connection requested to 192.168.0.1:80 (IOD #1) EID 8
NSOCK (1.5520s) nsock_loop() started (no timeout). 1 events pending
NSOCK (1.5550s) Callback: CONNECT SUCCESS for EID 8 [192.168.0.1:80]
NSOCK (1.5550s) Read request from IOD #1 [192.168.0.1:80] (timeout: 5000ms) EID 18
NSOCK (6.5540s) Callback: READ TIMEOUT for EID 18 [192.168.0.1:80]
NSOCK (6.5540s) Write request for 18 bytes to IOD #1 EID 27 [192.168.0.1:80]: GET / HTTP/1.0....
NSOCK (6.5540s) Read request from IOD #1 [192.168.0.1:80] (timeout: 5000ms) EID 34
NSOCK (6.5550s) Callback: WRITE SUCCESS for EID 27 [192.168.0.1:80]
NSOCK (6.6430s) Callback: READ SUCCESS for EID 34 [192.168.0.1:80] (123 bytes)
NSOCK (6.6430s) Read request from IOD #1 [192.168.0.1:80] (timeout: 4910ms) EID 42
NSOCK (6.6670s) Callback: READ SUCCESS for EID 42 [192.168.0.1:80] (16 bytes): 401 Unauthorized
NSOCK (6.6670s) Read request from IOD #1 [192.168.0.1:80] (timeout: 4886ms) EID 50
NSOCK (6.6690s) Callback: READ EOF for EID 50 [192.168.0.1:80]
NSOCK (6.6690s) TCP connection requested to 192.168.0.1:80 (IOD #2) EID 56
NSOCK (6.6700s) Callback: CONNECT SUCCESS for EID 56 [192.168.0.1:80]
NSOCK (6.6700s) Write request for 22 bytes to IOD #2 EID 67 [192.168.0.1:80]: OPTIONS / HTTP/1.0....
NSOCK (6.6700s) Read request from IOD #2 [192.168.0.1:80] (timeout: 5000ms) EID 74
NSOCK (6.6710s) Callback: WRITE SUCCESS for EID 67 [192.168.0.1:80]
NSOCK (6.7400s) Callback: READ EOF for EID 74 [192.168.0.1:80]
NSOCK (6.7400s) TCP connection requested to 192.168.0.1:80 (IOD #3) EID 80
NSOCK (6.7420s) Callback: CONNECT SUCCESS for EID 80 [192.168.0.1:80]
Although the version trace information shows similar information to the --packet_trace function, this version trace output does not display a packet-level view of the application conversation.
Even with --packet_trace enabled, the version detection output will never include packet-level detail in either nmap output files or stdout output.
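Because the trace is only written to stdout, a saved copy is easier to review once it is condensed per connection. The following Python sketch is an added example, not part of the original chapter or of nmap itself; it uses a subset of lines copied from the excerpt above, and the names TRACE and summarise are assumptions made for illustration.

```python
import re

# Subset of lines copied from the --version_trace excerpt above.
TRACE = """\
NSOCK (1.5520s) TCP connection requested to 192.168.0.1:80 (IOD #1) EID 8
NSOCK (1.5550s) Callback: CONNECT SUCCESS for EID 8 [192.168.0.1:80]
NSOCK (1.5550s) Read request from IOD #1 [192.168.0.1:80] (timeout: 5000ms) EID 18
NSOCK (6.5540s) Callback: READ TIMEOUT for EID 18 [192.168.0.1:80]
NSOCK (6.5540s) Write request for 18 bytes to IOD #1 EID 27 [192.168.0.1:80]: GET / HTTP/1.0....
NSOCK (6.5540s) Read request from IOD #1 [192.168.0.1:80] (timeout: 5000ms) EID 34
NSOCK (6.6430s) Callback: READ SUCCESS for EID 34 [192.168.0.1:80] (123 bytes)
NSOCK (6.6430s) Read request from IOD #1 [192.168.0.1:80] (timeout: 4910ms) EID 42
NSOCK (6.6670s) Callback: READ SUCCESS for EID 42 [192.168.0.1:80] (16 bytes): 401 Unauthorized
NSOCK (6.6670s) Read request from IOD #1 [192.168.0.1:80] (timeout: 4886ms) EID 50
NSOCK (6.6690s) Callback: READ EOF for EID 50 [192.168.0.1:80]
NSOCK (6.6690s) TCP connection requested to 192.168.0.1:80 (IOD #2) EID 56
NSOCK (6.6700s) Write request for 22 bytes to IOD #2 EID 67 [192.168.0.1:80]: OPTIONS / HTTP/1.0....
NSOCK (6.6700s) Read request from IOD #2 [192.168.0.1:80] (timeout: 5000ms) EID 74
NSOCK (6.7400s) Callback: READ EOF for EID 74 [192.168.0.1:80]
"""

REQ = re.compile(r"IOD #(\d+).*EID (\d+)")               # request lines name both IOD and EID
WRITE = re.compile(r"Write request for \d+ bytes .*?\]: (.*)")
CB = re.compile(r"Callback: (\w+ \w+) for EID (\d+) \[[^\]]*\](?: \((\d+) bytes\))?")

def summarise(trace):
    """Group trace events by connection (IOD): probes written, read outcomes, bytes read."""
    eid_to_iod, conns = {}, {}
    for line in trace.splitlines():
        cb = CB.search(line)
        if cb:  # callbacks only carry the EID, so map it back to its IOD
            kind, eid, nbytes = cb.groups()
            conn = conns.get(eid_to_iod.get(eid))
            if conn is not None and kind.startswith("READ"):
                conn["reads"].append(kind.split()[1])
                conn["bytes_read"] += int(nbytes or 0)
            continue
        req = REQ.search(line)
        if not req:
            continue
        iod, eid = int(req.group(1)), req.group(2)
        eid_to_iod[eid] = iod
        conn = conns.setdefault(iod, {"probes": [], "reads": [], "bytes_read": 0})
        w = WRITE.search(line)
        if w:  # trailing dots are how the trace prints the non-printable line endings
            conn["probes"].append(w.group(1).rstrip("."))
    return conns
```

For this sample, connection 1 shows a read that times out before anything is written, then the GET probe and 139 bytes of response; connection 2 shows the OPTIONS probe ending in EOF with no data.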

