Chapter 1: The Basics

To understand how nmap works, one must also understand the fundamentals of TCP/IP. Nmap sends TCP/IP packets to remote hosts and interprets the replies (and, just as importantly, the absence of replies) as useful security information. All of the wonderful information that nmap discovers is derived from these intricate conversations between nmap and the remote devices.


All computers using the TCP/IP family of protocols follow standard processes when initiating network conversations. Ideally, these processes would be identical regardless of operating system, software version, or hardware manufacturer. In the networking world, however, not every system works exactly the same way: different TCP/IP stacks set slightly different header values, choose different options, and respond differently to unusual packets. Although these minor differences would usually be considered problematic, nmap takes advantage of these anomalies to provide additional information about the remote system, such as a guess at the operating system it is running, without ever asking the system directly.


The TCP/IP protocols aren't difficult to understand, but each protocol is unique and has its own set of rules and procedures. Once the basics of these protocols are understood, the fundamental operation of nmap becomes much easier to follow. If you're new to networking, don't skip this section!


Internet Protocol

For data to move across the Internet, each device must have an Internet Protocol (IP) address. At its most basic level, IP is a truck-for-hire that carries data shipments across the roads of the network. IP doesn't care what's in the back of the truck; its only job is to carry the truck and its cargo of data from one side of the network to the other. IP makes no promise that the truck actually arrives, however; delivery is "best effort," and any guarantee that the cargo shows up intact and in order has to come from a higher-layer protocol riding in the back of the truck, such as TCP.

Just like a real truck, every IP truck needs a starting address to pick up the shipment and a final destination address where the data will be unloaded. In the real world, we think of these as street addresses. In the TCP/IP world, these addresses (IPv4 addresses, the kind this book deals with) are usually written as four decimal numbers between 0 and 255 separated by dots, such as 192.168.0.1 or 10.155.232.17. Before a station can communicate across the network, the IP address of the destination station must be identified so the IP truck will know where to drive. You wouldn't take a trip without knowing where you were going!

The Internet connects many different networks together with devices called routers. As the IP truck drives through the network, it stops at each router to ask for directions. The IP truck also traverses other devices called firewalls or packet filters. As the IP truck travels along its way, a router or firewall may decide that the IP truck's packet isn't permitted to drive along this particular part of the network. If this happens, the firewall or packet filter will obliterate the IP truck from the network, usually without any message back to the originating station. The truck and all of its data are never heard from again. This silence is exactly what nmap is listening for. A closed port on a reachable host answers with a TCP reset, and an open port answers with the next step of the TCP handshake, but a port behind a filter answers with nothing at all (or, from a chattier firewall, with an ICMP "destination unreachable" message). Nmap treats that lack of a normal response, after retrying the probe a few times in case the packet was simply lost, as the signature of a filtered port, which is how it tells open, closed, and filtered ports apart.
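The decision described above, as an added worked example written for this chapter and not taken from nmap's own source code. It models the replies a SYN probe can get (a SYN/ACK, a RST, an ICMP destination-unreachable message, or nothing at all) and maps each port to open, closed, or filtered the way nmap does. The `Response` type, the retry list, and the sample probe results are assumptions constructed here for illustration; the ICMP type 3 codes listed are the ones nmap documents as meaning "filtered."

```python
# Added example: how a SYN-scan reply (or its absence) maps to nmap's
# open / closed / filtered port states. Illustrative code written for this
# chapter, not nmap's own source; the Response type, the per-attempt reply
# list and the sample data below are assumptions made here.
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits as they appear in the TCP header flags field
SYN = 0x02
RST = 0x04
ACK = 0x10

# ICMP destination-unreachable (type 3) codes that nmap treats as evidence
# of a filter in the path (net/host/port/admin prohibited, and friends)
ICMP_UNREACH_TYPE = 3
ICMP_FILTER_CODES = {1, 2, 3, 9, 10, 13}


@dataclass
class Response:
    kind: str           # "tcp" or "icmp"
    tcp_flags: int = 0  # meaningful when kind == "tcp"
    icmp_type: int = 0  # meaningful when kind == "icmp"
    icmp_code: int = 0


def classify_syn_probe(replies: List[Optional[Response]]) -> str:
    """Classify one port from the replies to a SYN probe.

    `replies` holds one entry per transmission attempt (nmap retransmits a
    probe that gets no answer); None means nothing came back for that attempt.
    The first definitive reply decides the state. If every attempt is silent,
    the port is reported as filtered, because a packet dropped by a firewall
    and a packet lost in transit look identical to the scanner.
    """
    for reply in replies:
        if reply is None:
            continue  # this attempt went unanswered; try the next one
        if reply.kind == "tcp":
            if reply.tcp_flags & SYN and reply.tcp_flags & ACK:
                return "open"     # a service completed its half of the handshake
            if reply.tcp_flags & RST:
                return "closed"   # host reachable, nothing listening on that port
        elif reply.kind == "icmp":
            if (reply.icmp_type == ICMP_UNREACH_TYPE
                    and reply.icmp_code in ICMP_FILTER_CODES):
                return "filtered"  # a router or firewall refused to forward it
    return "filtered"  # silence on every attempt: the truck never came back


# Constructed sample probe results (not captured traffic)
SAMPLES = {
    "tcp/22":  [Response("tcp", tcp_flags=SYN | ACK)],
    "tcp/23":  [Response("tcp", tcp_flags=RST | ACK)],
    "tcp/135": [None, None, None],  # silently dropped by a packet filter
    "tcp/445": [None, Response("icmp", icmp_type=3, icmp_code=13)],  # admin prohibited
}


def scan_report() -> dict:
    """Return {port: state} for every sample port."""
    return {port: classify_syn_probe(replies) for port, replies in SAMPLES.items()}


if __name__ == "__main__":
    for port, state in scan_report().items():
        print(f"{port:8} {state}")
```

The important design point is the last `return "filtered"`: nothing in the silent case distinguishes a firewall from a lossy link, so the scanner can only retry a few times and then label the port by the absence of evidence, which is why filtered ports make a scan take noticeably longer than open or closed ones.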