IP Protocol Scan (-sO)
Requires Privileged Access: YES
Identifies TCP Ports: NO
Identifies UDP Ports: NO

The IP protocol scan is a bit different from the other nmap scans. Instead of probing TCP or UDP ports, it walks the 8-bit protocol field of the IP header, sending one raw datagram for each of the 256 possible protocol numbers and recording which ones the remote station answers. On a workstation this usually turns up only ICMP, TCP and UDP; if a router is scanned, additional IP protocols such as EGP or IGP may be identified.


The list of IP protocols (the number-to-name mapping used in the output) is found in the nmap-protocols file. If the nmap-protocols file isn't found, nmap falls back to the /etc/protocols file.


IP Protocol Scan Operation
An unavailable IP protocol draws no reply from a host like this one, so nmap can only report it as open|filtered (a firewall silently dropping the probe looks exactly the same). Some IP stacks instead answer an unsupported protocol with an ICMP protocol unreachable (type 3, code 2), which nmap reports as closed. The MAC addresses are displayed to emphasize the IP layer conversation that occurs between the stations:

Trace (sO_no_response):
Source        Destination    Summary 
--------------------------------------------------------------------------------------
Intel 756B89 SprMcr11AB5A  IP: D=[192.168.0.10] S=[192.168.0.8] [0x22: xns-idp]
An available IP Protocol provides a response specific to the protocol type:

Trace (sO_response):
Source          Destination     Summary 
--------------------------------------------------------------------------------------
[192.168.0.8]  [192.168.0.10] TCP: D=44860 S=44860 ACK=637252255 WIN=1024
[192.168.0.10] [192.168.0.8]  TCP: D=44860 S=44860 RST WIN=0
The nmap output shows the IP protocol types available on a Windows-based workstation:
# nmap -sO -v 192.168.0.10

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-11 12:46 EDT
Initiating IPProto Scan against 192.168.0.10 [256 ports] at 12:46
Discovered open port 6/ip on 192.168.0.10
Discovered open port 1/ip on 192.168.0.10
The IPProto Scan took 5.70s to scan 256 total ports.
Host 192.168.0.10 appears to be up ... good.
Interesting protocols on 192.168.0.10:
(The 253 protocols scanned but not shown below are in state: open|filtered)
PROTOCOL STATE    SERVICE
1        open     icmp
6        open     tcp
17       filtered udp
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)

Nmap finished: 1 IP address (1 host up) scanned in 6.620 seconds
               Raw packets sent: 511 (10.3KB) | Rcvd: 4 (194B)
#
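The probe construction and state classification described above, as an added example that is not code from the original page or from nmap itself. It reads a constructed excerpt in nmap-protocols format, builds the raw IPv4 datagram for each of the 256 protocol numbers in memory (nothing is sent on the wire), and applies the rules nmap documents for -sO: any reply in the probed protocol is open, an ICMP protocol unreachable (type 3, code 2) is closed, other ICMP unreachables (type 3, codes 1, 3, 9, 10, 13) are filtered, and silence is open|filtered. The addresses and the port 44860 come from the trace; the reply table is constructed to mirror what the Windows host sent back, so the result matches the nmap listing above.

```python
"""
Added example, not code from the original page or from nmap: an in-memory
model of how an IP protocol scan builds its probes and classifies replies.
The protocol table is a constructed excerpt in nmap-protocols format and the
replies are constructed sample data, not captured traffic.
"""
import socket
import struct

# Constructed excerpt in nmap-protocols / /etc/protocols format:
# name  number  alias  # comment
NMAP_PROTOCOLS_SAMPLE = """\
# Protocol  Number  Alias
icmp     1    ICMP      # internet control message protocol
tcp      6    TCP       # transmission control protocol
egp      8    EGP       # exterior gateway protocol
igp      9    IGP       # any private interior gateway
udp      17   UDP       # user datagram protocol
xns-idp  22   XNS-IDP   # Xerox NS IDP
"""

SCANNER, TARGET = "192.168.0.8", "192.168.0.10"   # addresses from the trace


def parse_protocols(text):
    """Return {number: name} from an nmap-protocols style file."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        table[int(fields[1])] = fields[0]
    return table


def ip_checksum(data):
    """RFC 1071 one's-complement checksum, as used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_probe(src, dst, proto, ident):
    """Build the IPv4 datagram a -sO probe sends for one protocol number.

    Like nmap, the TCP, UDP and ICMP probes carry a minimal transport header
    so the target's stack has something to answer (the TCP probe is the ACK
    seen in the trace); every other protocol number gets a bare 20-byte IP
    header, which is why the trace shows LEN=0 datagrams.
    """
    if proto == 6:      # TCP ACK, source port == destination port as in the trace
        payload = struct.pack("!HHIIBBHHH", 44860, 44860, 0, 637252255,
                              5 << 4, 0x10, 1024, 0, 0)
    elif proto == 17:   # UDP header with no data
        payload = struct.pack("!HHHH", 44860, 44860, 8, 0)
    elif proto == 1:    # ICMP echo request, checksum filled in
        payload = struct.pack("!BBHHH", 8, 0, 0, 0, 0)
        payload = payload[:2] + struct.pack("!H", ip_checksum(payload)) + payload[4:]
    else:
        payload = b""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def classify(reply):
    """Map one reply (None for silence) to the state nmap would print."""
    if reply is None:
        return "open|filtered"
    if reply["proto"] == 1 and reply["icmp_type"] == 3:
        if reply["icmp_code"] == 2:
            return "closed"
        if reply["icmp_code"] in (1, 3, 9, 10, 13):
            return "filtered"
    return "open"          # any other reply proves the protocol is handled


def protocol_scan(replies, table):
    """Probe protocol numbers 0-255 and return [(number, state, name)] for
    every protocol that is not open|filtered, the same set nmap lists."""
    results = []
    for proto in range(256):
        probe = build_probe(SCANNER, TARGET, proto, ident=(proto * 257) & 0xFFFF)
        assert probe[9] == proto               # protocol field is byte 9
        state = classify(replies.get(proto))
        if state != "open|filtered":
            results.append((proto, state, table.get(proto, "unknown")))
    return results


# Constructed replies standing in for the Windows host's behaviour in the trace:
# echo reply to the ICMP probe, RST to the TCP ACK probe, ICMP port unreachable
# to the UDP probe (nmap counts that as filtered), silence to everything else.
SAMPLE_REPLIES = {
    1:  {"proto": 1, "icmp_type": 0, "icmp_code": 0},
    6:  {"proto": 6, "tcp_flags": 0x04},
    17: {"proto": 1, "icmp_type": 3, "icmp_code": 3},
}

if __name__ == "__main__":
    table = parse_protocols(NMAP_PROTOCOLS_SAMPLE)
    print("PROTOCOL STATE    SERVICE")
    for number, state, name in protocol_scan(SAMPLE_REPLIES, table):
        print("%-8d %-8s %s" % (number, state, name))
```

Running it prints the same three lines as the nmap output above (1 open icmp, 6 open tcp, 17 filtered udp); the other 253 numbers stay open|filtered because the host never answered them. Note that the UDP probe is reported filtered even though the ICMP port unreachable proves the host parsed it: nmap treats that unreachable as a filter response for the probed protocol.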

Advantages of the IP Protocol Scan
The IP protocol scan locates uncommon IP protocols that may be in use on a system. These are often found on routers and switches that are configured with additional IP protocol support, such as EGP or IGP. Locating these additional protocols can help determine if the destination device is a workstation, a printer, or a router.

Disadvantages of the IP Protocol Scan
When looking at a packet trace, an IP protocol scan looks fairly obvious. Since most networking protocols are based on TCP or UDP, any deviation from those two protocol types is conspicuous. This scan will certainly appear on any network monitoring application that identifies the IP protocol types in use.

This is a sample trace file output from the IP protocol scan. Although the decode summary doesn't show the protocol value of each packet, a burst of zero-length IP datagrams from one source to one destination, with no TCP, UDP or ICMP header behind any of them, is no ordinary IP conversation.
Source        Destination   Summary 
--------------------------------------------------------------------------------------
Intel 756B89 SprMcr11AB5A IP: D=[192.168.0.10] S=[192.168.0.8] LEN=0 ID=9584
Intel 756B89 SprMcr11AB5A IP: D=[192.168.0.10] S=[192.168.0.8] LEN=0 ID=27294
Intel 756B89 SprMcr11AB5A IP: D=[192.168.0.10] S=[192.168.0.8] LEN=0 ID=13528
Intel 756B89 SprMcr11AB5A IP: D=[192.168.0.10] S=[192.168.0.8] LEN=0 ID=36967
Intel 756B89 SprMcr11AB5A IP: D=[192.168.0.10] S=[192.168.0.8] LEN=0 ID=33258
Intel 756B89 SprMcr11AB5A IP: D=[192.168.0.10] S=[192.168.0.8] LEN=0 ID=10186
Intel 756B89 SprMcr11AB5A IP: D=[192.168.0.10] S=[192.168.0.8] LEN=0 ID=43896
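The monitoring rule the paragraph above alludes to, as an added example that is not code from the original page: it counts distinct IP protocol numbers per source/destination pair inside a sliding time window and raises an alert when the count is implausible for normal traffic. The packet records are constructed in the shape of a "timestamp src dst proto length" capture export (scanner and target addresses taken from the trace, a benign workstation at 192.168.0.20 assumed); the window and threshold are assumed starting values to tune per network.

```python
"""
Added example, not from the original page: a detection rule for IP protocol
scans, run over constructed packet records.  A normal host touches a handful
of IP protocol numbers (TCP, UDP, ICMP, perhaps GRE or ESP); an -sO sweep
makes one source hit dozens of distinct protocol numbers against one
destination within seconds, most of them as zero-length datagrams.
"""
from collections import defaultdict

# Constructed benign traffic: a workstation (assumed address) talking to the
# target over the usual protocols plus a GRE tunnel and ESP, over a few seconds.
BENIGN = """
50.000 192.168.0.20 192.168.0.10 6  1460
51.000 192.168.0.20 192.168.0.10 17 512
52.000 192.168.0.20 192.168.0.10 1  64
53.000 192.168.0.20 192.168.0.10 47 100
54.000 192.168.0.20 192.168.0.10 50 200
"""


def constructed_scan_records(src="192.168.0.8", dst="192.168.0.10",
                             start=100.0, count=32, spacing=0.02):
    """Constructed -sO traffic: one datagram per protocol number.  TCP, UDP
    and ICMP carry a small header; every other number is a LEN=0 datagram."""
    header_len = {6: 20, 17: 8, 1: 8}
    return "\n".join("%.3f %s %s %d %d" % (start + i * spacing, src, dst, i,
                                           header_len.get(i, 0))
                     for i in range(count))


def parse_records(text):
    """Parse 'timestamp src dst proto length' lines into tuples."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, length = line.split()
        records.append((float(ts), src, dst, int(proto), int(length)))
    return records


def detect_protocol_scans(records, window=10.0, min_protocols=8):
    """Slide a time window over each (src, dst) pair and report the window
    with the most distinct IP protocol numbers when it reaches min_protocols.
    Returns one alert dict per offending pair."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, length in records:
        by_pair[(src, dst)].append((ts, proto, length))
    alerts = []
    for (src, dst), pkts in by_pair.items():
        pkts.sort()
        best, start = None, 0
        for end in range(len(pkts)):
            while pkts[end][0] - pkts[start][0] > window:
                start += 1                      # drop packets older than the window
            in_window = pkts[start:end + 1]
            protos = {p for _, p, _ in in_window}
            if len(protos) >= min_protocols and (
                    best is None or len(protos) > best["distinct_protocols"]):
                best = {
                    "src": src, "dst": dst,
                    "first_seen": in_window[0][0], "last_seen": in_window[-1][0],
                    "distinct_protocols": len(protos),
                    "zero_length": sum(1 for _, _, l in in_window if l == 0),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    records = parse_records(BENIGN + "\n" + constructed_scan_records())
    for alert in detect_protocol_scans(records):
        print(alert)
```

The benign workstation never exceeds five protocol numbers, so it stays quiet, while the scanner trips the rule with 32 distinct numbers and 29 zero-length datagrams in under a second. The usual caveat applies: a scan slowed down so that fewer than the threshold number of probes fit in one window (nmap's slower timing templates, for example) passes underneath a window-based count, so pair it with a longer-horizon tally of rarely-seen protocol numbers per source.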
Since this scan locates IP protocols and doesn't identify open TCP or UDP ports, other scan types will not run in conjunction with the IP protocol scan. If other scan types are specified on the command line with the IP protocol scan, the scan does not run and this version of nmap displays the following error message:
Sorry, the IPProtoscan, Listscan, and Pingscan (-sO, -sL, -sP) must currently be used alone rather than combined with other scan types.
QUITTING!

When to use the IP Protocol Scan
The IP protocol scan is useful when looking for "other" protocols that might be in use. If a device is suspected to be a router, the IP protocol scan can locate router protocols that would assist with the identification process.