Scanning using a specified network interface
Nmap is known for its flexibility, and allows users to specify the network interface used when scanning. This is very handy when running some of the sniffer NSE scripts, discovering whether your interface supports the promiscuous mode, or when testing a network connection with routing problems.
The following recipe describes how to force Nmap to scan using a specified network interface.
How to do it...
Open your terminal and enter the following command:
$ nmap -e <INTERFACE> scanme.nmap.org
This will force Nmap to perform a TCP scan of scanme.nmap.org using the interface <INTERFACE>.
How it works...
The flag -e is used to set a specific network interface when Nmap is unable to select one automatically. The existence of this flag allows Nmap to send and receive packets through an alternate interface.
There's more...
If you need to select your interface manually, you will see the following message:
WARNING: Unable to find appropriate interface for system route to ...
Checking a TCP connection
To check if a network interface can communicate with your network, you could try a ping scan that forces Nmap to use a specified interface:
$ nmap -sP -e INTERFACE 192.168.1.254 --------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 1000, min 100, max 10000 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000 parallelism: min 0, max 0 max-retries: 10, host-timeout: 0 min-rate: 0, max-rate: 0 --------------------------------------------- Initiating ARP Ping Scan at 02:46 Scanning 192.168.1.254 [1 port] Packet capture filter (device wlan2): arp and arp[18:4] = 0x00C0CA50 and arp[22:2] = 0xE567 Completed ARP Ping Scan at 02:46, 0.06s elapsed (1 total hosts) Overall sending rates: 16.76 packets / s, 704.05 bytes / s. mass_rdns: Using DNS server 192.168.1.254 Initiating Parallel DNS resolution of 1 host. at 02:46 mass_rdns: 0.03s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1] Completed Parallel DNS resolution of 1 host. at 02:46, 0.03s elapsed DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] Nmap scan report for 192.168.1.254 Host is up, received arp-response (0.0017s latency). MAC Address: 5C:4C:A9:F2:DC:7C (Huawei Device Co.) Final times for host: srtt: 1731 rttvar: 5000 to: 100000 Read from /usr/local/bin/../share/nmap: nmap-mac-prefixes nmap-payloads. Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
See also
The Running NSE scripts recipe
The Scanning using specific port ranges recipe
The Hiding our traffic with additional random data recipe in Chapter 2, Network Exploration
The Forcing DNS resolution recipe in Chapter 2, Network Exploration
The Excluding hosts from your scans recipe in Chapter 2, Network Exploration
The Brute forcing DNS records recipe in Chapter 3, Gathering Additional Host Information
The Fingerprinting the operative system of a host recipe in Chapter 3, Gathering Additional Host Information
The Discovering UDP services recipe in Chapter 3, Gathering Additional Host Information
The Listing the protocols supported by a remote host recipe in Chapter 3, Gathering Additional Host Information
