linux tcp stack behavior change

From: Jan Engelhardt
Date: Tue Dec 26 2006 - 21:05:38 EST

Hello list,

I have been noticing that running nmap -sF on oneself does not generate
a reply from the TCP stack on 2.6.18(.5). In other words:

# tcpdump -ni lo &
[1] 32376
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
# nmap localhost -n -sX -p 22
Starting Nmap 4.11 ( ) at 2006-12-27 02:59 CET
02:59:54.199763 IP > FP 2987942575:2987942575(0) win 3072 urg 0

and it just sits there. By chance, I found that passing FIN,ACK gives
the desired effect:

# nmap localhost -n -sX -p 22 --scanflags FIN,ACK
Starting Nmap 4.11 ( ) at 2006-12-27 03:01 CET
03:01:28.847871 IP > F 935914709:935914709(0) ack 1975786655 win 4096
03:01:28.847943 IP > R 1975786655:1975786655(0) win 0
Interesting ports on
22/tcp closed ssh
Nmap finished: 1 IP address (1 host up) scanned in 0.071 seconds

However, I know that plain -sF worked with previous kernels. Using
nmap-4.00 on yields the same result, so I do not think it is
caused by a change in nmap code. Could someone with 2.6.13-2.6.17 verify
that the TCP stack returned a RST? Or perhaps someone else actually
knows there was a change in the linux kernel to cause the now-observed

