FAQ filtered

From SecWiki

Why does Nmap show some of my ports as "filtered"?

Nmap shows a port as filtered if it believes that a firewall is preventing communication with the port. This can be a result of an ICMP packet response (Type 3, Code 13, for instance), but it can also be because no response was received at all. In particular, if you skipped the host discovery phase with -Pn, it could mean that the host is down or does not exist.

If you are scanning across the Internet, it's very possible that your ISP is filtering some ports, either to protect its customers or to encourage businesses to purchase business-tier services. Common ports that are blocked are 25/tcp (smtp), 445/tcp (Windows SMB), and 80/tcp (http).

The other reason for some ports showing as filtered is packet loss. Nmap usually does a good job of detecting and retransmitting dropped packets, but if you use aggressive timing options like -T5 or a low --max-retries value, then you can expect that some uncorrected packet loss will still happen, leading to ports that show as filtered.
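To tell these causes apart in your own results, the following added example (not part of the original FAQ) reads Nmap's XML output (`-oX`) and explains each filtered port from its recorded reason. The XML is a constructed sample using documentation addresses, and the function name `explain_filtered` is hypothetical; the reason strings `no-response`, `admin-prohibited` and `user-set` are the ones Nmap records.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of `nmap -oX` output (not from a real scan); addresses are
# from the documentation range 192.0.2.0/24.
SAMPLE_XML = """<nmaprun>
<host><status state="up" reason="user-set"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="52"/></port>
<port protocol="tcp" portid="25"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="admin-prohibited" reason_ttl="60" reason_ip="192.0.2.1"/></port>
</ports></host>
<host><status state="up" reason="user-set"/>
<address addr="192.0.2.99" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
</ports></host>
</nmaprun>"""

def explain_filtered(xml_text):
    """Return {host: [(port, explanation), ...]} for every filtered port."""
    findings = defaultdict(list)
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        status_reason = host.find("status").get("reason")
        states = [(p.get("portid"), p.find("state")) for p in host.iter("port")]
        # With -Pn the host is marked up as "user-set"; if nothing answered at
        # all, the host itself may be down or nonexistent.
        silent = status_reason == "user-set" and all(
            s.get("reason") == "no-response" for _, s in states)
        for portid, state in states:
            if state.get("state") != "filtered":
                continue
            reason = state.get("reason")
            if silent:
                why = "no reply from any port after -Pn: host may be down"
            elif reason == "no-response":
                why = "probe dropped: firewall, ISP filter, or packet loss"
            else:
                why = f"ICMP {reason} from {state.get('reason_ip', addr)}"
            findings[addr].append((int(portid), why))
    return dict(findings)

if __name__ == "__main__":
    for host, ports in explain_filtered(SAMPLE_XML).items():
        for port, why in ports:
            print(f"{host} {port}/tcp filtered: {why}")
```

Ports reported as `no-response` on a host that otherwise answers are the ones worth rescanning with slower timing to rule out packet loss.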