IP Protocol Scans [-sO]

The IP Protocol Scans attempt to determine the IP protocols supported on a target. Nmap sends a raw IP packet without any additional protocol header (see a good TCP/IP book for information about IP packets), to each protocol on the target machine. Receipt of an ICMP Protocol Unreachable message tells us the protocol is not in use, otherwise it is assumed open. Not all hosts send ICMP Protocol Unreachable messages. These may include firewalls, AIX, HP-UX and Digital UNIX). These machines will report all protocols open.

This scan type also falls victim to the ICMP limiting rate described in the UDP scans section, however since only 256 protocols are possible (8-bit field for IP protocol in the IP header) it should not take too long.

Results of an -sO on my Linux workstation are included below.

[chaos]# nmap -sO 127.0.0.1

Starting Nmap 4.01 at 2006-07-14 12:56 BST
Interesting protocols on chaos(127.0.0.1):
(The 251 protocols scanned but not shown below are
	in state: closed)
PROTOCOL STATE         SERVICE
1        open          icmp                    
2        open|filtered igmp                    
6        open          tcp                     
17       open          udp                     
255      open|filtered unknown                 

Nmap finished: 1 IP address (1 host up) scanned in
	1.259 seconds