UDP payloads: nmap-payloads

The nmap-payloads file contains the protocol-specific payloads sent with some UDP probes. UDP scanning is difficult because most services don't send a reply to an empty probe, making it impossible to distinguish open and filtered ports. For some ports, Nmap knows a payload that is safe to send and tends to elicit a positive response. The payloads are stored in this file. Example 14.5 shows a sample payload entry.

Example 14.5. Excerpt from nmap-payloads
# Routing Information Protocol version 1. Special-case request for the entire
# routing table (address family 0, address 0.0.0.0, metric 16). RFC 1058,
# section 3.4.1.
udp 520
  "\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x10"

Each entry begins with a protocol name (only udp is supported), followed by a comma-separated list of ports. After that comes the payload data, as one or more C-style quoted strings that will be concatenated. Comments preceding each entry typically say what the probe means and what kind of response is expected.