nmap on Redhat?

Wes Bateman wrote:
>
>
> If you really don't trust the box, then in addition to the nmap scan, I
> wouldn't trust anything the running kernel told you (or told your
> userspace tools like ps, netstat, etc.). Rather, I'd boot from trusted
> media (like a rescue disk) or pull the drive and mount it in a trusted
> host. Then you can really be certain that what you see is what you
> get/have ;) But that's me, YPMV (your paranoia may vary) ;D
>
---
If you really don't trust the box, the solution is even simpler - back
up data - reload. I hope that what you meant to say was, if you are
suspicious.
---
> I might also throw a sniffer on the network(s) that the host is connected
> to and capture all traffic for a period. Then you could see illicit icmp,
> udp, ecp, etc. traffic going on, in addition to the tcp stuff you scanned
> for with nmap. You could scan udp with nmap...but that can take a
> painfully long time :) UDP has no way to say "rst" on its own ;) Anyhow,
> if you do sniff the traffic, you probably want a snaplen of 1514 or so
> (1500 MTU for ethernet, plus the 14 bytes for the ethernet frame
> header). If it's a real busy network segment, then you might not be able
> to do that. In that case you could set a snaplen of 96 or something and
> get all the headers, and a little peak at the contents. Of course, when
> you see something interesting on the wire, you'll be kicking yourself for
> not having the whole packets. Ah, the trials and tribulations of a
> network voyeur ;D
>
---
a network voyeur 'eh? Sounds rather deprecated.

Thanks Wes, for the great explanation, I am continually learning and
there are some really great resources on this list.

Craig