nmap not detecting clearly open udp port

I've opened port 4000 on my local machine as follows:

nc -lvup 4000

and then attempted to connected to the same port as follows:

nc -vu 127.0.0.1 4000

and was able to successfully connect and send and receive text back and forth. However when I listen on the same port as shown in the first snippet and then attempt a UDP scan using

nmap -sU 127.0.0.1 -p 4000

The result is as below:

Nmap scan report for localhost (127.0.0.1)
Host is up (0.000061s latency).

PORT     STATE  SERVICE
4000/udp closed icq

Shouldnt it say open since the port is clearly open as established by the first test? Please make it make sense as I'm truely stumped by this.


No. You don't understand what's happening. This is UDP, there is no connections.

When you run second nc and type something into it, it just sends packets. Then you by other means (seeing to other side of communication, e.g. to another computer screen) confirm the communication takes place. If there were no "listening" nc, the "sending" nc would happily send the same packets, without any clue if these were received or dropped.

So does nmap. It send packets, doesn't see any answers and decides its packets just vanished into black hole.

This is UDP, it is like this. It has no intrinsic confirmation of reception. If the application needs it, it does confirmations itself. And since we have no application level protocol to do it here, so nmap sees no answer, no "open port" detected.

In comparison, TCP has confirmations (ACKs) built in, that's why we can reliably detect if the port is open.