How to detect a transparent proxy with nmap

On some networks, the outbound traffic to web servers (ports 80 and 443) might be intercepted on the fly by a transparent proxy.
A simple way to try to detect such a proxy with nmap is to run the following command:

nmap -sT -p 80

Starting Nmap 6.00 ( )
Nmap scan report for (
Host is up (0.00042s latency).
rDNS record for
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

It tells nmap to initiate a standard TCP connection (-sT) with an NTP server that is far way from me, e.g. China (, on port 80 (-p 80).

In the output of nmap, we can see that:

  • the connection was successful
  • the network latency is 42ms

It’s certain in this case that there is a transparent proxy, because the typical latency from Europe to China is almost 10 times higher (370ms vs. 42ms), and typically, NTP server don’t have their port 80 open.

The reason why this is working is that this transparent proxy will blindly intercept the connections to web servers independently of their existence. It’s only when the client sends the HTTP headers that the proxy will try to contact the remote server.

If you want to double check, you can ping the same server from the command line, that will give you the latency using ICMP packets (instead of TCP):

$ ping
PING 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=46 time=376 ms
64 bytes from ( icmp_seq=2 ttl=46 time=378 ms

Compare this latency with the one from nmap.

You may also call the same nmap command from a host that is known not to be behind a proxy, and compare the results. If one nmap tells the port is open and another one the port is closed, and no firewall comes into play, then  it’s one more sign for a proxy.

So in this case, we are able to prove the existence of the proxy, but be aware that if the results were negative, it wouldn’t prove its absence. The proxy might well behave in a way that is not detectable using this method, for instance if it contacts the target server before replying to the TCP connection request from the client.


This entry was posted in Linux. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s