[[Nmap]] Reddit ipaqmaster: It doesn't matter what program you use, the ICMP reject or evidence of a packet drop will still look the same. That said, my favorite method is to `tcpdump icmp` and try to connect to the port, then check who sent me the ICMP reject packet. If it was the host itself, then it's the firewall on that host or a configuration issue on the service of that host. If the response came from a gateway IP and not the destination server, it's _that_ machine's firewall, along the way. If you get nothing, the packet was dropped at some point along the way (even possibly the end); a traceroute would be a good idea. (Perhaps even a TCP traceroute using the port number to further see where traffic stops.)
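
The triage rule from the comment above, as an added example that is not part of the original Reddit comment: it reads text output of `tcpdump -n icmp` and reports whether the ICMP unreachable came from the destination itself or from a hop along the way. The capture lines are constructed samples using documentation addresses, and the regular expression assumes tcpdump's usual text format, which can vary between versions.

```python
import re

# Assumed line format of `tcpdump -n icmp` for destination-unreachable
# messages; adjust the pattern if your tcpdump version prints them differently.
UNREACH = re.compile(
    r"IP (?P<sender>\d+\.\d+\.\d+\.\d+) > \d+\.\d+\.\d+\.\d+: ICMP "
    r"(?:host )?(?P<target>\d+\.\d+\.\d+\.\d+) "
    r"(?:(?:tcp|udp) port (?P<port>\d+) )?unreachable(?: - (?P<reason>[^,]+))?"
)

# Constructed sample lines (RFC 5737 documentation addresses).
ECHO_REQUEST = ("12:00:00.000001 IP 198.51.100.7 > 203.0.113.10: "
                "ICMP echo request, id 1, seq 1, length 64")
HOST_REJECT = ("12:00:01.100000 IP 203.0.113.10 > 198.51.100.7: "
               "ICMP 203.0.113.10 tcp port 8443 unreachable, length 68")
GATEWAY_REJECT = ("12:00:02.200000 IP 192.0.2.1 > 198.51.100.7: "
                  "ICMP host 203.0.113.10 unreachable - admin prohibited filter, length 68")


def classify(capture_lines, dest_ip, port=None):
    """Return (verdict, icmp_sender) for a connection attempt to dest_ip:port."""
    for line in capture_lines:
        m = UNREACH.search(line)
        if not m or m["target"] != dest_ip:
            continue  # unrelated ICMP traffic (echo, other destinations)
        if port is not None and m["port"] is not None and int(m["port"]) != port:
            continue  # reject for a different port on the same host
        if m["sender"] == dest_ip:
            # The host answered: its own firewall or the service configuration.
            return ("rejected-by-destination", m["sender"])
        # Another address answered: a firewall or router on the path.
        return ("rejected-by-intermediate", m["sender"])
    # Silence means a drop somewhere; traceroute (or TCP traceroute) comes next.
    return ("no-icmp-seen", None)


if __name__ == "__main__":
    for sample in ([HOST_REJECT], [GATEWAY_REJECT], [ECHO_REQUEST]):
        print(classify(sample, "203.0.113.10", 8443))
```
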