Nmap Announce mailing list archives
Re: libpcap change in nmap ?
From: "johann sebastian bach" <jsb4ch () hotmail com>
Date: Fri, 29 Jan 1999 13:25:55 PST
I had some trouble with timing out libpcap in Linux as well. The timeout obviously does not work, and when doing the typical alarm() syscall interrupt, pcap_next() or whatever function you're using refuses to return (if you strace it you will see recvfrom() returns, but then libpcap goes back into another blocking recvfrom()). Anyways, I don't think there's a way to get pcap to time out without actually modifying the library, or doing something lame like I did with sscan (I had a SIGALRM handler that sent meaningless packets out on the inet interface, which made pcap return)...
Date: Fri, 29 Jan 1999 10:48:45 -0800
From: Lamont Granquist <lamontg () raven genome washington edu>
To: Fyodor <fyodor () dhp com>
cc: nmap-hackers () insecure org
Subject: Re: libpcap change in nmap ?

On Fri, 29 Jan 1999, Fyodor wrote:

> On Thu, 28 Jan 1999, fzef fzef wrote:
>
> > I want to use the libpcap under Linux, but I would like to know what the changes are in the modified libpcap? Thanks....
>
> The only changes I have made are bugfixes in the Linux specific code. For example, the timeout value passed to pcap_open_live is completely ignored with the stock libpcap (and nmap uses this timeout extensively). Patches have been sent to the maintainers.

Actually, I don't think this is a bug. I think it's a misnamed feature. The "timeout" is the buffering timeout which is passed to BPF or DLPI and allows the kernel to spool packets without having to copy each one individually over to userspace. Linux's SOCK_PACKET doesn't do this at all, and does copy each one individually over to userspace -- therefore, no "timeout." I think that programs are supposed to use that "timeout" value as a suggested value to improve packet filter performance, but that they're supposed to ultimately be responsible for making sure that they're calling pcap for long enough, and doing their own timeouts. So I doubt that libpcap will get fixed...

> Of course, I did not fix all the bugs. Here is one that you can verify with normal tcpdump. In window 1 type:
>
>     tcpdump -i lo "dst host 127.0.0.1"
>
> And in window 2:
>
>     telnet 127.0.0.1 80
>
> You should see the TCP handshaking, but instead you see nothing on most systems I have tried. This problem seems specific to localhost (note that you may have to use a different name than lo). Nmap solves it with the ugly solution:
>
>     if (target->source_ip.s_addr == htonl(0x7F000001)) filter[0] = '\0';

Note that 127.0.0.0/8 == 127.0.0.1 according to Stevens, although 127.0.0.1 is the convention (UNP1 pg 891).

On other fronts, all this TCP sequence number prediction information has got me curious about blind spoofing attacks, and I'm making slow progress on it -- but the standard theoretical rsh attack turns out to be a bit more difficult than daemon9 makes it out to be in P48-14. Might be interesting to do something where nmap output could be piped into a sequence number prediction attack engine...

--
Lamont Granquist
lamontg () raven genome washington edu
Dept. of Molecular Biotechnology (206)616-5735 fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
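The application-side timeout that the reply above says callers must do themselves, as an added example that is not from this thread, from nmap or from libpcap: a poll()-based wait that keeps its deadline across EINTR, so a SIGALRM cannot leave the caller stuck in a restarted blocking read. With libpcap the descriptor would come from pcap_get_selectable_fd() and pcap_dispatch() would be called only once the wait reports readable (that usage is assumed, not compiled here); the pipe in pipe_demo() is a constructed stand-in for a capture socket.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <poll.h>
#include <time.h>
#include <unistd.h>

/* Milliseconds since *start on the monotonic clock (immune to wall-clock jumps). */
static long elapsed_ms(const struct timespec *start) {
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    return (now.tv_sec - start->tv_sec) * 1000L + (now.tv_nsec - start->tv_nsec) / 1000000L;
}

/* Wait up to timeout_ms for fd to become readable: 1 readable, 0 timeout, -1 error.
 * A signal such as SIGALRM only interrupts poll(); it is re-entered with the
 * time that is left, so the deadline is never extended and the caller, not
 * the capture library, owns the timeout. With libpcap the fd would come from
 * pcap_get_selectable_fd(p), and pcap_dispatch(p, 1, cb, arg) would be
 * called only after this returns 1 (assumed usage, not compiled here). */
int wait_readable(int fd, int timeout_ms) {
    struct timespec start;
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (;;) {
        int left = timeout_ms - (int)elapsed_ms(&start);
        if (left <= 0) return 0;
        struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
        int rc = poll(&pfd, 1, left);
        if (rc > 0) return 1;           /* data waiting */
        if (rc == 0) return 0;          /* deadline reached, no packet */
        if (errno != EINTR) return -1;  /* real failure; EINTR just loops */
    }
}

/* Constructed stand-in for a capture socket: an empty pipe must time out,
 * and one written byte must wake the waiter. Returns 1 on that behaviour. */
int pipe_demo(void) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    int idle = wait_readable(fds[0], 50);   /* nothing written yet: expect 0 */
    char b = 'x';
    int wrote = (int)write(fds[1], &b, 1);
    int ready = wait_readable(fds[0], 50);  /* byte waiting: expect 1 */
    close(fds[0]);
    close(fds[1]);
    return (idle == 0 && wrote == 1 && ready == 1) ? 1 : 0;
}
```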
Current thread:
- libpcap change in nmap ? fzef fzef (Jan 28)
- Re: libpcap change in nmap ? Fyodor (Jan 29)
- Re: libpcap change in nmap ? Lamont Granquist (Jan 29)
- Re: libpcap change in nmap ? Fyodor (Jan 29)
- Re: libpcap change in nmap ? Lamont Granquist (Jan 29)
- <Possible follow-ups>
- Re: libpcap change in nmap ? johann sebastian bach (Jan 29)
- Re: libpcap change in nmap ? Fyodor (Jan 29)