Nmap Development mailing list archives

Re: Patch/Feature req.: Multiple ports when doing raw tcp ping


From: Fyodor <fyodor () insecure org>
Date: Tue, 24 Dec 2002 13:13:19 -0800

On Thu, Dec 19, 2002 at 09:58:43AM -0700, Gabriel L. Somlo wrote:
> I'm wondering if it may not be worth allowing for *several* tcp ports
> to use when doing tcp pings.

I agree, and have been hoping to improve host enumeration like this
for a while.  I have applied your patch, and the next step will be to
allow the pingtype options to be used in combination rather than being
mutually exclusive.  I would like to be able to do a command like:

nmap -PS22,53,80 -PT113 -PN -PE microsoft.com/16

Your patch doesn't address the timing issues related to sending all of
these new packets.  I don't blame you, since that code is voodoo
magic that even I barely understand :).  But it caused packet loss on
restricted bandwidth connections (eg cable modem, DSL):

./nmap -sP -n 208.37.136.\* -PT80 --packet_trace
[ ... ]
Nmap run completed -- 256 IP addresses (22 hosts up) scanned in 5.183 seconds

./nmap -sP -n 208.37.136.\* -PT50,60,70,80,90 --packet_trace
[ ... ]
Nmap run completed -- 256 IP addresses (12 hosts up) scanned in 6.715 seconds

I reworked the "ping scan" algorithm quite a bit so that it should be
more accurate in the default and multi-port cases.  It is now working
pretty well for me, but I have more testing to do before an "official"
release.  For now, developers can test the changes in 3.10ALPHA8,
which I just put up at:

http://download.insecure.org/nmap/dist/nmap-3.10ALPHA8.tgz

If anyone (like me) has nothing better to do on Xmas eve, please test
this out and let me know if you notice any problems (especially
ping-scan related).

Thanks for the patch, and happy holidays everyone!

Cheers,
Fyodor

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
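The message above is about letting the TCP ping take a port list, and about combining probe types so that a single host gets one SYN probe per -PS port plus one ACK probe per -PT port (today's Nmap spells the ACK ping -PA). The following is an added example, not Nmap's own code and not Gabriel's patch: it builds the raw IPv4/TCP probes that such a combined ping would emit, in memory only, so it runs without root and sends nothing. The source address, source port, target list and port lists are constructed for the example; the checksum routine is the standard RFC 1071 ones'-complement sum, and every built packet is verified by recomputing both checksums, which must come out to zero.

```python
"""Build the raw TCP probes of an Nmap-style multi-port ping (-PS/-PT).

Added example, not Nmap's code.  Packets are built and checked in memory;
nothing is sent, so no raw socket or root privilege is needed.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List

FLAG_SYN = 0x02   # -PS: SYN ping, a live host answers SYN/ACK or RST
FLAG_ACK = 0x10   # -PT (now -PA): ACK ping, a live host answers RST

# Constructed sample values; any RFC 5737 test addresses will do.
SRC_ADDR = "192.0.2.1"
SRC_PORT = 40000
SAMPLE_TARGETS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


def parse_port_list(spec: str) -> List[int]:
    """Parse an Nmap-style comma-separated port list such as "22,53,80"."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.append(port)
    return ports


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold end-around carries
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ident: int = 0) -> bytes:
    """20-byte IPv4 header, protocol TCP, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_tcp_segment(src: str, dst: str, sport: int, dport: int, flags: int,
                      seq: int = 0, ack: int = 0) -> bytes:
    """20-byte TCP header with no options; checksum covers the pseudo-header."""
    seg = struct.pack("!HHLLBBHHH", sport, dport, seq, ack, 5 << 4, flags, 1024, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(seg))
    return seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]


@dataclass(frozen=True)
class Probe:
    dst: str
    dport: int
    flags: int
    packet: bytes   # full IPv4 + TCP probe, 40 bytes


def ping_probes(targets: List[str], syn_ports: List[int], ack_ports: List[int],
                src: str = SRC_ADDR, sport: int = SRC_PORT) -> List[Probe]:
    """One probe per (target, port, type), as -PS<ports> -PT<ports> combined would send."""
    probes = []
    for dst in targets:
        for flags, ports in ((FLAG_SYN, syn_ports), (FLAG_ACK, ack_ports)):
            for dport in ports:
                seg = build_tcp_segment(src, dst, sport, dport, flags)
                packet = build_ipv4_header(src, dst, len(seg)) + seg
                probes.append(Probe(dst, dport, flags, packet))
    return probes


def probes_per_host(syn_ports: List[int], ack_ports: List[int], icmp_echo: bool = False) -> int:
    """Packets sent to each host; this is what grows with every extra port or -PE."""
    return len(syn_ports) + len(ack_ports) + (1 if icmp_echo else 0)


def verify_checksums(packet: bytes) -> bool:
    """Recomputing a checksum over data that already contains it yields zero."""
    ip_hdr, seg = packet[:20], packet[20:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(seg))
    return checksum(ip_hdr) == 0 and checksum(pseudo + seg) == 0


if __name__ == "__main__":
    syn, ack = parse_port_list("22,53,80"), parse_port_list("113")
    batch = ping_probes(SAMPLE_TARGETS, syn, ack)
    print(f"{len(batch)} probes, {probes_per_host(syn, ack, icmp_echo=True)} per host with -PE,"
          f" all checksums valid: {all(verify_checksums(p.packet) for p in batch)}")
```

The probe count is the point of the timing remark in the message: the second trace sends five probes per host instead of one, so a /24 sweep puts five times as many packets onto the link in the same window, and on a low-bandwidth uplink some of them are dropped before any reply can come back, which is why fewer hosts were reported up.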
