Nmap Development mailing list archives

Re: probe for unspecified port

From: Fyodor <fyodor () insecure org>
Date: Sun, 7 Mar 2004 16:57:26 -0800

On Mon, Mar 08, 2004 at 01:40:35AM +0100, Gisle Vanem wrote:


The uptime is based on the Timestamp in the tcp options. Isn't
it? And I must say that doesn't work for all OS'es either.
How can nmap conclude that the TSval is based on a 1000Hz
counter from the time was started? Does RFC-1323 really say this?


Nmap does several probes over a few seconds to determine how fast the
counter is incrementing.  Then it can extrapolate back to when the
counter was zero (generally boot time).  Nmap also used the timestamp
frequency it determines as part of OS fingerprinting.

Cheers,
-F

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org

Current thread:

probe for unspecified port Gisle Vanem (Mar 06)
- <Possible follow-ups>
- probe for unspecified port testic (Mar 06)
  - Re: probe for unspecified port MadHat (Mar 06)
    - Re: probe for unspecified port CBuH. (Mar 07)
    - Re: probe for unspecified port Gisle Vanem (Mar 07)
    - Re: probe for unspecified port Fyodor (Mar 07)