Nmap Development mailing list archives

Re: Possible WinPcap problems


From: "Jamie Gavahan" <redpike () gmail com>
Date: Sat, 6 May 2006 14:02:41 -0500

On 5/5/06, John Crichton <ti86macos () hotmail com> wrote:

On May 4, 2006, at 1:17 AM, AgentSmith15 wrote:

> Do you have a WRT54G router by any chance? Do you think that this
> could be the cause of the problem?

No, I have a netgear WGR614.

Here's the result for the packet trace scan

 nmap -p20-26 -sV -r --packet-trace scanme.nmap.org

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-05-04 15:32 CDT
NSOCK (2.5630s) UDP connection requested to 192.168.0.1:53 (IOD #1) EID 8
NSOCK (2.5630s) Read request from IOD #1 [192.168.0.1:53] (timeout: -1ms) EID 18
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 0 undergoing ACK Scan
System DNS resolution Timing: About 0.00% done; ETC: 19:01 (-596:-31:-23 remaining)
NSOCK (2.5630s) Write request for 45 bytes to IOD #1 EID 27 [192.168.0.1:53]: .s...........62.153.217.205.in-addr.arpa.....
NSOCK (2.5670s) nsock_loop() started (timeout=500ms). 3 events pending
NSOCK (2.5670s) Callback: CONNECT SUCCESS for EID 8 [192.168.0.1:53]
NSOCK (2.5670s) Callback: WRITE SUCCESS for EID 27 [192.168.0.1:53]
NSOCK (2.7540s) Callback: READ SUCCESS for EID 18 [192.168.0.1:53] (169 bytes)
NSOCK (2.7540s) Read request from IOD #1 [192.168.0.1:53] (timeout: -1ms) EID 34
CONN (2.9600s) TCP localhost > 205.217.153.62:20 => Operation now in progress
CONN (2.9610s) TCP localhost > 205.217.153.62:21 => Operation now in progress
CONN (2.9620s) TCP localhost > 205.217.153.62:22 => Operation now in progress
CONN (2.9620s) TCP localhost > 205.217.153.62:23 => Operation now in progress
CONN (2.9630s) TCP localhost > 205.217.153.62:24 => Operation now in progress
CONN (2.9630s) TCP localhost > 205.217.153.62:25 => Operation now in progress
CONN (2.9640s) TCP localhost > 205.217.153.62:26 => Operation now in progress
CONN (4.2490s) TCP localhost > 205.217.153.62:26 => Operation now in progress
CONN (4.2500s) TCP localhost > 205.217.153.62:24 => Operation now in progress
CONN (4.2510s) TCP localhost > 205.217.153.62:23 => Operation now in progress
CONN (4.2510s) TCP localhost > 205.217.153.62:21 => Operation now in progress
CONN (4.2520s) TCP localhost > 205.217.153.62:20 => Operation now in progress
NSOCK (14.7310s) TCP connection requested to 205.217.153.62:22 (IOD #1) EID 8
NSOCK (14.7320s) nsock_loop() started (no timeout). 1 events pending
NSOCK (14.8150s) Callback: CONNECT SUCCESS for EID 8 [205.217.153.62:22]
NSOCK (14.8150s) Read request from IOD #1 [205.217.153.62:22] (timeout: 6000ms) EID 18
NSOCK (14.8870s) Callback: READ SUCCESS for EID 18 [205.217.153.62:22] (20 bytes): SSH-2.0-OpenSSH_4.3.
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT   STATE    SERVICE   VERSION
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp open     ssh       OpenSSH 4.3 (protocol 2.0)
23/tcp filtered telnet
24/tcp filtered priv-mail
25/tcp closed   smtp
26/tcp filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 14.960 seconds


On short scans, I do not see the problem occur, only on a default scan
of all of nmap's 1670-some-odd ports.

I also have experienced this problem, both after compiling from
source, and from the pre-compiled binaries.  I have a Windows XP Pro
SP2 laptop with the windows firewall disabled.  My router is also a
Netgear WRG614.  It is version 5 with the latest firmware.  The SPI
firewall is disabled on the router.

Here's my output from a packet trace:

nmap -p20-26 -sV -r --packet-trace scanme.insecure.org

Starting Nmap 4.03 ( http://www.insecure.org/nmap ) at 2006-05-06 13:42 Central Daylight Time
SENT (0.2810s) ICMP 10.0.0.2 > 205.217.153.62 Echo request (type=8/code=0) ttl=45 id=5357 iplen=28
SENT (0.2810s) TCP 10.0.0.2:61300 > 205.217.153.62:80 A ttl=52 id=52485 iplen=40 seq=319111262 win=1024 ack=512049246
RCVD (0.4060s) ICMP 205.217.153.62 > 10.0.0.2 Echo reply (type=0/code=0) ttl=44 id=12786 iplen=28
NSOCK (0.9060s) UDP connection requested to 10.0.0.1:53 (IOD #1) EID 8
NSOCK (0.9060s) Read request from IOD #1 [10.0.0.1:53] (timeout: -1ms) EID 18
NSOCK (0.9060s) Write request for 45 bytes to IOD #1 EID 27 [10.0.0.1:53]: 6c...........62.153.217.205.in-addr.arpa.....
NSOCK (0.9060s) nsock_loop() started (timeout=500ms). 3 events pending
NSOCK (0.9060s) Callback: CONNECT SUCCESS for EID 8 [10.0.0.1:53]
NSOCK (0.9060s) Callback: WRITE SUCCESS for EID 27 [10.0.0.1:53]
NSOCK (0.9690s) Callback: READ SUCCESS for EID 18 [10.0.0.1:53] (169 bytes)
NSOCK (0.9690s) Read request from IOD #1 [10.0.0.1:53] (timeout: -1ms) EID 34
SENT (0.9840s) TCP 10.0.0.2:61278 > 205.217.153.62:20 S ttl=40 id=49014 iplen=44 seq=964039243 win=1024
SENT (0.9840s) TCP 10.0.0.2:61278 > 205.217.153.62:21 S ttl=58 id=4937 iplen=44 seq=964039243 win=3072
SENT (0.9840s) TCP 10.0.0.2:61278 > 205.217.153.62:22 S ttl=47 id=6674 iplen=44 seq=964039243 win=4096
SENT (0.9840s) TCP 10.0.0.2:61278 > 205.217.153.62:23 S ttl=57 id=31282 iplen=44 seq=964039243 win=2048
SENT (0.9840s) TCP 10.0.0.2:61278 > 205.217.153.62:24 S ttl=57 id=61745 iplen=44 seq=964039243 win=2048
SENT (0.9840s) TCP 10.0.0.2:61278 > 205.217.153.62:25 S ttl=45 id=38522 iplen=44 seq=964039243 win=2048
SENT (0.9840s) TCP 10.0.0.2:61278 > 205.217.153.62:26 S ttl=51 id=25177 iplen=44 seq=964039243 win=4096
RCVD (1.0940s) TCP 205.217.153.62:22 > 10.0.0.2:61278 SA ttl=44 id=12794 iplen=44 seq=4093108198 win=5840 ack=964039244
SENT (2.5150s) TCP 10.0.0.2:61279 > 205.217.153.62:26 S ttl=37 id=61031 iplen=44 seq=964104778 win=2048
SENT (2.5150s) TCP 10.0.0.2:61279 > 205.217.153.62:25 S ttl=46 id=32323 iplen=44 seq=964104778 win=3072
SENT (2.5310s) TCP 10.0.0.2:61279 > 205.217.153.62:24 S ttl=48 id=16181 iplen=44 seq=964104778 win=1024
SENT (2.5470s) TCP 10.0.0.2:61279 > 205.217.153.62:23 S ttl=47 id=52527 iplen=44 seq=964104778 win=4096
SENT (2.5620s) TCP 10.0.0.2:61279 > 205.217.153.62:21 S ttl=42 id=63557 iplen=44 seq=964104778 win=3072
SENT (2.5620s) TCP 10.0.0.2:61279 > 205.217.153.62:20 S ttl=46 id=51326 iplen=44 seq=964104778 win=3072
NSOCK (3.9370s) TCP connection requested to 205.217.153.62:22 (IOD #1) EID 8
NSOCK (3.9370s) nsock_loop() started (no timeout). 1 events pending
NSOCK (4.0470s) Callback: CONNECT SUCCESS for EID 8 [205.217.153.62:22]
NSOCK (4.0470s) Read request from IOD #1 [205.217.153.62:22] (timeout: 6000ms) EID 18
NSOCK (4.1720s) Callback: READ SUCCESS for EID 18 [205.217.153.62:22] (20 bytes): SSH-2.0-OpenSSH_4.3.
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT   STATE    SERVICE   VERSION
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp open     ssh       OpenSSH 4.3 (protocol 2.0)
23/tcp filtered telnet
24/tcp filtered priv-mail
25/tcp filtered smtp
26/tcp filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 4.203 seconds


Also, I experience the problem while trying just operating-system
fingerprinting on scanme.insecure.org.  The output is attached.  I
used the command:

nmap -P0 -O -oN nmap.log scanme.insecure.org

-Jamie
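The two --packet-trace transcripts in this thread differ in one detail worth checking mechanically: the first shows only CONN lines (connect() calls, which is the TCP connect scan Nmap falls back to when it cannot send raw packets), while the second shows SENT/RCVD lines (raw packets injected and captured through WinPcap). The following script is an added example written for this page, not code from the thread or from the Nmap project; it classifies a trace by that criterion and summarises per-port SYN probes and responses. The regexes are written against the trace lines quoted above, not against any official Nmap output grammar, and the sample inputs are shortened excerpts of those two traces.

```python
"""Classify an nmap --packet-trace transcript (raw packets vs. connect() fallback)
and summarise per-port TCP probes and responses.

Added example for this thread, not Nmap's own code. Interpretation assumed:
'SENT'/'RCVD' TCP lines are raw packets injected/captured through WinPcap
(libpcap on Unix); 'CONN' lines are connect() calls from the TCP connect scan
Nmap uses when it cannot send raw packets.
"""
import re
from collections import defaultdict

# Raw probe/response lines, e.g.
# SENT (0.9840s) TCP 10.0.0.2:61278 > 205.217.153.62:22 S ttl=47 id=6674 iplen=44 ...
TCP_LINE = re.compile(
    r'^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP '
    r'(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) '
    r'(?P<flags>[A-Z]+) '
)
# connect()-scan lines, e.g.
# CONN (2.9600s) TCP localhost > 205.217.153.62:20 => Operation now in progress
CONN_LINE = re.compile(
    r'^CONN \((?P<t>[\d.]+)s\) TCP localhost > (?P<dst>[\d.]+):(?P<dport>\d+) => (?P<status>.*)$'
)


def analyze_trace(text):
    """Return a summary dict: scan mode, SYN probes per port (retries show as >1),
    connect() attempts per port, ports that answered SYN/ACK or RST, and ports
    that were probed by raw SYN but never answered (Nmap reports those as filtered)."""
    sent = defaultdict(int)
    conn = defaultdict(int)
    synack, rst = set(), set()
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            flags = m.group('flags')
            if m.group('dir') == 'SENT' and flags == 'S':
                sent[int(m.group('dport'))] += 1
            elif m.group('dir') == 'RCVD':
                port = int(m.group('sport'))  # responder's source port is the scanned port
                if flags == 'SA':
                    synack.add(port)
                elif 'R' in flags:
                    rst.add(port)
            continue
        m = CONN_LINE.match(line)
        if m:
            conn[int(m.group('dport'))] += 1
    mode = 'raw' if sent else ('connect' if conn else 'unknown')
    silent = sorted(p for p in sent if p not in synack and p not in rst)
    return {'mode': mode, 'sent': dict(sent), 'conn': dict(conn),
            'synack': sorted(synack), 'rst': sorted(rst), 'silent': silent}


# Shortened excerpt of the first trace in the thread (connect() calls only).
TRACE_CONNECT = """\
CONN (2.9600s) TCP localhost > 205.217.153.62:20 => Operation now in progress
CONN (2.9620s) TCP localhost > 205.217.153.62:22 => Operation now in progress
CONN (4.2520s) TCP localhost > 205.217.153.62:20 => Operation now in progress
NSOCK (14.7310s) TCP connection requested to 205.217.153.62:22 (IOD #1) EID 8
"""

# Shortened excerpt of the second trace (raw packets via WinPcap; ICMP lines are ignored).
TRACE_RAW = """\
SENT (0.2810s) ICMP 10.0.0.2 > 205.217.153.62 Echo request (type=8/code=0) ttl=45 id=5357 iplen=28
SENT (0.2810s) TCP 10.0.0.2:61300 > 205.217.153.62:80 A ttl=52 id=52485 iplen=40 seq=319111262 win=1024 ack=512049246
RCVD (0.4060s) ICMP 205.217.153.62 > 10.0.0.2 Echo reply (type=0/code=0) ttl=44 id=12786 iplen=28
SENT (0.9840s) TCP 10.0.0.2:61278 > 205.217.153.62:22 S ttl=47 id=6674 iplen=44 seq=964039243 win=4096
SENT (0.9840s) TCP 10.0.0.2:61278 > 205.217.153.62:25 S ttl=45 id=38522 iplen=44 seq=964039243 win=2048
SENT (0.9840s) TCP 10.0.0.2:61278 > 205.217.153.62:26 S ttl=51 id=25177 iplen=44 seq=964039243 win=4096
RCVD (1.0940s) TCP 205.217.153.62:22 > 10.0.0.2:61278 SA ttl=44 id=12794 iplen=44 seq=4093108198 win=5840 ack=964039244
SENT (2.5150s) TCP 10.0.0.2:61279 > 205.217.153.62:26 S ttl=37 id=61031 iplen=44 seq=964104778 win=2048
SENT (2.5150s) TCP 10.0.0.2:61279 > 205.217.153.62:25 S ttl=46 id=32323 iplen=44 seq=964104778 win=3072
"""

if __name__ == '__main__':
    for name, trace in (('first trace', TRACE_CONNECT), ('second trace', TRACE_RAW)):
        print(name, analyze_trace(trace))
```

Run against the full traces above, the first one classifies as `connect` and the second as `raw`; in the raw trace every port except 22 appears in `silent` with two SYN probes each, which is exactly the retransmit-then-give-up pattern behind the "filtered" rows in the port table.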


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
