Nmap Development mailing list archives
Re: Problem with PCAP in NSE
From: majek04 <majek04+nmap-dev () gmail com>
Date: Thu, 20 Dec 2007 21:20:33 +0100
On 12/20/07, Lionel Cons <lionel.cons () cern ch> wrote:
> I've tried to use the PCAP functions in NSE and it seems that there is a problem with the BPF handling. I did specify a correct BPF string and a dummy hash function (returning ""), in the hope that the BPF was enough to ignore unwanted packets. Here is my code:
>
>     local callback = function(packetsz, layer2, layer3)
>       return ""
>     end
>     pcap:pcap_open(host.interface, 96, 0, callback,
>       string.format("udp and src port 123 and src host %s", host.ip))
>
> However, when scanning several hosts in parallel, some script instances received packets that should have been rejected by the BPF.

Well, it seems that your script is going to open one pcap descriptor for every scanned host, which is not very efficient. I'd suggest to code like this:

    -- the key is source host field of ip packet. ie 12-15th byte of layer3 (ip)
    pcap_callback = function(packetsz, layer2, layer3)
      return string.sub(layer3, 12+1, 15+1) -- indexes begin with 1 (not 0)
    end
    ...
    pcap:pcap_open(host.interface, 96, 0, pcap_callback, "udp and src port 123")
    pcap:set_timeout(5000)
    ...
    pcap:pcap_register(host.bin_ip)

Maybe my full example could help you:
http://ai.pjwstk.edu.pl/~majek/private/nmap/nse-pcap-u2/partial/pcap-example.nse

The result looks like this:

    Host script results:
    |_ PCAP example: packet got! (src host 89.171.64.43) packet:4500002.....

Nice to hear that someone's interested in pcap-nse :)

Marek Majkowski
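
A plain-Lua model of the key-based matching described in the reply above, added here as an example; it is not code from the thread or from Nmap. The helpers `bin_ip`, `ipv4_header` and `match`, the one-key-per-script table, and all addresses are assumptions made for illustration, and BPF filtering is not modelled.

```lua
-- Added example: plain-Lua model of key-based dispatch, not Nmap's own code.
-- Every packet and address below is constructed sample data.

-- Callback from the reply: key = IPv4 source address, header bytes 12..15
-- counted from 0, which are string positions 13..16 in Lua.
local function src_key(packetsz, layer2, layer3)
  return string.sub(layer3, 12 + 1, 15 + 1)
end

-- Callback from the original question: the same key for every packet.
local function constant_key(packetsz, layer2, layer3)
  return ""
end

-- Hypothetical helper: dotted quad -> 4-byte string, the form of host.bin_ip.
local function bin_ip(dotted)
  local a, b, c, d = dotted:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  return string.char(tonumber(a), tonumber(b), tonumber(c), tonumber(d))
end

-- Hypothetical helper: minimal 20-byte IPv4 header, protocol 17 (UDP).
local function ipv4_header(src, dst)
  return string.char(0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0)
    .. bin_ip(src) .. bin_ip(dst)
end

-- Assumed model: each script registers one key; a packet is matched to the
-- script whose key equals the callback's return value, else to nobody.
local function match(callback, registered, l3)
  return registered[callback(#l3, "", l3)] or "no listener"
end

local scanner = "192.0.2.1"
local hosts = { "198.51.100.10", "198.51.100.20" }
local by_src, by_const = {}, {}
for _, ip in ipairs(hosts) do
  by_src[bin_ip(ip)] = "script for " .. ip
  by_const[""] = "script for " .. ip  -- same key for every host: one slot only
end

for _, src in ipairs({ "198.51.100.20", "198.51.100.10", "203.0.113.5" }) do
  local pkt = ipv4_header(src, scanner)
  print(string.format("%-14s src-key -> %-26s constant-key -> %s",
    src, match(src_key, by_src, pkt), match(constant_key, by_const, pkt)))
end
```

In this model the source-address key ties each packet to the script registered for that host and leaves the unrelated sender unmatched, while the constant key gives every packet the same key, so the key alone cannot tell the scanned hosts apart.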