Nmap Development mailing list archives

Re: Problem with PCAP in NSE


From: majek04 <majek04+nmap-dev () gmail com>
Date: Thu, 20 Dec 2007 21:20:33 +0100

On 12/20/07, Lionel Cons <lionel.cons () cern ch> wrote:
> I've tried to use the PCAP functions in NSE and it seems that there is
> a problem with the BPF handling.
>
> I did specify a correct BPF string and a dummy hash function
> (returning ""), in the hope that the BPF was enough to ignore unwanted
> packets. Here is my code:
>
>         local callback = function(packetsz, layer2, layer3)
>                 return ""
>         end
>
>         pcap:pcap_open(host.interface, 96, 0, callback,
>                 string.format("udp and src port 123 and src host %s", host.ip))
>
> However, when scanning several hosts in parallel, some script
> instances received packets that should have been rejected by the BPF.

Well, it seems that your script is going to open one pcap descriptor
for every scanned host, which is not very efficient.

I'd suggest coding it like this:

-- the key is the source host field of the IP packet, i.e. bytes 12-15 of layer3 (IP)
pcap_callback = function(packetsz, layer2, layer3)
        return string.sub(layer3, 12+1, 15+1) -- indexes begin with 1 (not 0)
end

...
        pcap:pcap_open(host.interface, 96, 0, pcap_callback, "udp and src port 123")
        pcap:set_timeout(5000)

...
        pcap:pcap_register(host.bin_ip)



Maybe my full example could help you:
http://ai.pjwstk.edu.pl/~majek/private/nmap/nse-pcap-u2/partial/pcap-example.nse

The result looks like this:
Host script results:
|_ PCAP example: packet got! (src host 89.171.64.43) packet:4500002.....


Nice to hear that someone's interested in pcap-nse :)

Marek Majkowski

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
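
The keyed dispatch suggested in the reply above, as an added pure-Lua model that is not part of the original message or of Nmap's code: one shared capture, a callback that derives a key from each packet, and per-host instances that register their 4-byte binary address. The `registry` table, `register`, `dispatch` and `ipv4_header` are hypothetical stand-ins and the packets are constructed sample data; only `pcap_callback` mirrors the function in the reply.

```lua
-- Added illustration: a model of keyed packet dispatch in plain Lua.
-- It does not call the NSE pcap API; registry/register/dispatch are hypothetical.

-- Build a minimal 20-byte IPv4 header (constructed sample data, checksum left 0).
local function ipv4_header(src, dst)
  local function pack_ip(ip)
    local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
    return string.char(tonumber(a), tonumber(b), tonumber(c), tonumber(d))
  end
  -- version/IHL, TOS, total length, id, flags/frag, TTL, proto 17 (UDP), checksum
  return string.char(0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0)
         .. pack_ip(src) .. pack_ip(dst)
end

-- Same key function as in the reply: source address, header offsets 12..15,
-- which are string positions 13..16 because Lua indexes from 1.
local function pcap_callback(packetsz, layer2, layer3)
  return string.sub(layer3, 12 + 1, 15 + 1)
end

local registry = {}   -- key (4-byte binary IP) -> packets queued for that instance

local function register(bin_ip)
  registry[bin_ip] = registry[bin_ip] or {}
end

-- Deliver a packet only to the instance whose registered key matches.
local function dispatch(layer3)
  local key = pcap_callback(#layer3, "", layer3)
  if #key ~= 4 then return "dropped: truncated header" end
  local queue = registry[key]
  if not queue then return "dropped: no instance registered" end
  queue[#queue + 1] = layer3
  return "delivered"
end

local host_a = string.char(192, 0, 2, 10)   -- stands in for host.bin_ip
local host_b = string.char(192, 0, 2, 20)
register(host_a)
register(host_b)

print(dispatch(ipv4_header("192.0.2.10", "198.51.100.1")))   -- from host A
print(dispatch(ipv4_header("192.0.2.20", "198.51.100.1")))   -- from host B
print(dispatch(ipv4_header("192.0.2.99", "198.51.100.1")))   -- unscanned source
print(dispatch(string.sub(ipv4_header("192.0.2.10", "198.51.100.1"), 1, 14)))
print(#registry[host_a], #registry[host_b])
```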

