Nmap Development mailing list archives
Re: nmap sending encapsulated packets
From: Kris Katterjohn <katterjohn () gmail com>
Date: Wed, 02 Apr 2008 18:51:28 -0500
Mike Lude wrote:
> Now with almost any scan I do (for example, nmap -T Aggressive -O -v 192.168.155.22) it says that it can't find the host, and when I add the suggested -PN parameter it lists all ports as filtered, even though I have a perfectly accessible webserver running on the host to be scanned.
>
> So, I break out wireshark to see what's going on, and trace what nmap is sending and what I am receiving at the host. Every single outgoing packet is encapsulated, with a protocol of 0xFF. Here's a hex dump of the first packet sent:
>
> 0000 9c f4 20 00 03 00 03 00 03 00 00 00 08 00 45 00
> 0010 00 3c 94 91 00 00 80 ff ed 8c c0 a8 9b 3d c0 a8
> 0020 9b 16 45 00 00 28 71 62 00 00 2c 06 65 c9 c0 a8
> 0030 9b 3d c0 a8 9b 16 d3 0d 00 50 79 f3 1a 0a 00 00
> 0040 42 ba 50 10 04 00 4a 1a 00 00
>
> This matches exactly with what I see on the host being scanned.
Hmm.. I don't know; hopefully somebody else on this list can say something definitive. Here's what I'd try:

1) Obviously, make sure any firewalls and other network trickery are turned off.

2a) Run Nmap with as few options as possible (no timing options, no OS detection, etc). You probably want to narrow down the port ranges (-p) though, for ease of examination.

2b) While running, use Nmap's --packet-trace option and Wireshark to watch the packets. See what Nmap says it's sending and see what Wireshark actually reads. --packet-trace won't give you a full packet dump, but using it should tell you what Nmap thinks it's doing.
> This explains the "filtered" messages (the scanned host dropped all of the packets on the floor due to unrecognized protocol) but I've clearly got something very screwed up. What am I doing wrong?
Not just an unrecognized protocol, but if I'm not mistaken protocol 0xFF should never actually be sent over a network. I think the old hack (1980's) for sending raw IP packets w/headers involved patching the kernel and setting the socket() protocol field to 0xFF since it should never be used for anything.
> Again, I'm on WinXP SP2 with all of the latest fixes.
>
> /Mike Ludé
Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
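Added example (not part of the original message and not Nmap code): a small Python dissector run over the hex dump quoted above, showing the outer IPv4 header with protocol 0xFF wrapping a complete inner IPv4/TCP packet. The function names are hypothetical; the bytes are copied from the quoted dump.

```python
import struct
from ipaddress import IPv4Address

# Hex dump copied from the quoted message (Ethernet frame as seen in Wireshark).
DUMP = """
0000 9c f4 20 00 03 00 03 00 03 00 00 00 08 00 45 00
0010 00 3c 94 91 00 00 80 ff ed 8c c0 a8 9b 3d c0 a8
0020 9b 16 45 00 00 28 71 62 00 00 2c 06 65 c9 c0 a8
0030 9b 3d c0 a8 9b 16 d3 0d 00 50 79 f3 1a 0a 00 00
0040 42 ba 50 10 04 00 4a 1a 00 00
"""

def dump_to_bytes(dump):
    """Drop the offset column of each line and join the hex bytes."""
    rows = ("".join(line.split()[1:]) for line in dump.strip().splitlines())
    return bytes.fromhex("".join(rows))

def checksum_ok(header):
    """RFC 1071: the one's-complement sum over a valid header is 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4(buf):
    """Return (fields, payload) for the IPv4 header at the start of buf."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    fields = {"proto": proto, "ttl": ttl, "total_len": total_len,
              "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
              "checksum_ok": checksum_ok(buf[:ihl])}
    return fields, buf[ihl:total_len]

def dissect(frame):
    """Walk Ethernet -> outer IPv4 -> inner IPv4 -> TCP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4 over Ethernet")
    outer, payload = parse_ipv4(frame[14:])
    inner, segment = parse_ipv4(payload)  # raises if the payload is not IPv4
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", segment[:14])
    return outer, inner, {"sport": sport, "dport": dport, "flags": off_flags & 0x3F}

if __name__ == "__main__":
    for layer in dissect(dump_to_bytes(DUMP)):
        print(layer)
```

On this dump both IPv4 header checksums verify, and the inner packet is a TCP segment with only the ACK flag set, sent from 192.168.155.61 to port 80 on 192.168.155.22.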