Nmap Development mailing list archives

Re: Bad IP-checksums


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 26 Jul 2008 00:25:10 +0000

On Sat, 26 Jul 2008 02:06:55 +0200
Gisle Vanem <gvanem () broadpark no> wrote:

> The following command
>   nmap -d2 -sV -p1-100 -O 10.0.0.7
>
> generates approx. 150 IP packets of which 8 contain bad
> checksums (sent from 10.0.0.6). Check the attached pcap-trace
> and look at frames 290, 312, 314, 316, 344, 364, 366 and 368.
>
> Verified with "tshark -Vr wattcp.dbg | grep '[incorrect,'".
>
> All this is on Win-XP with nmap v. 4.6. Anybody else who can
> verify this?
>
> --gv

Okay here is my speculation.

Looking at your pcap file, the _only_ probes with a bad checksum are the
UDP OS fingerprint probes (probe U1).

The UDP checksum is correct but the IP checksum is wrong.  The
documentation for the U1 probe says that the IPID is supposed to be set
to 0x1042 but yours are set to 0x4210.

When I test on a Linux box I get IP packets with the correct IPID
field.  When I test on Windows I get the endianness reversed like
yours.  I haven't looked at the code for this so I can't say if this is
a Windows bug or an Nmap bug.

Brandon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
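
One way to test the speculation above against a captured header, as an added example (not part of the original message and not Nmap code): it recomputes the IPv4 header checksum and checks whether the stored value validates once the two IP ID bytes are swapped back. The header is constructed, and the premise that the checksum was computed before the ID bytes were reversed is this example's assumption, not something the thread establishes.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum over big-endian words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_checksum(header: bytes) -> int:
    """Checksum the header should carry (checksum field treated as zero)."""
    return ~ones_complement_sum(header[:10] + b"\x00\x00" + header[12:]) & 0xFFFF

def build_header(ipid: int, src: str, dst: str, total_len: int) -> bytes:
    """Constructed 20-byte IPv4/UDP header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ipid, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def swap_ipid(header: bytes) -> bytes:
    """Return the header with the two IP ID bytes (offsets 4 and 5) exchanged."""
    return header[:4] + header[5:6] + header[4:5] + header[6:]

def diagnose(packet: bytes) -> str:
    header = packet[:(packet[0] & 0x0F) * 4]   # IHL counts 32-bit words
    stored = struct.unpack("!H", header[10:12])[0]
    if ip_checksum(header) == stored:
        return "ok"
    if ip_checksum(swap_ipid(header)) == stored:
        return "ipid-swapped"   # checksum matches the byte-reversed ID
    return "bad"

# Constructed sample: addresses and ID from the thread, length and TTL made up.
GOOD = build_header(0x1042, "10.0.0.6", "10.0.0.7", 328)
ON_WIRE = swap_ipid(GOOD)      # ID reads 0x4210, checksum left untouched

if __name__ == "__main__":
    for name, pkt in (("expected", GOOD), ("on wire", ON_WIRE)):
        ipid = struct.unpack("!H", pkt[4:6])[0]
        print(f"{name}: id=0x{ipid:04x} -> {diagnose(pkt)}")
```

A result of "ipid-swapped" on a real frame would point at the ID bytes being reversed after checksum calculation; "bad" means the mismatch has some other cause.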

