Nmap Development mailing list archives

Re: Patch: better selection of traceroute probes


From: David Fifield <david () bamsoftware com>
Date: Fri, 5 Sep 2008 23:05:46 -0600

On Fri, Sep 05, 2008 at 06:09:48PM -0600, David Fifield wrote:
In http://seclists.org/nmap-dev/2008/q3/0539.html I observed that Nmap's
traceroute doesn't work like it should for ping scans. Instead of using
the ping probe that got a response as the traceroute probe, it just
picks an arbitrary one of the ping probes that were used.

I attached a patch to fix this. It makes traceroute use whatever probe
was used as a timing ping during host discovery and port scanning. The
timing probe promotes itself: whenever a response is received to a
"better" probe than the current timing probe, the better probe becomes
the new timing probe. So the timing probe is the best probe Nmap knows
of to reach a given target. The caching and promotion of timing probes
is summarized at http://seclists.org/nmap-dev/2008/q3/0647.html.

I decided to use the cached timing probe for all traceroute types, not
just ping scans. That's why I'm posting the patch to the list, because
it's a bigger change than it would have been and I think it deserves a
little testing. A bonus is that this change allows the elimination of a
lot of code from traceroute.cc. Now the complexity of port selection is
isolated in scan_engine.cc.

I committed the patch. With the release impending it needs a few days to
settle in the repository. Plus it's more of a bug fix than a new
feature. I still ask that you give it a try. Run a traceroute with
many types of ping scans and port scans. I wasn't able to find a machine
that responded to IP protocol probes other than ICMP, TCP, and UDP
(that's not on my local LAN), so if you could test that or send me the
address of a responsive machine I would appreciate it.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
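The promotion rule described in the message, as an added illustration that is not Nmap's code and not part of this thread: a per-target cache holds the best probe seen to draw a response, each new response either promotes a better probe or leaves the cache alone, and traceroute simply asks the cache. The ranking (TCP SYN over TCP ACK over UDP over ICMP echo), the fallback to ICMP echo when nothing has responded, and the type and function names are all assumptions made for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

// One probe specification: protocol plus, for TCP/UDP, the destination port.
// Constructed for this example; it is not Nmap's probespec type.
struct ProbeSpec {
    enum Proto { NONE, ICMP_ECHO, UDP, TCP_SYN, TCP_ACK };
    Proto proto;
    uint16_t port;  // 0 when the protocol carries no port
    bool operator==(const ProbeSpec &o) const { return proto == o.proto && port == o.port; }
};

// Assumed ranking of "better": a probe type that got through on a higher rung
// is preferred for timing and traceroute. NONE ranks lowest (nothing cached).
static int probe_rank(const ProbeSpec &p) {
    switch (p.proto) {
        case ProbeSpec::TCP_SYN:   return 4;
        case ProbeSpec::TCP_ACK:   return 3;
        case ProbeSpec::UDP:       return 2;
        case ProbeSpec::ICMP_ECHO: return 1;
        default:                   return 0;
    }
}

bool probe_is_better(const ProbeSpec &candidate, const ProbeSpec &current) {
    return probe_rank(candidate) > probe_rank(current);
}

// Per-target cache of the best probe known to elicit a response.
class TimingProbeCache {
public:
    // Called whenever a response to `probe` arrives from `target` during host
    // discovery or port scanning. Returns true if the probe was promoted.
    bool on_response(const std::string &target, const ProbeSpec &probe) {
        auto it = cache_.find(target);
        if (it == cache_.end()) { cache_[target] = probe; return true; }
        if (probe_is_better(probe, it->second)) { it->second = probe; return true; }
        return false;  // a worse (or equal) probe never demotes the cached one
    }
    // The probe traceroute should use for `target`. Falls back to ICMP echo
    // when no response has been cached yet (fallback is an assumption here).
    ProbeSpec traceroute_probe(const std::string &target) const {
        auto it = cache_.find(target);
        if (it != cache_.end()) return it->second;
        return ProbeSpec{ProbeSpec::ICMP_ECHO, 0};
    }
private:
    std::map<std::string, ProbeSpec> cache_;
};

// Scripted scan against a constructed target: ping scan gets an ICMP echo reply,
// the port scan then gets a SYN/ACK from port 80, and a later UDP reply does not
// displace it. Returns the probe traceroute would end up using.
ProbeSpec simulate_scan(const std::string &target) {
    TimingProbeCache cache;
    cache.on_response(target, ProbeSpec{ProbeSpec::ICMP_ECHO, 0});  // host discovery
    cache.on_response(target, ProbeSpec{ProbeSpec::TCP_SYN, 80});   // port scan, promoted
    cache.on_response(target, ProbeSpec{ProbeSpec::UDP, 53});       // worse, ignored
    return cache.traceroute_probe(target);
}

int main() {
    ProbeSpec p = simulate_scan("192.0.2.10");  // documentation-range address, constructed
    std::printf("traceroute probe: proto=%d port=%u\n", (int)p.proto, (unsigned)p.port);
    return 0;
}
```

The point the message makes is visible in `simulate_scan`: the probe traceroute ends up with is the one that actually reached the host, not an arbitrary member of the ping-probe list, and the selection lives entirely in the cache rather than in the traceroute code.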
