Nmap Development mailing list archives

Re: ip proto 0xff in syn pckts on ADSL connection


From: jfhorn <jfhorn () gmail com>
Date: Mon, 17 Nov 2008 16:54:16 -0500

David -

Thanks for the:

(a) complete description of the root cause and
(b) suggestion to the nmap-dev list for the generation of an appropriate warning

(Honestly, I didn't expect a lot of responses, seeing that almost
nobody seems to be using nmap+Windows+dial-up/non-Ethernet device.)

-J.

On Mon, Nov 17, 2008 at 3:21 PM, David Fifield <david () bamsoftware com> wrote:
> On Tue, Nov 04, 2008 at 11:01:55AM -0500, jfhorn wrote:
> > I'm looking for some insight into an issue (a bug, possibly with nmap)
> > involving the most recent nmap (4.76), Windows (XP SP2), WinPcap
> > (4.02), and a modem/dial-up adapter.
> >
> > PROBLEM: When attempting a TCP connect scan (-sT) to port 80 on
> > www.google.com over dial-up, the system emits packets correctly, *but*
> > when attempting to SYN scan (-sS) port 80 on www.google.com, the
> > system emits packets with the IP protocol type set to 0xFF.
>
> This is another symptom of an underlying Windows deficiency discussed
> here:
>
> http://seclists.org/nmap-dev/2008/q4/0257.html
>
> Windows doesn't support raw sockets. Nmap can work around this most of
> the time by using an Ethernet interface directly, but that only works
> for Ethernet devices. Scans requiring raw packets (including SYN scan)
> won't work on a dial-up connection. The workaround is (as you've
> discovered) to use -sT for a plain connect scan. To do more than that
> requires an operating system with support for raw sockets.
>
> There is a real problem here though, which is that Nmap doesn't print
> enough information about the situation. If you try to use --send-ip on
> Windows, you get the message
>
>        WARNING: raw IP (rather than raw ethernet) packet sending
>        attempted on Windows. This probably won't work.  Consider
>        --send-eth next time.
>
> It should print out something similar (without the --send-eth
> suggestion) when it doesn't find an Ethernet device to use.
>
> David Fifield

