Re: IE.DLI OS detection test

[ithilgore <ithilgore.ryu.l () gmail com>]

Brandon Enright wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, 12 Mar 2009 15:33:36 -0600
> David Fifield <david () bamsoftware com> wrote:
>
> > Hi,
> >
> > Fyodor noticed that every single reference fingerprint in nmap-os-db
> > that had a result of the IE.DLI test had the value S. Documentation
> > for that test is here:
> >
> > http://nmap.org/book/osdetect-methods.html#osdetect-dl
> >
> > The test measures the length of data returned in the replies to the
> > two ICMP echo probes. The documentation says that some implementations
> > truncate the data, but that is not supported by the database. I did a
> > test:
> >
> > hping2 --rand-dest --icmp -d 120 --fast --interface eth0 x.x.x.x
> >
> > and let it run for a while. There were 37461 packets transmitted and
> > 1520 packets received. Of those 1520, 1394 were echo replies. All of
> > them had len=148, corresponding to an ICMP data length of 120.
> >
> > I recommend we just remove the test.
> >
> > David Fifield
>
> Perhaps we just aren't sending enough data?  I don't know if we can
> change the probe or add another one but what happens when we send, say,
> 400 bytes of data?
>
> Brandon

I checked with values of 400 and 1000 and results were the same. According to
RFC 1122, data received in ICMP echo requests MUST be included in the reply,
so I guess nearly all systems go by the book in that regard.
Though I guess people should first do some more tests before completely removing the probe,
just to be certain.

- ithilgore



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org