Nmap Development mailing list archives
Re: IE.DLI OS detection test
From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Fri, 13 Mar 2009 02:44:20 +0200
Brandon Enright wrote:
> On Thu, 12 Mar 2009 15:33:36 -0600
> David Fifield <david () bamsoftware com> wrote:
>
> > Hi,
> >
> > Fyodor noticed that every single reference fingerprint in nmap-os-db
> > that had a result of the IE.DLI test had the value S. Documentation
> > for that test is here:
> >
> > http://nmap.org/book/osdetect-methods.html#osdetect-dl
> >
> > The test measures the length of data returned in the replies to the
> > two ICMP echo probes. The documentation says that some implementations
> > truncate the data, but that is not supported by the database.
> >
> > I did a test:
> >
> >     hping2 --rand-dest --icmp -d 120 --fast --interface eth0 x.x.x.x
> >
> > and let it run for a while. There were 37461 packets transmitted and
> > 1520 packets received. Of those 1520, 1394 were echo replies. All of
> > them had len=148, corresponding to an ICMP data length of 120.
> >
> > I recommend we just remove the test.
> >
> > David Fifield
>
> Perhaps we just aren't sending enough data? I don't know if we can
> change the probe or add another one but what happens when we send, say,
> 400 bytes of data?
>
> Brandon

I checked with values of 400 and 1000 and results were the same.
According to RFC 1122, data received in ICMP echo requests MUST be
included in the reply, so I guess nearly all systems go by the book in
that regard. Though I guess people should first do some more tests
before completely removing the probe, just to be certain.

- ithilgore
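
The database check described in this thread (every reference fingerprint with an IE.DLI result carrying the value S) can be automated for any test attribute. This is an added example, not part of the original messages or Nmap's own code; the sample fingerprints are constructed, and the parser assumes nmap-os-db's `TEST(ATTR=value%ATTR=value)` line layout with `|` separating alternative values.

```python
import re
from collections import defaultdict

# Constructed sample in nmap-os-db style (assumption: NOT real reference fingerprints).
SAMPLE_DB = """\
# constructed sample database
Fingerprint Example OS A
Class ExampleVendor | ExampleOS | 1.X | general purpose
IE(R=Y%DFI=N%T=40%TG=40%CD=S%DLI=S)

Fingerprint Example OS B
Class ExampleVendor | ExampleOS | 2.X | general purpose
IE(R=Y%DFI=N|S%T=80%TG=80%CD=Z%DLI=S)

Fingerprint Example OS C
Class ExampleVendor | ExampleOS | 3.X | general purpose
IE(R=N)
"""

# A test line looks like NAME(ATTR=expr%ATTR=expr...).
TEST_LINE = re.compile(r"^([A-Z][A-Z0-9]*)\((.*)\)$")


def tally_values(db_text):
    """Map 'TEST.ATTR' -> {value: number of fingerprints listing that value}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in db_text.splitlines():
        match = TEST_LINE.match(line.strip())
        if not match:
            continue  # comments, Fingerprint/Class lines, blank lines
        test, body = match.groups()
        for pair in body.split("%"):
            attr, sep, expr = pair.partition("=")
            if not sep:
                continue  # skip malformed or empty attribute entries
            # Alternatives are split on '|'; ranges are counted as literal text.
            for value in expr.split("|"):
                counts[f"{test}.{attr}"][value] += 1
    return counts


def constant_attributes(db_text):
    """Attributes that only ever take one value, so they cannot tell systems apart."""
    return {name: next(iter(values))
            for name, values in tally_values(db_text).items()
            if len(values) == 1}


if __name__ == "__main__":
    for name, value in sorted(constant_attributes(SAMPLE_DB).items()):
        print(f"{name} is always {value}")
```

Replacing `SAMPLE_DB` with the contents of a real nmap-os-db file lists every attribute that takes a single value across the whole database.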