Nmap Development mailing list archives

Re: [PATCH] scan_engine.cc get_(ping_)?pcap_result() goodseq cleanup


From: David Fifield <david () bamsoftware com>
Date: Mon, 2 Nov 2009 15:59:33 -0700

Hi,

This is in response to http://seclists.org/nmap-dev/2009/q1/414. In that
thread, Daniel Roethlisberger made a patch that slightly changed how TCP
probes were matched in some cases. I tested the change and found that it
negatively affected accuracy, but I recently realized that I made a
mistake in testing. Corrected tests show that it doesn't affect
accuracy. Daniel, accept my apology.

I realized this when I made the same mistake in a recent test while
working on better probe matching to distinguish responses to SYN and ACK
probes. The erroneous results are here:

http://www.bamsoftware.com/wiki/Nmap/PerformanceNotes#token-2009-10-10

The mistake I made is that I configured one of the test nmaps with a
prefix of /usr/local, but didn't install it there. I have my usual
installation in /usr. When it looked for its nmap-services file in
/usr/local/share/nmap, it didn't find it, and fell back to /etc/services
instead. Thus it was using a completely different set of ports, and I
think that accounts for all of the difference I saw.

I have redone Daniel's patch in my nmap-token branch, which I think will
be merged shortly.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

