Nmap Development mailing list archives
Re: nmap returns "Host <ip_address> appears to be up" instead of "Host <hostname> appears to be up" for some of the nodes
From: Guang Cheng Li <liguangc () cn ibm com>
Date: Fri, 13 Nov 2009 12:57:50 +0800
I use hostnames everywhere in my scripts and in our product, so it will be difficult for us to change to using IP addresses unless we resolve the hostnames to IP addresses before passing them to nmap; hostname resolution will bring in performance degradation, so I hesitate to do this. All the host names can get through the system resolver; if I add the flag "--system-dns" to nmap, then all the hostnames are returned from nmap. From this point of view, I suspect this may be an nmap bug. I noticed a special configuration in my cluster that may be causing the problem: we use two nameservers in /etc/resolv.conf, one for the private subnet and one for the public subnet. The private subnet name server will be checked first because it is the first nameserver in /etc/resolv.conf, but when I turned on nmap -d9, it seems nmap is sending the DNS query to the public subnet name server.

c906mgrs2:/opt/xcat/bin # cat /etc/resolv.conf | grep nameserver
nameserver 10.0.0.242    ==========> private subnet nameserver
nameserver 9.114.8.1     =========> public subnet nameserver
c906mgrs2:/opt/xcat/bin #
c906mgrs2:/opt/xcat/bin # nslookup c906f06c01p05    =============> system resolver works
Server:         10.0.0.242
Address:        10.0.0.242#53

Name:   c906f06c01p05.cluster.com
Address: 10.6.1.5

c906mgrs2:/opt/xcat/bin # ping c906f06c01p05
PING c906f06c01p05 (10.6.1.5) 56(84) bytes of data.
64 bytes from c906f06c01p05 (10.6.1.5): icmp_seq=1 ttl=64 time=0.112 ms
^C
--- c906f06c01p05 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.112/0.112/0.112/0.000 ms
c906mgrs2:/opt/xcat/bin #
c906mgrs2:/opt/xcat/bin # nmap -PE -d9 --send-ip -sP c906f06c01p05

Starting Nmap 4.75 ( http://nmap.org ) at 2009-11-12 23:45 EST
Fetchfile found /usr/share/nmap/nmap-services
PORTS: Using top 1000 ports found open (TCP:0, UDP:0)
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 23:45
Scanning 10.6.1.5 [1 port]
Pcap filter: dst host 10.0.0.242 and (icmp or ((tcp or udp) and (src host 10.6.1.5)))
Packet capture filter (device eth1): dst host 10.0.0.242 and (icmp or ((tcp or udp) and (src host 10.6.1.5)))
SENT (0.1550s) ICMP 10.0.0.242 > 10.6.1.5 echo request (type=8/code=0) ttl=59 id=38149 iplen=28
**TIMING STATS** (0.1550s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ccthresh/delay, timeout/srtt/rttvar/
  Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
  10.6.1.5: 1/0/0/1/0/0 10.00/75/0 1000000/-1/-1
Current sending rates: 15.34 packets / s, 429.57 bytes / s.
Overall sending rates: 15.34 packets / s, 429.57 bytes / s.
RCVD (0.1550s) ICMP 10.6.1.5 > 10.0.0.242 echo reply (type=0/code=0) ttl=64 id=61717 iplen=28
Found 10.6.1.5 in incomplete hosts list.
We got a ping packet back from 10.6.1.5: id = 45799 seq = 0 checksum = 19736
ultrascan_host_probe_update called for machine 10.6.1.5 state UNKNOWN -> HOST_UP (trynum 0 time: 212)
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 124 ==> srtt: 124 rttvar: 5000 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 124 ==> srtt: 124 rttvar: 5000 to: 100000
Changing ping technique for 10.6.1.5 to icmp type 8 code 0
Moving 10.6.1.5 to completed hosts list with 0 outstanding probes.
Completed Ping Scan at 23:45, 0.07s elapsed (1 total hosts)
Overall sending rates: 15.31 packets / s, 428.57 bytes / s.
pcap stats: 1 packets received by filter, 0 dropped by kernel.
mass_rdns: Using DNS server 10.0.0.242
mass_rdns: Using DNS server 9.114.8.1
NSOCK (0.2620s) msevent_new (IOD #1) (EID #8)
NSOCK (0.2620s) UDP connection requested to 9.114.8.1:53 (IOD #1) EID 8
NSOCK (0.2620s) msevent_new (IOD #1) (EID #18)
NSOCK (0.2620s) Read request from IOD #1 [9.114.8.1:53] (timeout: -1ms) EID 18
NSOCK (0.2630s) msevent_new (IOD #2) (EID #24)
NSOCK (0.2630s) UDP connection requested to 10.0.0.242:53 (IOD #2) EID 24
NSOCK (0.2630s) msevent_new (IOD #2) (EID #34)
NSOCK (0.2630s) Read request from IOD #2 [10.0.0.242:53] (timeout: -1ms) EID 34
Initiating Parallel DNS resolution of 1 host. at 23:45
mass_rdns: TRANSMITTING for <10.6.1.5> (server <9.114.8.1>)    ====================> Wrong name server is selected.
NSOCK (0.2630s) msevent_new (IOD #1) (EID #43)
NSOCK (0.2630s) Write request for 39 bytes to IOD #1 EID 43 [9.114.8.1:53]: .............5.1.6.10.in-addr.arpa.....
NSOCK (0.2630s) nsock_loop() started (timeout=500ms). 5 events pending
NSOCK (0.2630s) wait_for_events
NSOCK (0.2630s) Callback: CONNECT SUCCESS for EID 24 [10.0.0.242:53]
NSOCK (0.2630s) msevent_delete (IOD #2) (EID #24)
NSOCK (0.2630s) Callback: CONNECT SUCCESS for EID 8 [9.114.8.1:53]
NSOCK (0.2630s) msevent_delete (IOD #1) (EID #8)
NSOCK (0.2630s) Callback: WRITE SUCCESS for EID 43 [9.114.8.1:53]
NSOCK (0.2630s) msevent_delete (IOD #1) (EID #43)
NSOCK (0.2630s) wait_for_events
NSOCK (0.2630s) Callback: READ SUCCESS for EID 18 [9.114.8.1:53] (116 bytes)
NSOCK (0.2630s) msevent_new (IOD #1) (EID #50)
NSOCK (0.2630s) Read request from IOD #1 [9.114.8.1:53] (timeout: -1ms) EID 50
CAPACITY <9.114.8.1> = 12
NSOCK (0.2630s) msevent_delete (IOD #1) (EID #50)
NSOCK (0.2630s) msevent_delete (IOD #2) (EID #34)
mass_rdns: NXDOMAIN <id = 37127>
mass_rdns: 0.02s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
NSOCK (0.2630s) msevent_delete (IOD #1) (EID #18)
Completed Parallel DNS resolution of 1 host. at 23:45, 0.00s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Fetchfile found /usr/share/nmap/nmap-mac-prefixes
Host 10.6.1.5 appears to be up, received echo-reply.    =======================> ip address is returned
MAC Address: 00:1A:64:FC:0A:37 (IBM)
Read from /usr/share/nmap: nmap-mac-prefixes nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
c906mgrs2:/opt/xcat/bin #

Thanks,
-------------------------------------------------------------------------
Li,Guang Cheng (李光成)
IBM China Software Development Laboratory

David Fifield <david@bamsoftware.com>
2009-11-13 11:24

To:      Guang Cheng Li/China/IBM@IBMCN
cc:      nmap-dev () insecure org
Subject: Re: nmap returns "Host <ip_address> appears to be up" instead of "Host <hostname> appears to be up" for some of the nodes

On Fri, Nov 13, 2009 at 09:27:59AM +0800, Guang Cheng Li wrote:
> Hi David,
>
> Thank you for your response. The -oX and -oG do change the output format to make it easier for the output parsing, but the "hostname" information is still not available for some nodes. I can update my script to check both the ip address and the hostname, but I have to call a lot of hostname resolution system calls to resolve the hostnames/ip addresses; the performance degradation might be a problem for me because I can have at most 64,000 nodes in my cluster.
Even if you're using the normal output, you don't have to look up the hostnames when they are present. The IP address is always there too, in parentheses. If the hostname is not present, it means that reverse DNS for that address failed. If there is a host whose name you can get through your system resolver but not with Nmap, then it is likely a bug and we would like to have more information about it.
> Actually we are using /etc/hosts to resolve the host names because the DNS itself also has some kind of scaling issues, though the DNS hostname resolution also works in the cluster. Do you think the flag "--system-dns" will be a better choice for us because we are using /etc/hosts for hostname resolution? The experiment also shows that "--system-dns" runs faster in my environment; are there any other side effects of specifying the "--system-dns" flag?
Nmap's parallel DNS resolver also looks in /etc/hosts, so if all the hosts are in there it shouldn't have an effect. You will have to test yourself to see which is faster.

David Fifield
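David's point above is that a script never needs to call the resolver for hosts Nmap already named, because the IP address is always present in the output and the hostname is simply absent when reverse DNS failed. The following is an added example (not code from the thread, from Nmap or from the xCAT product) that parses both the Nmap 4.x normal output lines and the -oG "Host:" lines, keeps the hostname where Nmap supplied one, and otherwise falls back to a table loaded once from /etc/hosts so that no per-host resolver system call is made. The sample output, the /etc/hosts text and the second node (10.6.1.6, c906f06c01p06) are constructed for the example; 10.6.1.5 and c906f06c01p05.cluster.com are the addresses from the thread.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class HostRecord(NamedTuple):
    ip: str
    hostname: Optional[str]  # None when Nmap's reverse DNS produced no name
    status: str


# Nmap 4.x normal output, both shapes seen in this thread (with or without a name):
#   Host c906f06c01p05.cluster.com (10.6.1.5) appears to be up.
#   Host 10.6.1.5 appears to be up, received echo-reply.
NORMAL_RE = re.compile(
    r"^Host (?:(?P<name>[^\s(]+) \((?P<ip1>[0-9.]+)\)|(?P<ip2>[0-9.]+)) "
    r"appears to be (?P<status>up|down)"
)

# Grepable (-oG) output; the parentheses are empty when reverse DNS failed:
#   Host: 10.6.1.5 (c906f06c01p05.cluster.com)<TAB>Status: Up
GREP_RE = re.compile(
    r"^Host: (?P<ip>[0-9.]+) \((?P<name>[^)]*)\)\s+Status: (?P<status>\w+)"
)

# Constructed sample inputs (10.6.1.6 / c906f06c01p06 are invented for the example)
SAMPLE_NORMAL = """\
Starting Nmap 4.75 ( http://nmap.org ) at 2009-11-12 23:45 EST
Host c906f06c01p05.cluster.com (10.6.1.5) appears to be up.
Host 10.6.1.6 appears to be up.
Nmap done: 2 IP addresses (2 hosts up) scanned in 0.46 seconds
"""

SAMPLE_GREP = """\
# Nmap 4.75 scan initiated (constructed header line)
Host: 10.6.1.5 (c906f06c01p05.cluster.com)\tStatus: Up
Host: 10.6.1.6 ()\tStatus: Up
"""

SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.6.1.5    c906f06c01p05.cluster.com c906f06c01p05
10.6.1.6    c906f06c01p06.cluster.com c906f06c01p06   # constructed entry
"""


def load_hosts(text: str) -> Dict[str, str]:
    """Parse /etc/hosts-style text once into {ip: canonical name}; comments ignored."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            table.setdefault(fields[0], fields[1])  # first entry for an IP wins
    return table


def parse_line(line: str) -> Optional[HostRecord]:
    """Return a HostRecord for a normal or grepable host line, else None."""
    m = NORMAL_RE.match(line)
    if m:
        return HostRecord(m.group("ip1") or m.group("ip2"), m.group("name"),
                          m.group("status").lower())
    m = GREP_RE.match(line)
    if m:
        return HostRecord(m.group("ip"), m.group("name") or None,
                          m.group("status").lower())
    return None


def parse_output(text: str) -> List[HostRecord]:
    """Collect host records from a whole Nmap output text (normal or -oG)."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line.strip())
        if rec is not None:
            records.append(rec)
    return records


def display_name(rec: HostRecord, hosts: Dict[str, str]) -> str:
    """Prefer Nmap's name; else the local hosts table; else the bare IP address."""
    if rec.hostname:
        return rec.hostname
    return hosts.get(rec.ip, rec.ip)


def resolve_names(output: str, hosts: Dict[str, str]) -> List[Tuple[str, str]]:
    """(ip, name) pairs for every host line, without any resolver call."""
    return [(r.ip, display_name(r, hosts)) for r in parse_output(output)]


if __name__ == "__main__":
    table = load_hosts(SAMPLE_HOSTS)
    for ip, name in resolve_names(SAMPLE_NORMAL, table):
        print(f"{ip} -> {name}")
```

Loading /etc/hosts into a dictionary is a single file read, so the per-node cost of the fallback is a hash lookup rather than a gethostbyaddr() call, which is what makes this workable at the 64,000-node scale mentioned in the thread.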
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
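The -d9 output earlier in this message shows Nmap's mass_rdns writing a 39-byte PTR query for 5.1.6.10.in-addr.arpa to 9.114.8.1 and getting NXDOMAIN back, while the system resolver, which asks 10.0.0.242 first, finds the name. The following is an added example (not code from the thread or from Nmap's source) that builds that same PTR query with only the standard library, checks the RCODE of a reply, and can send the query to each nameserver listed in /etc/resolv.conf in turn so that an administrator can see which server actually holds the reverse record. The resolv.conf text is constructed from the two addresses in the thread, the NXDOMAIN reply is constructed (Nmap's log shows only the result, not the packet bytes), and transaction id 37127 is the one from the log.

```python
import socket
import struct
from typing import List, Tuple

# Constructed resolv.conf mirroring the two nameservers shown in the thread
RESOLV_CONF = """\
nameserver 10.0.0.242
nameserver 9.114.8.1
"""

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_nameservers(resolv_text: str) -> List[str]:
    """Nameserver addresses in the order the system resolver would try them."""
    servers = []
    for raw in resolv_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def ptr_name(ip: str) -> str:
    """10.6.1.5 -> 5.1.6.10.in-addr.arpa, the name seen in the -d9 write request."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_ptr_query(ip: str, txid: int) -> bytes:
    """Minimal recursion-desired PTR query: 12-byte header, question, QTYPE 12, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(ptr_name(ip)) + struct.pack("!HH", 12, 1)


def parse_rcode(response: bytes, expected_txid: int) -> Tuple[int, str]:
    """Validate a reply header and return its RCODE number and name."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    return rcode, RCODE_NAMES.get(rcode, f"RCODE{rcode}")


def constructed_nxdomain_reply(ip: str, txid: int) -> bytes:
    """Constructed reply of the kind the public server gave: QR, RD, RA set, RCODE 3."""
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)
    return header + encode_name(ptr_name(ip)) + struct.pack("!HH", 12, 1)


def query_server(server: str, ip: str, txid: int, timeout: float = 2.0) -> str:
    """Send the PTR query to one nameserver over UDP and return the RCODE name (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ptr_query(ip, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_rcode(data, txid)[1]


def probe_all(resolv_text: str, ip: str, txid: int = 37127) -> List[Tuple[str, str]]:
    """Ask every configured nameserver separately so a per-server NXDOMAIN stands out."""
    results = []
    for server in parse_nameservers(resolv_text):
        try:
            results.append((server, query_server(server, ip, txid)))
        except (OSError, ValueError) as exc:  # socket.timeout is an OSError subclass
            results.append((server, f"ERROR: {exc}"))
    return results


if __name__ == "__main__":
    for server, outcome in probe_all(RESOLV_CONF, "10.6.1.5"):
        print(f"{server}: {outcome}")
```

Running probe_all against a real resolv.conf shows, per server, whether the PTR record exists there; a private server answering NOERROR while the public one answers NXDOMAIN is exactly the split-horizon situation this thread describes, and it explains why a resolver that spreads queries across all listed servers can report an IP address for a host the system resolver names.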
Current thread:
- nmap returns "Host <ip_address> appears to be up" instead of "Host <hostname> appears to be up" for some of the nodes Guang Cheng Li (Nov 12)
- Re: nmap returns "Host <ip_address> appears to be up" instead of "Host <hostname> appears to be up" for some of the nodes David Fifield (Nov 12)
- Re: nmap returns "Host <ip_address> appears to be up" instead of "Host <hostname> appears to be up" for some of the nodes Rob Nicholls (Nov 12)
- Re: nmap returns "Host <ip_address> appears to be up" instead of "Host <hostname> appears to be up" for some of the nodes Guang Cheng Li (Nov 12)
- Re: nmap returns "Host <ip_address> appears to be up" instead of "Host <hostname> appears to be up" for some of the nodes David Fifield (Nov 12)
- Re: nmap returns "Host <ip_address> appears to be up" instead of "Host <hostname> appears to be up" for some of the nodes Guang Cheng Li (Nov 12)
- Re: nmap returns "Host <ip_address> appears to be up" instead of "Host <hostname> appears to be up" for some of the nodes David Fifield (Nov 12)