Nmap Development mailing list archives
Re: MacOS X 10.6.4 - pcap reception via NSE not working?
From: Kris Katterjohn <katterjohn () gmail com>
Date: Thu, 19 Aug 2010 21:03:42 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/19/2010 08:02 PM, David Fifield wrote:
I spent most of today looking into this. It appears to be another change in OS X BPF. http://sourceforge.net/tracker/?func=detail&aid=2902860&group_id=53067&atid=469577 I can reproduce it with NSE and Nping. The common element is Nsock's pcap capture. What's happening is that packets are being captured in non-blocking mode, but they are not being flushed to user space until a lot of them have been buffered in the kernel. I attached a test program that illustrates this. If you run it as it is, it will not print out any captures until you create a lot of traffic. If you comment out the call to pcap_setnonblock, you will see captures right away. The reason that port scans still work is that scan_engine.cc doesn't call pcap_setnonblock, instead using a short timeout on platforms where pcap descriptors are not selectable. I found that removing pcap_set_nonblock and reducing the timeout in Nsock makes NSE and Nping work. Another option is to set the BIOCIMMEDIATE ioctl as described in the linked page. I'll look more into it.
Doug was suggesting using BIOCIMMEDIATE before (early 2007), but for a different reason[1]. I had made some replies to his post, but I don't think it was brought up again. Perhaps using this is the way to go since not using it could cause problems in the future: maybe other systems will behave differently as Guy Harris describes they're supposed to be doing. And with luck maybe we can still get a performance boost like Doug described.
David Fifield
Cheers, Kris Katterjohn [1] http://seclists.org/nmap-dev/2007/q1/174 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJMbeJ9AAoJEEQxgFs5kUfupGsP/3jYbkaMktSjyClNyLLTsmze oelZWYr+CV3Ezzbuihzizkjpg0UHa8e1FFmHFuvbGPJOlcsaRKxeOBSUQQYMkHg4 rj96el1g+zYn/38Ia+qrYra603VVPFgtVstxvAeVAPMmpD94jJfdl0qnEcmywvaw C5Keoo9plU/l+6rGGzM/6p/7uDCI3S5e7wK+tnUODmLany5Nd1CdiNsTHlC7JiZW Nn61DOUpdOd3FcE/WNMUx75LKq7T3N14PtNy8tGckhONf6gIoBDsH8Jm7LRp4f2u KPTqr+PSQI0N820AeJersMMSLycaWe3weu+jGI1g7hFrzC35TvaiT3Mz+FIPXcpo Y1qeibVWTRrkLNEY6b9aF7QHim+3RvBncq4OY0277YjC6tbk+TBK1u3WZu7uMbCD UVGHHTh0CybVNM4ErH08wBU0u0UYOzuxJ9j+MwV98YKDe4naPcnQvKJ58snztN8M Q27dl/VrNkMajtbiLqUBRV9MahtQfrXBdyDu7ErMOw1xzaSWFogRY5IcK71Rh4IK sKMHfcR2Cg4Nuntq82QVetOyu7R61uc6yGI2Z5aVXgMbre6hsLLnYzfhQvkjwgC2 OQH1Oj3QsxuntH2wwFRAGqJPZz08SWLwzq0WPqHCP/j/IEEvvkfi3Ya1iqpJ8xB7 yUo8kMiO/nkrSxS0iBuk =ZvWU -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- MacOS X 10.6.4 - pcap reception via NSE not working? Jean Mousinho (Jul 30)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 15)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 19)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Kris Katterjohn (Aug 19)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 19)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 20)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 20)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 20)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 20)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 21)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 19)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 15)