Nmap Development mailing list archives

Re: MacOS X 10.6.4 - pcap reception via NSE not working?


From: Kris Katterjohn <katterjohn () gmail com>
Date: Thu, 19 Aug 2010 21:03:42 -0500

On 08/19/2010 08:02 PM, David Fifield wrote:
> I spent most of today looking into this. It appears to be another change
> in OS X BPF.
>
> http://sourceforge.net/tracker/?func=detail&aid=2902860&group_id=53067&atid=469577
>
> I can reproduce it with NSE and Nping. The common element is Nsock's
> pcap capture. What's happening is that packets are being captured in
> non-blocking mode, but they are not being flushed to user space until a
> lot of them have been buffered in the kernel. I attached a test program
> that illustrates this. If you run it as it is, it will not print out any
> captures until you create a lot of traffic. If you comment out the call
> to pcap_setnonblock, you will see captures right away.
>
> The reason that port scans still work is that scan_engine.cc doesn't
> call pcap_setnonblock, instead using a short timeout on platforms where
> pcap descriptors are not selectable.
>
> I found that removing pcap_setnonblock and reducing the timeout in
> Nsock makes NSE and Nping work. Another option is to set the
> BIOCIMMEDIATE ioctl as described in the linked page. I'll look more into
> it.


Doug was suggesting using BIOCIMMEDIATE before (early 2007), but for a
different reason[1].  I had made some replies to his post, but I don't think
it was brought up again.

Perhaps using this is the way to go since not using it could cause problems in
the future: maybe other systems will behave differently as Guy Harris
describes they're supposed to be doing.  And with luck maybe we can still get
a performance boost like Doug described.

> David Fifield


Cheers,
Kris Katterjohn

[1] http://seclists.org/nmap-dev/2007/q1/174
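
The BIOCIMMEDIATE option discussed in this message, sketched as an added example that is not part of the original thread and is not Nmap or Nsock code: it makes a capture descriptor non-blocking and, on BPF platforms, enables immediate mode so that select() sees packets as they arrive. The helper name `prepare_capture_fd` and the `PREP_*` flags are hypothetical; in real use the descriptor would be assumed to come from the pcap handle (for example via `pcap_get_selectable_fd()`), and a pipe stands in for it here.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/ioctl.h>
#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__NetBSD__) || \
    defined(__OpenBSD__) || defined(__DragonFly__)
#include <net/bpf.h>   /* defines BIOCIMMEDIATE on BPF platforms */
#endif

#define PREP_NONBLOCK  0x1  /* O_NONBLOCK is now set on the descriptor */
#define PREP_IMMEDIATE 0x2  /* BPF immediate mode was enabled */

/* Hypothetical helper (not Nsock code). Returns a PREP_* bitmask, or -1 if
 * the descriptor is invalid or cannot be made non-blocking. */
int prepare_capture_fd(int fd)
{
    int result = 0;
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags == -1 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1)
        return -1;
    result |= PREP_NONBLOCK;
#ifdef BIOCIMMEDIATE
    {
        /* Deliver each packet to user space as it arrives, instead of
         * waiting for the kernel store buffer to fill or the read timeout. */
        unsigned int on = 1;
        if (ioctl(fd, BIOCIMMEDIATE, &on) == 0)
            result |= PREP_IMMEDIATE;
    }
#endif
    return result;
}

int main(void)
{
    /* Constructed stand-in: a pipe is a valid descriptor but not a BPF
     * device, so only PREP_NONBLOCK is expected here. */
    int p[2];
    if (pipe(p) == -1)
        return 1;
    int r = prepare_capture_fd(p[0]);
    printf("nonblock=%d immediate=%d\n",
           (r & PREP_NONBLOCK) != 0, (r & PREP_IMMEDIATE) != 0);
    close(p[0]);
    close(p[1]);
    return r == -1;
}
```

On platforms without BPF the ioctl is compiled out and the helper only sets O_NONBLOCK, so a caller can check for `PREP_IMMEDIATE` to decide whether it still needs a short polling timeout.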
