Nmap Development mailing list archives

Re: [RFC] path-mtu.nse, host.interface_mtu, etc.


From: Kris Katterjohn <katterjohn () gmail com>
Date: Mon, 23 Aug 2010 20:51:51 -0500


On 08/23/2010 11:37 AM, David Fifield wrote:
On Wed, Aug 04, 2010 at 08:05:00PM -0500, Kris Katterjohn wrote:
The script isn't working for me with SYN probes. I'm not sure what's
wrong but tcpdump doesn't show any replies.
Thanks for testing.

I get replies and the script behaves correctly when I use scanme.  Did you
happen to test against any other host, on a LAN or out on the internet?  What
about using UDP?

Similar packets sent by Nping get a response.

# nping --tcp -p 22 64.13.134.52 --df
16:32:38.135869 IP (tos 0x0, ttl 64, id 33435, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.21.57093 > 64.13.134.52.22: Flags [S], cksum 0x78f4 (correct), seq 2445687109, win 1480, length 0
16:32:38.202608 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    64.13.134.52.22 > 192.168.0.21.57093: Flags [S.], cksum 0x4e5e (correct), seq 33882044, ack 2445687110, win 5840, options [mss 1460], length 0
16:32:38.202700 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.21.57093 > 64.13.134.52.22: Flags [R], cksum 0x7eb9 (correct), seq 2445687110, win 0, length 0


Does Nping still work when you add a bunch of data to the mix?

Using "nping -c 1 --tcp --df -p 22 --data-length 1460 64.13.134.52":

SENT (0.0220s) TCP 192.168.10.6:5116 > 64.13.134.52:22 S ttl=64 id=45459 iplen=1500  seq=3298795002 win=1480
RCVD (0.0250s) ICMP w.x.y.z > 192.168.10.6 Fragmentation required (type=3/code=4) ttl=29 id=3655 iplen=56

You're right. Nping with a non-zero amount of data doesn't work for me
either. I think it's my home router blocking the packets. I verified
that they aren't making it to the destination.

# ./nping --echo-client public --tcp -p 80 --df -c 2 echo.nmap.org

Starting Nping 0.5.35DC18 ( http://nmap.org/nping ) at 2010-08-23 10:31 MDT
SENT (1.1220s) TCP 192.168.0.21:21151 > 178.79.132.93:80 S ttl=64 id=48781 iplen=40  seq=2942041858 win=1480
CAPT (1.2070s) TCP 206.81.65.18:21151 > 178.79.132.93:80 S ttl=49 id=48781 iplen=40  seq=2942041858 win=1480
RCVD (1.2760s) TCP 178.79.132.93:80 > 192.168.0.21:21151 RA ttl=48 id=0 iplen=40  seq=0 win=0
SENT (2.1240s) TCP 192.168.0.21:21151 > 178.79.132.93:80 S ttl=64 id=48781 iplen=40  seq=2942041858 win=1480
CAPT (2.2015s) TCP 206.81.65.18:21151 > 178.79.132.93:80 S ttl=49 id=48781 iplen=40  seq=2942041858 win=1480
RCVD (2.2780s) TCP 178.79.132.93:80 > 192.168.0.21:21151 RA ttl=48 id=0 iplen=40  seq=0 win=0

# ./nping --echo-client public --tcp -p 80 --df -c 2 echo.nmap.org --data-length 10

Starting Nping 0.5.35DC18 ( http://nmap.org/nping ) at 2010-08-23 10:31 MDT
SENT (1.0880s) TCP 192.168.0.21:15766 > 178.79.132.93:80 S ttl=64 id=42908 iplen=50  seq=618787634 win=1480
SENT (2.0900s) TCP 192.168.0.21:15766 > 178.79.132.93:80 S ttl=64 id=42908 iplen=50  seq=618787634 win=1480

I don't get replies when running directly against my router either, but
it works against another computer on the LAN. It also works if I scan
from a Linode instead of from home. It also works when running against
the router with UDP. I think the stateful firewall is filtering out SYN
containing data.

So it looks like the error is due to my environment. Please go ahead and
commit the changes.


Great, thanks for going through the tests.  I've committed this as r19935.

David Fifield

Cheers,
Kris Katterjohn
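The failure mode discussed in this thread, as an added example that is not code from path-mtu.nse or Nping: a Python model of DF-flagged probing that parses the ICMP type 3/code 4 "fragmentation required" reply (RFC 1191 next-hop MTU field, checksum verified) and stops rather than guessing when a probe simply draws no reply, which is what a stateful firewall dropping SYNs that carry data looks like. The addresses, router and path MTU are constructed, modelled on the nping output quoted above.

```python
import struct
ICMP, TCP = 1, 6                                   # IPv4 protocol numbers
SRC, DST, ROUTER = bytes([192, 168, 10, 6]), bytes([64, 13, 134, 52]), bytes([10, 0, 0, 1])

def ip_header(src, dst, proto, total_len, ident=0, ttl=64):
    """Minimal IPv4 header with DF set and the checksum left zero (constructed samples only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, proto, 0, src, dst)

def icmp_checksum(data):
    """RFC 1071 one's-complement sum; over a valid message (checksum included) it folds to 0."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data + b"\0" * (len(data) % 2)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(pkt):
    """Next-hop MTU (RFC 1191) if pkt is an IPv4 ICMP type 3/code 4 with a valid checksum, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != ICMP:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 28 or icmp[0] != 3 or icmp[1] != 4 or icmp_checksum(icmp) != 0:
        return None
    return struct.unpack("!H", icmp[6:8])[0]

def find_path_mtu(probe, lo=576, hi=1500):
    """Largest DF size delivered; probe(size) returns reply bytes or None. Silence is never
    read as 'too big': a firewall dropping SYNs with data (this thread) looks like a black hole."""
    best = None
    while lo <= hi:
        mid = (lo + hi) // 2
        if (reply := probe(mid)) is None:
            return best, "no reply at %d bytes: filtered or black-holed" % mid
        if (mtu := parse_frag_needed(reply)) is None:  # any non-ICMP reply (SYN/ACK, RST) means delivered
            best, lo = mid, mid + 1
        else:                                          # trust the router's hint; 0 means a pre-RFC 1191 router
            hi = mtu if 0 < mtu < mid else mid - 1
    return best, "ok"

def simulate_path(pmtu, drop_syn_with_data=False):
    """Constructed path modelled on the nping run quoted in the thread; not a real network."""
    def probe(size):
        if drop_syn_with_data and size > 40:             # stateful firewall eats SYNs carrying data
            return None
        if size <= pmtu:
            return ip_header(DST, SRC, TCP, 40, ttl=53)   # stand-in for the SYN/ACK
        quoted = ip_header(SRC, DST, TCP, size, ident=45459) + struct.pack("!HHI", 5116, 22, 0)
        body = struct.pack("!BBHHH", 3, 4, 0, 0, pmtu) + quoted  # type, code, csum, unused, MTU
        body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
        return ip_header(ROUTER, SRC, ICMP, 20 + len(body), ttl=29) + body
    return probe
```

Running `find_path_mtu(simulate_path(1400))` converges on 1400, while the same path with `drop_syn_with_data=True` reports the first silent probe instead of shrinking the MTU estimate.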

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/