Nmap Development mailing list archives
Re: [NSE] qscan first read timeout value too short?
From: David Fifield <david () bamsoftware com>
Date: Mon, 23 Aug 2010 23:04:46 -0600
On Fri, Aug 20, 2010 at 10:11:13PM +0100, jah wrote:
On 19/08/2010 15:27, Luis MartinGarcia. wrote:On 08/07/2010 12:52 AM, David Fifield wrote:Do you think it's related to this recent message? Nsock has trouble handling pcap reads on Windows http://seclists.org/nmap-dev/2010/q3/232 Luis found that pcap reads on Windows were not being polled often enough. His patch was applied in r19487, so you should have the fix already. Luis, you mentioned to me that you confirmed the bug existed with NSE also. Can you reproduce this behavior with qscan?Sorry for my late reply. I didn't read your message until now. I did confirm that the bug also affected NSE but I had to cheat a bit in order to obtain clear results. A quick explanation is at the end of this email [1]. About Qscan, I can't try to reproduce it right now, but I don't think is related. The bug I traced did not cause packet loss, it just caused a delay on its detection. This is a long shot but I think what we are dealing with here is that the script sends a probe, but pcap is not ready by the time we receive the first reply. Also, after a very quick look to the script I see that qscan.nse performs certain operations in a different order than ipidseq.nse. Jah, would you try the patch I attach? Sorry if the patch looks absurd, but my experience with NSE is close to zero.You are correct about the lost response being unrelated to your changes, I've reproduced this issue on builds from revisions prior to yours (which was r19487). I've tried your patch (which moves the call to pcap_register after sending the probe). It made no difference to the result as you can see from the output below. It did however throw-up something potentially interesting (which I haven't looked into yet).
I've been looking into this. I can reproduce it on Windows XP. What I've found so far is that l_nsock_ncap_register always starts a read event as soon as you call nmap.pcap_register--whether you've done an nmap.pcap_receive yet or not. int l_nsock_ncap_register(lua_State * L) { ... /* always create new event. */ nr->nseid = nsock_pcap_read_packet(nsp, udata->nsiod, l_nsock_pcap_receive_handler, udata->timeout, nr); ... } Thus it's very possible for this read event to time out before a probe is even sent. Naturally this isn't how anyone expects it to work, and it seems to work fine on Linux. Maybe there is some special conditional Windows code at work. I'll look into it more. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] qscan first read timeout value too short? jah (Aug 06)
- Re: [NSE] qscan first read timeout value too short? David Fifield (Aug 06)
- Re: [NSE] qscan first read timeout value too short? jah (Aug 06)
- Re: [NSE] pcap first read times out with sub second read timeouts jah (Aug 19)
- Re: [NSE] qscan first read timeout value too short? Luis MartinGarcia. (Aug 19)
- Re: [NSE] qscan first read timeout value too short? jah (Aug 20)
- Re: [NSE] qscan first read timeout value too short? David Fifield (Aug 23)
- Re: [NSE] qscan first read timeout value too short? jah (Aug 24)
- Re: [NSE] qscan first read timeout value too short? David Fifield (Aug 25)
- Re: [NSE] qscan first read timeout value too short? David Fifield (Aug 25)
- Re: [NSE] qscan first read timeout value too short? David Fifield (Aug 06)