Nmap Development mailing list archives

Bug / Weird behaviour with arping


From: A Brodskiy <abrods01 () gmail com>
Date: Wed, 10 Aug 2011 18:03:27 -0400

It seems the behaviour of nmap when it performs an ARP discovery is
weird, and different from the way IP stacks do it.

For the target MAC address it puts in ff:ff:ff:ff:ff:ff, the same as the destination
MAC address of the Ethernet packet itself. However, for discovery, unless the
ARP request is gratuitous, the target MAC address is set to
00:00:00:00:00:00.

This behaviour allows people to trivially discover "fingerprint" nmap scans
on their network.

Here is some Wireshark code:

arp.dst.hw_mac==ff:ff:ff:ff:ff:ff and arp.isgratuitous==false

Thank you, Alex.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
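The check described in the post, applied to raw frames instead of a Wireshark display filter. This is an added example, not code from the post or from the nmap project; the frames are constructed here, and "gratuitous" is taken to mean sender and target protocol addresses are equal (the same rule Wireshark's arp.isgratuitous uses, as far as I know).

```python
# Added example: parse an Ethernet/ARP frame and flag ARP requests whose
# target hardware address is the broadcast address instead of all zeros.
import struct

BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1

# Constructed sample addresses (not from any real capture).
SRC_MAC = bytes.fromhex("020000000001")
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([192, 0, 2, 20])


def parse_arp_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying an IPv4 ARP packet."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    # htype, ptype, hlen, plen, oper, sender MAC/IP, target MAC/IP
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def is_gratuitous(arp: dict) -> bool:
    # Gratuitous ARP announces the sender's own address: sender IP == target IP.
    return arp["spa"] == arp["tpa"]


def is_suspicious_arp_request(arp: dict) -> bool:
    """Same condition as the post's filter:
    arp.dst.hw_mac == ff:ff:ff:ff:ff:ff and arp.isgratuitous == false.
    A normal stack sends 00:00:00:00:00:00 as the target MAC in a request."""
    return (arp["oper"] == ARP_REQUEST
            and arp["tha"] == BROADCAST
            and not is_gratuitous(arp))


def build_arp_request(src_mac: bytes, src_ip: bytes, dst_ip: bytes, tha: bytes) -> bytes:
    """Build a constructed ARP request frame for testing; tha is the target MAC."""
    eth = struct.pack("!6s6sH", BROADCAST, src_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REQUEST,
                      src_mac, src_ip, tha, dst_ip)
    return eth + arp
```

Feeding frames from a pcap into parse_arp_frame and counting hits per sender MAC gives the same fingerprint the post describes, without Wireshark.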

