Nmap Development mailing list archives
Bug / Weird behaviour with arping
From: A Brodskiy <abrods01 () gmail com>
Date: Wed, 10 Aug 2011 18:03:27 -0400
It seems the behaviour of nmap when it performs an arp discovery is weird, and different from the way IP stacks do it. For target MAC address it puts in ff:ff:ff:ff:ff:ff, the same as destination MAC address of the Ethernet packet itself. However, for discovery, unless the arp request is gratuitous, the Target MAC address is set to 00:00:00:00:00:00. This behaviour allows people to trivially discover "fingerprint" nmap scans on their network.

Here is some Wireshark code:

arp.dst.hw_mac==ff:ff:ff:ff:ff:ff and arp.isgratuitous==false

Thank you,
Alex.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
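The check expressed by the Wireshark filter in the message above, as an added example for working on raw frames outside Wireshark; it is not part of the original post and is not Nmap or Wireshark code. It assumes untagged Ethernet II frames and treats a request as gratuitous when sender IP equals target IP; the function names and sample addresses are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6
ZERO = b"\x00" * 6

def parse_arp(frame: bytes):
    """Return the ARP fields of an untagged Ethernet II frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42:                       # 14-byte Ethernet header + 28-byte ARP body
        return None
    eth_dst, _eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": eth_dst, "oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def classify(frame: bytes) -> str:
    """Label an ARP request by its target hardware address field."""
    arp = parse_arp(frame)
    if arp is None:
        return "not-arp"
    if arp["oper"] != 1:
        return "not-request"
    if arp["spa"] == arp["tpa"]:              # assumption: gratuitous means sender IP == target IP
        return "gratuitous"
    if arp["tha"] == BROADCAST:
        return "broadcast-target-mac"         # the pattern the filter in the post matches
    if arp["tha"] == ZERO:
        return "zero-target-mac"
    return "other-target-mac"

def make_request(sha, spa, tha, tpa):
    """Build a constructed broadcast ARP request frame for testing."""
    eth = BROADCAST + sha + struct.pack("!H", 0x0806)
    return eth + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sha, spa, tha, tpa)

# Constructed sample frames (not captured traffic).
SRC_MAC = bytes.fromhex("020000000001")
SRC_IP, DST_IP = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])
SAMPLES = {
    "zero": make_request(SRC_MAC, SRC_IP, ZERO, DST_IP),
    "broadcast": make_request(SRC_MAC, SRC_IP, BROADCAST, DST_IP),
    "gratuitous": make_request(SRC_MAC, SRC_IP, BROADCAST, SRC_IP),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, "->", classify(frame))
```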