Nmap Development mailing list archives
Re: Bug / Weird behaviour with arping
From: A Brodskiy <abrods01 () gmail com>
Date: Wed, 10 Aug 2011 18:22:39 -0400
I meant that the Target MAC address SHOULD be set to 00:00:00:00:00:00; that's how all other IP stacks work (Linux, win).

nmap version 5.51

Alex

On Wed, Aug 10, 2011 at 6:03 PM, A Brodskiy <abrods01 () gmail com> wrote:

It seems the behaviour of nmap when it performs an ARP discovery is weird, and different from the way IP stacks do it. For the target MAC address it puts in ff:ff:ff:ff:ff:ff, the same as the destination MAC address of the Ethernet packet itself. However, for discovery, unless the ARP request is gratuitous, the Target MAC address is set to 00:00:00:00:00:00.

This behaviour allows people to trivially discover "fingerprint" nmap scans on their network.

Here is some Wireshark code:

    arp.dst.hw_mac==ff:ff:ff:ff:ff:ff and arp.isgratuitous==false

Thank you,
Alex.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
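The check expressed by the Wireshark filter in the quoted message, written out as an added Python example (not part of the original posts or of Nmap): it parses raw Ethernet frames and flags non-gratuitous ARP requests whose target hardware address is ff:ff:ff:ff:ff:ff. The sample frames, MAC and IP values are constructed, and "gratuitous" is assumed here to mean sender IP equal to target IP.

```python
import socket
import struct

BROADCAST = b"\xff" * 6
ZERO = b"\x00" * 6
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def parse_arp(frame):
    """Return ARP fields of an Ethernet II frame, or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 14 + 28:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def classify(frame):
    """Label a frame by the target hardware address of its ARP request."""
    arp = parse_arp(frame)
    if arp is None:
        return "not-arp"
    if arp["oper"] != 1:            # 1 = request
        return "other-arp"
    if arp["spa"] == arp["tpa"]:    # assumption: gratuitous = sender IP == target IP
        return "gratuitous"
    if arp["tha"] == BROADCAST:     # the pattern the message describes
        return "broadcast-tha"
    return "zero-tha" if arp["tha"] == ZERO else "other-tha"

def build_request(sha, spa, tha, tpa):
    """Build a constructed broadcast ARP request frame for the samples below."""
    eth = BROADCAST + sha + struct.pack("!H", 0x0806)
    ips = socket.inet_aton(spa), socket.inet_aton(tpa)
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, sha, ips[0], tha, ips[1])

MAC = bytes.fromhex("020000000001")  # constructed, locally administered
SAMPLES = [  # constructed frames, documentation address range 192.0.2.0/24
    build_request(MAC, "192.0.2.10", ZERO, "192.0.2.1"),        # zeroed target MAC
    build_request(MAC, "192.0.2.10", BROADCAST, "192.0.2.1"),   # broadcast target MAC
    build_request(MAC, "192.0.2.10", BROADCAST, "192.0.2.10"),  # gratuitous
]

def flagged(frames):
    """Indices of frames matching the filter: broadcast THA and not gratuitous."""
    return [i for i, f in enumerate(frames) if classify(f) == "broadcast-tha"]

if __name__ == "__main__":
    for i, frame in enumerate(SAMPLES):
        print(i, classify(frame))
```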