Nmap Development mailing list archives
Re: Off by one in ICMP distance calculation?
From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Fri, 30 Sep 2011 12:00:05 +0200
On 09/15/2011 06:48 PM, David Fifield wrote:
> During OS detection, we calculate distance by subtracting the encapsulated TTL in an ICMP error reply from the TTL we set originally when sending the probe:
>
>     /* Count hop count */
>     if (hss->distance == -1) {
>       hss->distance = this->udpttl - ip2->ip_ttl;
>     }
>
> I think this is off by one: it reports one less than the actual distance. I added this debugging line:
>
>     log_write(LOG_PLAIN, "TTL distance: %d - %d == %d\n", this->udpttl, ip2->ip_ttl, this->udpttl - ip2->ip_ttl);
>
> and I tried running with traceroute. Here's a remote host:
>
>     TTL distance: 56 - 46 == 10
>     Network Distance: 11 hops
>
>     TRACEROUTE (using port 53/tcp)
>     HOP RTT       ADDRESS
>     1   6.11 ms   192.168.0.1
>     ...
>     9   29.23 ms  10gigabitethernet1-1.core1.fmt1.he.net (72.52.92.109)
>     10  14.23 ms  linode-llc.10gigabitethernet2-3.core1.fmt1.he.net (64.62.250.6)
>     11  17.00 ms  li86-221.members.linode.com (74.207.244.221)
>
> and here's a directly connected host:
>
>     TTL distance: 61 - 61 == 0
>     Network Distance: 1 hop
>
>     TRACEROUTE
>     HOP RTT      ADDRESS
>     1   0.23 ms  192.168.0.3
>
> Directly connected hosts are already treated as a special case and set to distance 1, so you would only notice the discrepancy against multiple-hop hosts.
>
> Does anyone else agree that this is off by one?
Hi!

In my opinion it depends on the definition of network distance. If we only mean the number of intermediate devices between the sender and the receiver, then SENT_TTL - RECV_TTL throws the correct value. However, I don't think the distance should be defined like that. In the real world, when someone asks how far some tube station is and I tell them it's three stops away, that means you get the tube in station A, you pass B and C until you get to D. In network communications B and C would be routers and the TTL would be decremented only twice, not three times. Therefore:

    A [TTL 255] --> B [TTL 254] --> C [TTL 253] --> D  ::  Distance = 255 - 253 = 2?  Wrong, it should be 3.

So yeah, I agree that it's an off-by-one bug. Plus, if we do {distance = SENT_TTL - RCVD_TTL + 1} then the directly connected host is not a special case and can be reliably distinguished from the scenario where there is one router in the middle.

Just my two cents.

Regards,
Luis.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
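The two messages above can be checked with a small model of the TTL walk. This is an added illustration, not Nmap's code: it assumes each router decrements the TTL by one and that the destination quotes the IP header exactly as received inside its ICMP error (so the quoted TTL is the TTL that arrived), then compares the formula David quoted from Nmap with the "+ 1" variant Luis proposes, on the figures from both mails.

```c
#include <stdio.h>

/* Walk the probe through n_routers hops. Returns the TTL the destination
 * sees (and therefore quotes in its ICMP error), or -1 if the TTL expires
 * in transit, in which case a router, not the target, would reply and the
 * quoted TTL says nothing about the target's distance. */
int encapsulated_ttl(int sent_ttl, int n_routers) {
    int ttl = sent_ttl;
    for (int i = 0; i < n_routers; i++) {
        if (--ttl <= 0)
            return -1;
    }
    return ttl;
}

/* Formula as currently in Nmap per David's mail: udpttl - ip2->ip_ttl.
 * A quoted TTL larger than what we sent cannot come from our probe. */
int distance_current(int sent_ttl, int quoted_ttl) {
    if (quoted_ttl < 0 || quoted_ttl > sent_ttl)
        return -1;
    return sent_ttl - quoted_ttl;
}

/* Luis's proposal: SENT_TTL - RCVD_TTL + 1, counting the final hop. */
int distance_proposed(int sent_ttl, int quoted_ttl) {
    int d = distance_current(sent_ttl, quoted_ttl);
    return d < 0 ? -1 : d + 1;
}

int main(void) {
    /* Constructed scenarios taken from the thread: 10 routers before the
     * Linode host (traceroute shows 11 hops), a directly connected host
     * (0 routers), and Luis's A->B->C->D path. */
    struct { const char *name; int sent; int routers; } cases[] = {
        { "remote (traceroute: 11 hops)", 56, 10 },
        { "directly connected",           61,  0 },
        { "A->B->C->D",                  255,  2 },
    };
    for (int i = 0; i < 3; i++) {
        int q = encapsulated_ttl(cases[i].sent, cases[i].routers);
        printf("%-30s sent=%d quoted=%d current=%d proposed=%d\n",
               cases[i].name, cases[i].sent, q,
               distance_current(cases[i].sent, q),
               distance_proposed(cases[i].sent, q));
    }
    return 0;
}
```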
Current thread:
- Off by one in ICMP distance calculation? David Fifield (Sep 15)
- Re: Off by one in ICMP distance calculation? Luis MartinGarcia. (Sep 30)
- Re: Off by one in ICMP distance calculation? David Fifield (Sep 30)
- Re: Off by one in ICMP distance calculation? Luis MartinGarcia. (Sep 30)