Nmap Development mailing list archives

Re: Nmap 5.61TEST2 IPv6 OS Detection (Cherry Soeprapto)


From: David Fifield <david () bamsoftware com>
Date: Mon, 16 Jan 2012 11:26:44 -0800

On Mon, Jan 16, 2012 at 07:12:28AM -0800, Cherry Soeprapto wrote:
Those are all the candidate tests that were invented by Luis
MartinGarcia. Not all of them are effective--we kept only the best ones
in the OS engine.

What are the reasons that you keep only the 18 tests?
What are the qualifications?

It's because every test takes time and packets. ipv6fp.py takes several
minutes to run, but Nmap can only take a few seconds at most. The best
tests are those that get different responses from different OSes. Many
of the ipv6fp.py tests turned out to never get a response or to always
get the same response.

If I'd like to analyse the TCP responses from different OSs, is it correct that I should only compare the:
payload length, hop limit, header length, window size and the TCP options?

Generally you should compare any feature that differs between operating
systems and isn't too expensive to trigger.

Would it be possible for you to make a short detail about the scripts in ipv6tests folder?

https://svn.nmap.org/nmap-exp/luis/ipv6tests/README

The description to run the scripts above is not so understandable for me. 

I'm glad that someone is looking at those scripts. Email me off the list
with the error messages that you see and I'll try to help.

The scripts need a directory full of sample fingerprints to operate on.
But those aren't checked into the directory because we say we will keep
submissions private when we get them.

I have already run tests and will submit them to you in another email. Do you need only the .6fp or the .nmap files too?

We only want the .nmap files. But it is most convenient if you can
submit them here:
        http://insecure.org/cgi-bin/submit.cgi?new-os
and not by email.

David
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
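
Added example, not part of the original message and not code from Nmap or ipv6fp.py: one way to rank candidate tests by the criteria the reply gives (responses that differ between hosts, low packet cost), using Shannon entropy per packet sent. The test names, host labels, response strings and costs are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample data: one response signature per candidate test per host.
# None means the probe got no reply. All names and values here are made up.
SAMPLES = {
    "host_a": {"t_echo": "hl=64",  "t_syn": "win=5720",  "t_frag": None, "t_ni": "ok"},
    "host_b": {"t_echo": "hl=128", "t_syn": "win=8192",  "t_frag": None, "t_ni": "ok"},
    "host_c": {"t_echo": "hl=64",  "t_syn": "win=65535", "t_frag": None, "t_ni": "ok"},
    "host_d": {"t_echo": "hl=64",  "t_syn": "win=65535", "t_frag": None, "t_ni": "ok"},
}
COST = {"t_echo": 1, "t_syn": 1, "t_frag": 3, "t_ni": 1}  # packets sent per test


def entropy(values):
    """Shannon entropy in bits of the responses observed across hosts."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_tests(samples, cost):
    """Return {test: (bits, bits_per_packet)}.

    A test that never gets a reply, or always gets the same reply,
    has a single observed value and therefore scores 0 bits.
    """
    scores = {}
    for test, packets in cost.items():
        responses = [fp.get(test) for fp in samples.values()]
        bits = entropy(responses)
        scores[test] = (bits, bits / packets)
    return scores


def select_tests(samples, cost, packet_budget):
    """Greedily keep the most informative tests that fit the packet budget."""
    scores = score_tests(samples, cost)
    useful = [t for t in scores if scores[t][0] > 0]
    ranked = sorted(useful, key=lambda t: scores[t][1], reverse=True)
    chosen, used = [], 0
    for test in ranked:
        if used + cost[test] <= packet_budget:
            chosen.append(test)
            used += cost[test]
    return chosen


if __name__ == "__main__":
    print(score_tests(SAMPLES, COST))
    print(select_tests(SAMPLES, COST, packet_budget=2))
```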