Nmap Development mailing list archives

Re: 'nmap -S <src_addr>' does not use 'iproute2' alternate routing table


From: David Fifield <david () bamsoftware com>
Date: Mon, 10 Sep 2012 13:22:07 -0700

On Mon, Sep 10, 2012 at 04:16:33PM -0400, starlight.2012q3 () binnacle cx wrote:
> At 01:10 PM 9/10/2012 -0700, David Fifield wrote:
> > On Mon, Sep 10, 2012 at 01:08:30PM -0700, David Fifield wrote:
> >
> > Please also show us "nmap -e eth4 -S 172.29.87.84 --route-dst <target>".
>
> # nmap -e eth4 -S 172.29.87.84 --route-dst nvd.nist.gov
> 129.6.13.97
> eth4 eth4 srcaddr 172.29.79.1 nexthop 172.29.79.2
> WARNING: If -S is being used to fake your source address, you may also have to use -e <interface> and -Pn .  If you are using it to specify your real source address, you can ignore this warning.

So this looks like Nmap itself is doing as you expected, using the
"source-route default of 172.29.86.1 via 'eth4'".

But you say that tcpdump has it using 172.29.79.2 via eth5? This may be
some strange interaction between Nmap's use of raw sockets and the
kernel. Perhaps the raw sockets are bypassing the routing rules?

What does tcpdump say when you try to scan with the --send-eth option?
Do the packets appear to come from eth4 or eth5?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

