Nmap Development mailing list archives

Nmap on OpenBSD


From: Kent Fritz <kfritz () wolfman devio us>
Date: Thu, 12 Jun 2014 00:40:14 -0400

I believe it's broken (and has been for some time).
http://marc.info/?t=140175047900002&r=1&w=2

See below for a more detailed trace.  You can see that the ARP is sent twice
and the timestamp on the RCVD is from the first ARP.  Similar result with
the SYN packets.  The tcpdump shows all packets being sent and received. So,
something is going fishy in the libpcap?

Does anyone have any ideas where to start looking?

This sample is from a KVM VM, but I get the same results from real hardware
i386, amd64, and sparc64.

Thanks,

Kent.

# nmap -Pn -sS -p22,9000 -packet-trace -n 192.168.1.120 

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-11 19:25 PDT
SENT (0.0340s) ARP who-has 192.168.1.120 tell 192.168.1.131
SENT (0.2438s) ARP who-has 192.168.1.120 tell 192.168.1.131
RCVD (0.0343s) ARP reply 192.168.1.120 is-at DE:AD:BE:EF:00:15
SENT (0.2446s) TCP 192.168.1.131:62760 > 192.168.1.120:22 S ttl=57 id=36604 iplen=44  seq=2486294121 win=1024 <mss 1460>
SENT (0.2447s) TCP 192.168.1.131:62760 > 192.168.1.120:9000 S ttl=57 id=25741 iplen=44  seq=2486294121 win=1024 <mss 1460>
SENT (1.3639s) TCP 192.168.1.131:62761 > 192.168.1.120:9000 S ttl=53 id=60872 iplen=44  seq=2486228584 win=1024 <mss 1460>
SENT (1.3644s) TCP 192.168.1.131:62761 > 192.168.1.120:22 S ttl=58 id=2301 iplen=44  seq=2486228584 win=1024 <mss 1460>
RCVD (0.2447s) TCP 192.168.1.120:22 > 192.168.1.131:62760 SA ttl=64 id=0 iplen=44  seq=1814053721 win=5840 <mss 1460>
Nmap scan report for 192.168.1.120
Host is up (-0.18s latency).
PORT     STATE    SERVICE
22/tcp   open     ssh
9000/tcp filtered cslistener
MAC Address: DE:AD:BE:EF:00:15 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
#
 
*** and simultaneously in another window... ***

# tcpdump -n host 192.168.1.120 
tcpdump: listening on vio0, link-type EN10MB
19:25:35.188613 arp who-has 192.168.1.120 (ff:ff:ff:ff:ff:ff) tell 192.168.1.131
19:25:35.188827 arp reply 192.168.1.120 is-at de:ad:be:ef:00:15
19:25:35.398323 arp who-has 192.168.1.120 (ff:ff:ff:ff:ff:ff) tell 192.168.1.131
19:25:35.398528 arp reply 192.168.1.120 is-at de:ad:be:ef:00:15
tcpdump: WARNING: compensating for unaligned libpcap packets
19:25:35.399065 192.168.1.131.62760 > 192.168.1.120.22: S 2486294121:2486294121(0) win 1024 <mss 1460>
19:25:35.399156 192.168.1.131.62760 > 192.168.1.120.9000: S 2486294121:2486294121(0) win 1024 <mss 1460>
19:25:35.399210 192.168.1.120.22 > 192.168.1.131.62760: S 1814053721:1814053721(0) ack 2486294122 win 5840 <mss 1460> (DF)
19:25:35.399235 192.168.1.131.62760 > 192.168.1.120.22: R 2486294122:2486294122(0) win 0 (DF)
19:25:35.399288 192.168.1.120.9000 > 192.168.1.131.62760: S 3256885666:3256885666(0) ack 2486294122 win 5840 <mss 1460> (DF)
19:25:35.399313 192.168.1.131.62760 > 192.168.1.120.9000: R 2486294122:2486294122(0) win 0 (DF)
19:25:36.518352 192.168.1.131.62761 > 192.168.1.120.9000: S 2486228584:2486228584(0) win 1024 <mss 1460>
19:25:36.518581 192.168.1.120.9000 > 192.168.1.131.62761: S 3653907712:3653907712(0) ack 2486228585 win 5840 <mss 1460> (DF)
19:25:36.518612 192.168.1.131.62761 > 192.168.1.120.9000: R 2486228585:2486228585(0) win 0 (DF)
19:25:36.518905 192.168.1.131.62761 > 192.168.1.120.22: S 2486228584:2486228584(0) win 1024 <mss 1460>
19:25:36.518999 192.168.1.120.22 > 192.168.1.131.62761: S 1036225671:1036225671(0) ack 2486228585 win 5840 <mss 1460> (DF)
19:25:36.519021 192.168.1.131.62761 > 192.168.1.120.22: R 2486228585:2486228585(0) win 0 (DF)
^C
94 packets received by filter
0 packets dropped by kernel

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
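
Added example, not part of the message above and not Nmap code: a Python check for the symptom the post describes, where an RCVD line carries a timestamp earlier than SENT lines printed before it. It assumes, as the post reads the trace, that RCVD stamps are capture times; `late_deliveries` and `tolerance` are hypothetical names, and the trace lines are abridged from the post.

```python
import re

# Trace lines taken from the post above (wrapped lines rejoined, TCP options trimmed).
TRACE = """\
SENT (0.0340s) ARP who-has 192.168.1.120 tell 192.168.1.131
SENT (0.2438s) ARP who-has 192.168.1.120 tell 192.168.1.131
RCVD (0.0343s) ARP reply 192.168.1.120 is-at DE:AD:BE:EF:00:15
SENT (0.2446s) TCP 192.168.1.131:62760 > 192.168.1.120:22 S ttl=57 id=36604 iplen=44
SENT (0.2447s) TCP 192.168.1.131:62760 > 192.168.1.120:9000 S ttl=57 id=25741 iplen=44
SENT (1.3639s) TCP 192.168.1.131:62761 > 192.168.1.120:9000 S ttl=53 id=60872 iplen=44
SENT (1.3644s) TCP 192.168.1.131:62761 > 192.168.1.120:22 S ttl=58 id=2301 iplen=44
RCVD (0.2447s) TCP 192.168.1.120:22 > 192.168.1.131:62760 SA ttl=64 id=0 iplen=44
"""

LINE = re.compile(r"^(SENT|RCVD) \((\d+\.\d+)s\) (.*)$")


def late_deliveries(trace, tolerance=0.001):
    """Return (rcvd_ts, held_for, text) for replies handed to nmap late.

    Assumption: an RCVD stamp is the packet's capture time, a SENT stamp is
    the transmit time, and lines appear in the order nmap handled them. An
    RCVD stamped earlier than a SENT printed above it was therefore captured
    before that probe went out but delivered to nmap only afterwards.
    """
    findings = []
    newest_sent = None
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, scan report and blank lines
        kind, ts, rest = m.group(1), float(m.group(2)), m.group(3)
        if kind == "SENT":
            newest_sent = ts if newest_sent is None else max(newest_sent, ts)
        elif newest_sent is not None and newest_sent - ts > tolerance:
            # Lower bound on how long the reply waited before nmap saw it.
            findings.append((ts, round(newest_sent - ts, 4), rest))
    return findings


if __name__ == "__main__":
    for ts, held, rest in late_deliveries(TRACE):
        print(f"reply captured at {ts:.4f}s held >= {held:.4f}s: {rest}")
```

Both replies in the trace are flagged, which matches the duplicate ARP request and the retransmitted SYNs in the tcpdump output.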

