Nmap Development mailing list archives
Re: IPv6 Hop Limit as feature in FPEngine
From: David Fifield <david () bamsoftware com>
Date: Thu, 19 Mar 2015 13:45:38 -0700
On Thu, Mar 19, 2015 at 02:08:42PM +0100, Alexandru Geana wrote:
> > It seems weird to conditionally subtract the DS. I don't remember, is
> > that value always present? Or only when we get an ICMPv6 reply?
>
> The DS value is not always present. It appears depending on whether nmap
> is able to get it or not, either via an ICMP response to the U1 probe or
> via a traceroute.
>
> The method I thought about now is to check the scan line and see if the
> hop distance is present. If it is, then I try to calculate the original
> hop limit value. Then I try to guess the original value and take into
> consideration an error limit which is 5 if the hop distance was present
> and 20 otherwise. The idea is to check
>
>     if def_value - er_limit <= hop_limit and hop_limit <= def_value:
>         hop_limit = def_value
>     else:
>         hop_limit = -1
>
> for every hop limit in the database and every default_value in
> {32, 64, 128, 255}.
>
> The reason for having different error limits is that, if the hop
> distance is available, theoretically we should be able to calculate the
> original hop limit. Otherwise, the error limit is higher since we cannot
> tell for sure how many hops are on the path. Furthermore it also helps
> with interference. For example, if a calculated hop limit is 65 or 66,
> it most probably means that the value was rewritten to 64 somewhere on
> the path and it cannot be used to obtain the original value anymore.
Thanks for doing these tests. What you describe sounds more complicated than necessary. What I get from your table is that the calculation method doesn't matter a whole lot: you get concentrations around a few values in any case, and the ML should be able to deal with that. The real test is cross validation. Which one of your calculation methods gives the best accuracy from train.py? If a simple technique works just as well, do that.
> Additionally, I also moved the distance field from Target to FPR (since
> it was just a copy) and updated all other files (osscan2, output,
> traceroute) to use FPR->distance.
Don't do that; no need to increase coupling between these different functions.

David Fifield
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
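The hop-limit normalization Alexandru sketches above (snap an observed IPv6 Hop Limit to one of the common initial values 32, 64, 128 or 255, with an error limit of 5 when the hop distance is known and 20 when it is not, and mark values that cannot be matched as -1) is easier to compare against simpler variants in Python than on paper. The following is an added illustration written for this archive page, not code from Nmap's FPEngine or from the thread's patch; the function names, the sample records and the assumption that "calculating the original hop limit" means adding the measured hop distance back onto the observed value are mine.

```python
from collections import Counter

# Initial Hop Limit values commonly chosen by IPv6 stacks, as listed in the thread.
DEFAULT_HOP_LIMITS = (32, 64, 128, 255)

# Error limits from the thread: tight when a hop distance is available,
# loose when the path length is unknown.
ERR_WITH_DISTANCE = 5
ERR_WITHOUT_DISTANCE = 20


def estimate_initial_hop_limit(observed, hop_distance=None):
    """Return the guessed initial Hop Limit for one reply, or -1.

    observed:     Hop Limit seen in the reply packet.
    hop_distance: hops to the target when known (e.g. from an ICMPv6
                  reply to the U1 probe or a traceroute), else None.

    Assumption (not stated verbatim in the thread): with a known
    distance the original value is reconstructed as observed + distance,
    because each forwarding hop decrements the field by one.
    """
    if hop_distance is not None:
        candidate = observed + hop_distance
        err_limit = ERR_WITH_DISTANCE
    else:
        candidate = observed
        err_limit = ERR_WITHOUT_DISTANCE

    # The thread's check: def_value - er_limit <= hop_limit <= def_value.
    # A candidate slightly above a default (e.g. 65 or 66) fails the upper
    # bound on purpose: it suggests the field was rewritten on the path.
    for def_value in DEFAULT_HOP_LIMITS:
        if def_value - err_limit <= candidate <= def_value:
            return def_value
    return -1


def summarize(records):
    """Count the normalized values over (observed, hop_distance) pairs.

    Shows the 'concentration around a few values' David refers to, and
    how many records end up unusable (-1).
    """
    return Counter(estimate_initial_hop_limit(obs, dist) for obs, dist in records)


# Constructed sample records (observed Hop Limit, hop distance or None);
# these are illustrative values, not measurements from the thread.
SAMPLE_RECORDS = [
    (58, 6),      # 58 + 6 = 64          -> 64
    (61, 3),      # 61 + 3 = 64          -> 64
    (60, 6),      # 60 + 6 = 66          -> -1 (rewritten to 64 on the path?)
    (55, None),   # no distance, 44..64  -> 64
    (110, None),  # no distance, 108..128-> 128
    (100, None),  # no distance, in no window -> -1
    (250, 5),     # 250 + 5 = 255        -> 255
    (30, None),   # no distance, 12..32  -> 32
]

if __name__ == "__main__":
    for obs, dist in SAMPLE_RECORDS:
        print(f"observed={obs:3d} distance={dist!s:4} -> {estimate_initial_hop_limit(obs, dist)}")
    print(summarize(SAMPLE_RECORDS))
```

Because the decision is isolated in one function, swapping in a simpler rule (for example, always using the 20 window, or always snapping to the nearest default) is a one-line change, which makes the cross-validation comparison David asks for straightforward to run over the same records.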
Current thread:
- IPv6 Hop Limit as feature in FPEngine Alexandru Geana (Feb 23)
- Re: IPv6 Hop Limit as feature in FPEngine David Fifield (Feb 23)
- Re: IPv6 Hop Limit as feature in FPEngine Alexandru Geana (Feb 24)
- Re: IPv6 Hop Limit as feature in FPEngine David Fifield (Feb 24)
- Re: IPv6 Hop Limit as feature in FPEngine Alexandru Geana (Feb 26)
- Re: IPv6 Hop Limit as feature in FPEngine Alexandru Geana (Feb 24)
- Re: IPv6 Hop Limit as feature in FPEngine David Fifield (Feb 24)
- Re: IPv6 Hop Limit as feature in FPEngine Alexandru Geana (Mar 11)
- Re: IPv6 Hop Limit as feature in FPEngine David Fifield (Mar 12)
- Re: IPv6 Hop Limit as feature in FPEngine Alexandru Geana (Mar 19)
- Re: IPv6 Hop Limit as feature in FPEngine David Fifield (Mar 19)
- Re: IPv6 Hop Limit as feature in FPEngine Alexandru Geana (Mar 23)
- Re: IPv6 Hop Limit as feature in FPEngine David Fifield (Mar 23)
- Re: IPv6 Hop Limit as feature in FPEngine Alexandru Geana (Mar 26)
- Re: IPv6 Hop Limit as feature in FPEngine David Fifield (Feb 23)