Nmap Development mailing list archives
Re: Pull Request: Host Discovery: Ignore TCP RST #1616
From: Gordon Fyodor Lyon <fyodor () nmap org>
Date: Mon, 10 Jun 2019 12:19:23 -0700
On Mon, Jun 3, 2019 at 8:24 AM Tom Sellers <nmap () fadedcode net> wrote:
All, Since not everyone checks GitHub PRs I'm CCing this PR to the list.
Hi Tom. Thanks for the patch! My only concern is whether TCP host discovery probes still provide much value if you are ignoring the RST responses. By default we use an ACK for TCP host discovery and that almost always relies on RST packets to find up hosts. Maybe there are some corner cases like certain ICMP responses straight from the host that we might still use to consider it up, but I think that's pretty rare. Of course you could also choose SYN host discovery (like in the scanme example you gave) and if the discovery port is actually open you would get a SYN|ACK. But still, a RST is still the most common way that SYN host discovery finds available hosts. Since I imagine you folks wrote this for a specific use case, maybe you can check whether you use case can be met roughly as well by just skipping TCP host discovery for these type of scans and just using ICMP and/or UDP probes? That way you aren't sending time sending probes and then almost always ignoring the responses. Or maybe, given the behavior of the network you are scanning, you still do want to send the probes? In this case are you sending SYN probes or other TCP probes, and what non-RST responses are you hoping to catch? If we do put in this option, it will have to be documented in the man page and we should probably note there that omitting the TCP discovery probes is often a better approach than ignoring most of the responses. Thanks! -Fyodor
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Pull Request: Host Discovery: Ignore TCP RST #1616 Tom Sellers (Jun 03)
- Re: Pull Request: Host Discovery: Ignore TCP RST #1616 Gordon Fyodor Lyon (Jun 10)