Nmap Development mailing list archives

[nping] Bug/confusing functionality of --send-eth and missing IP route


From: ValdikSS via dev <dev () nmap org>
Date: Tue, 15 Oct 2019 22:07:08 +0300


    Description

nping 0.7.70, when used with the --send-eth option, does not perform ARP resolution and use the ARP-resolved MAC address 
of the destination IP if an IP route to the destination IP/network is missing from the system routing table AND a 
default route is present.
The program's output text does not suggest that it does not perform ARP resolution and tries to send the packet via 
the router, even in --debug mode.


    Information

I have the eth0-26042 network interface with only the 192.168.5.22/24 address, and a default route set:
$ ip r
default via 192.168.5.1 dev eth0-26042
192.168.5.0/24 dev eth0-26042 proto kernel scope link src 192.168.5.22

This network has 172.16.0.0/16 in the same L2 segment, but there's no route to it.

The following nping command with the --send-eth option will send ARP requests and successfully resolve the MAC address 
of the destination from 172.16.0.0/16, but will not use it to send the packet at all.

nping --send-eth --source-ip 172.16.0.100 --dest-ip 172.16.1.1 --udp -c1 --debug

…

Determining target 172.16.1.1 MAC address or next hop MAC address...
    > Checking system's ARP cache...
    > No relevant entries found in system's ARP cache.
    > Sending ARP request using spoofed IP 172.16.0.100...
    > No ARP responses received.
    > Sending ARP request using our real IP 192.168.5.22...
    > Success: 1 ARP response received [d8:58:d7:4b:4b:0f]
+-----------------TARGET-----------------+
Device Name:            eth0-26042
Device FullName:        eth0-26042
Device Type:            Ethernet
Directly connected?:    no
Address family:         AF_INET
Resolved Hostname:     
Supplied Hostname:      (null)
Target Address:         172.16.1.1
Source Address:         192.168.5.22
Spoofed Address:        172.16.0.100
Next Hop Address:       192.168.5.1
*Target MAC Address:     00:00:00:00:00:00*
Source MAC Address:     a0:a8:cd:7b:7b:96
*Next Hop MAC Address:   d8:58:d7:4b:4b:0f*

…

Despite the text saying "Determining target 172.16.1.1 MAC address or next hop MAC address...", no ARP resolution of 
the destination (172.16.1.1) is performed at all. nping sends ARP requests only to the router (default route via 
192.168.5.1).
d8:58:d7:4b:4b:0f is the MAC address of 192.168.5.1.

Please see the attached files with debug output.


    Expected result

nping, when used with --send-eth, sends an ARP request and uses the resolved MAC address to send a raw Ethernet packet 
in the same L2 segment.


    Actual result

nping, when used with --send-eth, does not try to perform ARP resolution of the destination and switches to routing 
mode.

Attachment: nping_1.txt
Description:

Attachment: nping_2.txt
Description:

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
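
Added example, not part of the original message and not nping's code: a longest-prefix-match lookup over the routing table quoted in the report. It reproduces the "Directly connected?: no" / "Next Hop Address: 192.168.5.1" result for 172.16.1.1 and shows how an on-link route changes which IP gets ARP-resolved. The function names and the extra 172.16.0.0/16 route are assumptions made for illustration.

```python
import ipaddress

# Routing table copied from the `ip r` output in the report.
REPORT_ROUTES = """\
default via 192.168.5.1 dev eth0-26042
192.168.5.0/24 dev eth0-26042 proto kernel scope link src 192.168.5.22
"""

def parse_routes(text):
    """Parse the subset of `ip route` output that appears in the report."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        opts = dict(zip(tok[1::2], tok[2::2]))  # "via X", "dev Y", ...
        routes.append({
            "net": ipaddress.ip_network(prefix),
            "via": opts.get("via"),   # None means the prefix is on-link
            "dev": opts.get("dev"),
        })
    return routes

def resolve_l2_target(routes, dst):
    """Longest-prefix match; report which IP must be ARP-resolved."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r["net"]]
    if not matches:
        return None  # no route at all, not even a default
    best = max(matches, key=lambda r: r["net"].prefixlen)
    direct = best["via"] is None
    return {
        "dev": best["dev"],
        "directly_connected": direct,
        "arp_for": str(dst) if direct else best["via"],
    }

def check(routes_text, dst):
    return resolve_l2_target(parse_routes(routes_text), dst)

if __name__ == "__main__":
    # Table from the report: only the default route matches 172.16.1.1.
    print(check(REPORT_ROUTES, "172.16.1.1"))
    # Constructed on-link route (hypothetical, not in the report).
    onlink = REPORT_ROUTES + "172.16.0.0/16 dev eth0-26042\n"
    print(check(onlink, "172.16.1.1"))
```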
