Nmap Announce mailing list archives
Re: libpcap change in nmap ?
From: Fyodor <fyodor () dhp com>
Date: Fri, 29 Jan 1999 18:06:40 -0500 (EST)
On Fri, 29 Jan 1999, Lamont Granquist wrote:
> Actually, I don't think this is a bug. I think its a mis-named feature.

I think it is clearly a bug. The pcap man page states that "to_ms specifies the read timeout in milliseconds". They provide pcap_loop() which "is similar to pcap_dispatch() except ... it does not return when live read timeouts occur". Thus you should use pcap_dispatch() if you want to honor your read timeout value and pcap_loop() if you want to block (potentially) forever waiting for a packet. This is how it works on Solaris and *BSD. But Linux can block forever even on a pcap_dispatch() with a small "read timeout". This is what I fixed in the version that comes with nmap, and the libpcap folks did imply that they would incorporate the change, although they haven't released a new version since then.

> I think that programs are supposed to use that "timeout" value as a suggested value to improve packet filter performance, but that they're supposed to ultimately be responsible for making sure that they're calling pcap for long enough, and doing their own timeouts.

It is very ugly for programs to do "their own timeouts" while they are blocked deep within the bowels of libpcap. You've got to setjmp, schedule an alarm, and do a non-local goto (longjmp) from the SIGALRM handler to the function that called pcap_dispatch(). Or you can use jsb4ch's sscan technique of sending yourself bogus packets. Clearly neither technique is suitable for a "civilised" program. Thus I just fixed pcap so that the timeout works the same in Linux as it does in the other operating systems.

> On other fronts, all this TCP sequence number prediction information has got me curious about blind spoofing attacks, and I'm making slow progress on it -- but the standard theoretical rsh attack turns out to be a bit more difficult than daemon9 makes it out to be in P48-14.

Yeah, I've also found writing sequence prediction programs that work to be a bitch. It doesn't seem like it would be hard, but there are a ton of minor details. Do a 64K sequencer and make sure that works first before you go after the time dependent machines (like Windows).

Cheers,
Fyodor

--
Fyodor 'finger pgp () www insecure org | pgp -fka'
Frustrated by firewalls? Try nmap: http://www.insecure.org/nmap/
In a free and open marketplace, it would be surprising to have such an obviously flawed standard generate much enthusiasm outside of the criminal community. --Mitch Stone on Microsoft ActiveX
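The setjmp / alarm / longjmp workaround Fyodor describes above, written out as an added C example that is not part of the original thread, of nmap, or of libpcap. Instead of pcap_dispatch() it wraps a constructed stand-in, stubborn_read(), that swallows EINTR and retries, which is what makes a plain signal insufficient and forces the non-local goto. The names read_with_alarm(), stubborn_read(), demo_empty_pipe() and demo_ready_pipe() are this example's own, and the pipe contents are constructed sample data.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Jump target and arming flag shared between caller and SIGALRM handler. */
static sigjmp_buf timeout_env;
static volatile sig_atomic_t timeout_armed = 0;

/* SIGALRM handler: abandon whatever we were blocked in and jump back
 * to the sigsetjmp() in read_with_alarm(). This is the "non-local goto"
 * from the message above, and it is only safe because read() is
 * async-signal-safe; a library blocked inside malloc() or holding a
 * lock would be left in an inconsistent state. */
static void alarm_handler(int signo)
{
    (void)signo;
    if (timeout_armed) {
        timeout_armed = 0;
        siglongjmp(timeout_env, 1);
    }
}

/* Constructed stand-in for a library call that retries on EINTR, so an
 * interrupting signal alone never gets control back to the caller. */
static ssize_t stubborn_read(int fd, void *buf, size_t len)
{
    for (;;) {
        ssize_t n = read(fd, buf, len);
        if (n < 0 && errno == EINTR)
            continue;
        return n;
    }
}

/* Read from fd but give up after `seconds`.
 * Returns bytes read (>= 0), -1 on error, -2 on timeout. */
ssize_t read_with_alarm(int fd, void *buf, size_t len, unsigned seconds)
{
    struct sigaction sa, old;
    ssize_t n;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;                      /* no SA_RESTART on purpose */
    if (sigaction(SIGALRM, &sa, &old) < 0)
        return -1;

    /* Save signal mask (second arg 1) so it is restored after the jump. */
    if (sigsetjmp(timeout_env, 1) != 0) {
        /* Landed here via siglongjmp(): the alarm fired mid-read. */
        alarm(0);
        sigaction(SIGALRM, &old, NULL);
        return -2;
    }

    timeout_armed = 1;
    alarm(seconds);
    n = stubborn_read(fd, buf, len);      /* would block forever on its own */
    alarm(0);
    timeout_armed = 0;
    sigaction(SIGALRM, &old, NULL);
    return n;
}

/* Pipe with no writer: the read can only end via the alarm. */
long demo_empty_pipe(void)
{
    int fds[2];
    char buf[16];
    long r;
    if (pipe(fds) < 0)
        return -1;
    r = (long)read_with_alarm(fds[0], buf, sizeof buf, 1);
    close(fds[0]);
    close(fds[1]);
    return r;
}

/* Pipe with constructed sample data already queued: returns normally. */
long demo_ready_pipe(void)
{
    int fds[2];
    char buf[16];
    long r;
    if (pipe(fds) < 0 || write(fds[1], "hello", 5) != 5)
        return -1;
    r = (long)read_with_alarm(fds[0], buf, sizeof buf, 1);
    close(fds[0]);
    close(fds[1]);
    return r;
}

int main(void)
{
    printf("empty pipe -> %ld (expect -2, timeout)\n", demo_empty_pipe());
    printf("ready pipe -> %ld (expect 5 bytes)\n", demo_ready_pipe());
    return 0;
}
```

Because stubborn_read() retries on EINTR, clearing SA_RESTART is not enough; only the siglongjmp() out of the handler gets control back, which is exactly why doing "their own timeouts" from inside a blocked library call is as ugly as the message says.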
Current thread:
- libpcap change in nmap ? fzef fzef (Jan 28)
- Re: libpcap change in nmap ? Fyodor (Jan 29)
- Re: libpcap change in nmap ? Lamont Granquist (Jan 29)
- Re: libpcap change in nmap ? Fyodor (Jan 29)
- Re: libpcap change in nmap ? Lamont Granquist (Jan 29)
- <Possible follow-ups>
- Re: libpcap change in nmap ? johann sebastian bach (Jan 29)
- Re: libpcap change in nmap ? Fyodor (Jan 29)