Nmap Announce mailing list archives

Re: libpcap change in nmap ?


From: Fyodor <fyodor () dhp com>
Date: Fri, 29 Jan 1999 18:06:40 -0500 (EST)

On Fri, 29 Jan 1999, Lamont Granquist wrote:

> Actually, I don't think this is a bug.  I think it's a mis-named feature.

I think it is clearly a bug.  The pcap man page states that "to_ms
specifies the read timeout in milliseconds".  They provide pcap_loop()
which "is similar to pcap_dispatch() except ... it does not return when
live read timeouts occur".  Thus you should use pcap_dispatch() if you
want to honor your read timeout value and pcap_loop() if you want to block
(potentially) forever waiting for a packet.  This is how it works on
Solaris and *BSD.  But Linux can block forever even on a pcap_dispatch()
with a small "read timeout".  This is what I fixed in the version that
comes with nmap, and the libpcap folks did imply that they would
incorporate the change, although they haven't released a new version since
then.

> I think that programs are supposed to use that "timeout" value as a
> suggested value to improve packet filter performance, but that they're
> supposed to ultimately be responsible for making sure that they're calling
> pcap for long enough, and doing their own timeouts.

It is very ugly for programs to do "their own timeouts" while they are
blocked deep within the bowels of libpcap.  You've got to setjmp, schedule
an alarm, and do a non-local goto (longjmp) from the SIGALRM handler to
the function that called pcap_dispatch().  Or you can use jsb4ch's sscan
technique of sending yourself bogus packets.  Clearly neither technique is
suitable for a "civilised" program.  Thus I just fixed pcap so that the
timeout works the same in Linux as it does in the other operating systems.

> On other fronts, all this TCP sequence number prediction information has
> got me curious about blind spoofing attacks, and I'm making slow progress
> on it -- but the standard theoretical rsh attack turns out to be a bit
> more difficult than daemon9 makes it out to be in P48-14.

Yeah, I've also found writing sequence prediction programs that work to be
a bitch.  It doesn't seem like it would be hard, but there are a ton of
minor details.  Do a 64K sequencer and make sure that works first before
you go after the time dependent machines (like Windows).

Cheers,
Fyodor

--
Fyodor                            'finger pgp () www insecure org | pgp -fka'
Frustrated by firewalls?          Try nmap: http://www.insecure.org/nmap/
In a free and open marketplace, it would be surprising to have such an
obviously flawed standard generate much enthusiasm outside of the criminal
community.  --Mitch Stone on Microsoft ActiveX
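The setjmp/alarm/longjmp workaround that the message calls "very ugly" is easiest to judge by seeing it written out. The following is an added example, not code from the original message or from nmap or libpcap; it stands a blocking read() on a pipe with no writer in for a pcap_dispatch() call that never returns, so that it runs without libpcap, and the names read_with_timeout, demo_timeout and demo_data are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

/* Jump buffer and flag shared with the signal handler. Both are global,
   which is the first reason this technique does not compose well. */
static sigjmp_buf timeout_env;
static volatile sig_atomic_t timeout_armed = 0;

/* SIGALRM handler: leave the blocked call by a non-local goto. */
static void on_alarm(int signo) {
    (void)signo;
    if (timeout_armed)
        siglongjmp(timeout_env, 1);
}

/* Arm (ms > 0) or disarm (ms == 0) a one-shot real-time timer. */
static void set_ms_timer(unsigned ms) {
    struct itimerval it;
    memset(&it, 0, sizeof it);
    it.it_value.tv_sec = ms / 1000;
    it.it_value.tv_usec = (ms % 1000) * 1000;
    setitimer(ITIMER_REAL, &it, NULL);
}

/* Read from fd, but give up and return -1 if nothing arrives within to_ms.
   read() here plays the role of a pcap_dispatch() that ignores its timeout. */
int read_with_timeout(int fd, char *buf, size_t len, unsigned to_ms) {
    struct sigaction sa, old;
    ssize_t n;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;              /* no SA_RESTART: the call must not resume */
    sigaction(SIGALRM, &sa, &old);

    if (sigsetjmp(timeout_env, 1) != 0) {
        /* We arrive here from on_alarm(): the blocking call was abandoned. */
        timeout_armed = 0;
        set_ms_timer(0);
        sigaction(SIGALRM, &old, NULL);
        return -1;
    }
    timeout_armed = 1;
    set_ms_timer(to_ms);
    n = read(fd, buf, len);       /* may block forever without the alarm */
    timeout_armed = 0;            /* data arrived in time: disarm */
    set_ms_timer(0);
    sigaction(SIGALRM, &old, NULL);
    return (int)n;
}

/* Constructed scenario 1: a pipe whose write end nobody writes to, so
   read() would block forever. Expected result: -1 after 100 ms. */
int demo_timeout(void) {
    int fds[2];
    char buf[16];
    if (pipe(fds) != 0)
        return -99;
    int r = read_with_timeout(fds[0], buf, sizeof buf, 100);
    close(fds[0]);
    close(fds[1]);
    return r;
}

/* Constructed scenario 2: three bytes are already waiting, so read()
   returns at once and the timer is disarmed. Expected result: 3. */
int demo_data(void) {
    int fds[2];
    char buf[16];
    if (pipe(fds) != 0)
        return -99;
    if (write(fds[1], "pkt", 3) != 3)
        return -98;
    int r = read_with_timeout(fds[0], buf, sizeof buf, 100);
    close(fds[0]);
    close(fds[1]);
    return r;
}

int main(void) {
    printf("no data:   %d\n", demo_timeout());
    printf("with data: %d\n", demo_data());
    return 0;
}
```

The example works, but it shows why the message prefers fixing the timeout inside libpcap instead: the jump buffer and armed flag are process-global state, siglongjmp() out of the middle of a library call leaves whatever that library was doing (locks, partially filled buffers) in an undefined state, and there is a window between read() returning and the disarm where a late alarm can still discard data that was actually received.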