Nmap Announce mailing list archives
NMAP & "Whacked Packets" :-)
From: Daniel Ayers <daniel () netlink net nz>
Date: Thu, 8 Apr 1999 10:28:10 +1200 (NZST)
Hi,

I use nmap quite a lot as a general scanning tool. I have had some problems that I suspect have been mostly caused by the network environment (parts of the network seem to have more than the occasional packet loss, and that makes life hard for scanners). I've looked through the nmap code and compiled a version with debugging enabled ("#define DEBUGGING 1" in nmap.h). I've spent some time looking at the debugging output.

I should also mention that I usually run scans in parallel. I tend to split up the address space to be scanned into 5-10 chunks, and then run all those chunks in parallel (from the same host). I also scan hosts in bands of 2000 ports. This is to reduce the effect of lossy networks. If there are enough drops, nmap will iterate the scan until there are fewer drops or until it gives up after 20 attempts. By scanning the 64k port space 2000 ports at a time, the probability of massive (and possibly endless) rescans of 64k ports is eliminated.

It's also worth pointing out that there tend to be packet filters in between me and what I'm scanning. The packet filters are almost always static filters and they usually do not send ICMP unreachables. Therefore most ports appear unresponsive. (By implication, this scanning is blind brute force. No ICMP/TCP pinging, just a SYN stealth scan of 64k TCP ports on each IP.)

Now, the problem... :-)

Sometimes the scans just don't work. They yield completely incorrect results, usually showing no open ports at all when there are ports open. Sometimes a rescan using simpler parameters (nmap -sS -O -P0 -p1-1024 ...) will work OK.

I have a script that writes the appropriate nmap commands to split up the scan space into bands of 2000 ports and then "n" parallel streams. That script produces nmap command lines like this:

    nmap -vv -sS -P0 -O -p1-2000 -o file1 -m file2 A.B.C.D

(where A.B.C.D is a single numeric IP address).

Later, that same IP will be scanned further using:

    nmap -vv -sS -P0 -p2001-4000 -o file1 -m file2 A.B.C.D
    nmap -vv -sS -P0 -p4001-6000 -o file1 -m file2 A.B.C.D
    (etc)

When the scans don't work, the debugging output includes many lines of the form:

    Whacked packet to port 215 passed to posportupdate with state 16
    Whacked packet to port 401 passed to posportupdate with state 16
    Whacked packet to port 1509 passed to posportupdate with state 16
    Whacked packet to port 522 passed to posportupdate with state 16
    Whacked packet to port 2 passed to posportupdate with state 16
    Whacked packet to port 456 passed to posportupdate with state 16
    Whacked packet to port 971 passed to posportupdate with state 16
    Whacked packet to port 1428 passed to posportupdate with state 16
    Whacked packet to port 1835 passed to posportupdate with state 16
    Whacked packet to port 100 passed to posportupdate with state 16
    Whacked packet to port 270 passed to posportupdate with state 16

There are also a number of these messages:

    Illegal ICMP type/code 3/1 unreachable packet: Here it is:
    3 1 3D D 0 0 0 0 45 0 0 3C 38 3A 0 0 3A 6 D3 F0 XX XX XX XX XX XX XX XX DE A3 99 79 8C 9C BB 37

(IP addresses removed to protect the innocent :-)

My guess is that the ICMP messages are a result of parallel scans. I'm not sure about the "Whacked packet" messages. I wonder if I'm doing something that nmap wasn't designed to handle (lots of parallel scans, maybe they're getting each other's responses confused?) or maybe there is a problem in nmap? State 16 is PORT_FRESH, suggesting to me that one invocation of nmap is seeing responses it's not expecting, or a logic problem in the program.

Any assistance/suggestions would be appreciated.

Thanks,
Daniel.
------------------------------------------------------------------------------
Daniel Ayers ZL2UTV, B.Sc (Hons), M.Sc      Email: daniel.ayers () netlink co nz
Network Security Specialist                 DDI Phone: +64-4-494-6165
Netlink                                     Fax: +64-4-494-6150
23 Waring Taylor St, PO Box 5358            Mobile: +64-21-387-334
Wellington, New Zealand                     URL: http://www.netlink.co.nz
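The ICMP dump quoted in the post, decoded as an added example (not part of the original message or of nmap's code): it walks RFC 792's destination-unreachable layout, recovers the TCP ports of the SYN quoted inside the error, and maps the destination port onto the 2000-port bands the post's wrapper script uses, which is the check that tells you which parallel invocation sent the quoted probe. The dump string is constructed from the post's hex with the removed address bytes read as zeros; the function names are this example's own.

```python
import struct
from typing import Dict, Tuple

# Constructed from the dump quoted in the post above.  nmap's debugging printf
# writes each byte as bare hex without leading zeros, so "3D D" is 0x3D 0x0D.
# "XX" marks the address bytes the author removed; they are read as 0x00 here.
NMAP_DEBUG_DUMP = (
    "3 1 3D D 0 0 0 0 45 0 0 3C 38 3A 0 0 3A 6 D3 F0 "
    "XX XX XX XX XX XX XX XX DE A3 99 79 8C 9C BB 37"
)

def dump_to_bytes(dump: str) -> bytes:
    """Turn the space-separated hex tokens into the raw ICMP message."""
    return bytes(0 if tok.upper() == "XX" else int(tok, 16) for tok in dump.split())

def decode_icmp_unreachable(raw: bytes) -> Dict[str, int]:
    """Decode an ICMP destination-unreachable message (RFC 792): an 8-byte ICMP
    header, then the offending datagram's IP header and its first 8 bytes of
    payload, which for TCP is enough to recover both ports and the sequence."""
    if len(raw) < 8 + 20 + 8:
        raise ValueError("truncated ICMP unreachable message")
    icmp_type, icmp_code, icmp_csum = struct.unpack("!BBH", raw[:4])
    if icmp_type != 3:
        raise ValueError(f"not a destination-unreachable message (type {icmp_type})")
    inner = raw[8:]                      # the quoted IP datagram
    (ver_ihl, _tos, ip_len, ip_id, _frag, ttl, proto,
     _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4           # quoted IP header length in bytes
    out = {"type": icmp_type, "code": icmp_code, "icmp_csum": icmp_csum,
           "inner_len": ip_len, "inner_id": ip_id, "inner_ttl": ttl,
           "inner_proto": proto}
    if proto == 6 and len(inner) >= ihl + 8:   # TCP: src port, dst port, seq
        sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
        out.update({"src_port": sport, "dst_port": dport, "seq": seq})
    return out

def port_band(port: int, width: int = 2000) -> Tuple[int, int]:
    """Map a port to the width-sized band it falls in (1-2000, 2001-4000, ...),
    the split the post's wrapper script uses for its parallel nmap runs."""
    start = ((port - 1) // width) * width + 1
    return start, start + width - 1

if __name__ == "__main__":
    info = decode_icmp_unreachable(dump_to_bytes(NMAP_DEBUG_DUMP))
    print(info)
    print("quoted SYN was aimed at band", port_band(info["dst_port"]))
```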