Nmap Development mailing list archives

Re: Detecting upstream filters


From: Fyodor <fyodor () insecure org>
Date: Mon, 5 Mar 2001 19:39:49 -0800 (PST)

On Tue, 27 Feb 2001, Rasmus Andersson wrote:

> My idea is to detect any ICMP-unreachable that originates from an
> intermediate host [any host except the target], and include that in the
> output, something like this:

Yes, I agree that this can be important information.  In fact, my XML
output proposal
(http://lists.insecure.org/nmap-dev/2000/Jul-Sep/0038.html) does contain
this information:

<port protocol="UDP" port="31337"> 
   <state state="filtered" conf="5" />
   <filteredby><packet proto="ICMP" type="3" code="3" 
                name="ICMP port unreachable" srcipaddr="10.3.7.4" ip_v="4" />
   </filteredby> 
   <service name="backorifice" conf="3" method="table" /> 
</port>

Unfortunately, Nmap does not yet have code to output this.  However, I
would accept a quality patch which adds this functionality to both
pos_scan and super_scan.  I don't know about printing it in the normal
output -- I wouldn't want to do it for each port (that space to the right
is reserved).  But perhaps if all the "filtered" ports are blocked by the
same machine, a line could be printed above the port list specifying the
filter IP.

Note that Nmap already does detect those ICMP unreachables from machines
other than the target and it takes the appropriate action (e.g. figures out
what port they are referring to and marks it as filtered).  Nmap just
isn't verbose about it.

Cheers,
-F
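
A sketch of the summary line suggested in the message above, as an added example that is not part of the original message or of Nmap: it parses `<port>` elements in the proposed XML format and reports a filter IP only when one intermediate host accounts for every filtered port. The `<ports>` wrapper, the target address, the extra ports and the function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the <port> layout follows the proposal quoted above; the
# <ports> wrapper and the entries for ports 31338 and 53 are made up here.
SAMPLE = """
<ports>
  <port protocol="UDP" port="31337">
    <state state="filtered" conf="5" />
    <filteredby><packet proto="ICMP" type="3" code="3"
        name="ICMP port unreachable" srcipaddr="10.3.7.4" ip_v="4" /></filteredby>
  </port>
  <port protocol="UDP" port="31338">
    <state state="filtered" conf="5" />
    <filteredby><packet proto="ICMP" type="3" code="13"
        name="ICMP admin prohibited" srcipaddr="10.3.7.4" ip_v="4" /></filteredby>
  </port>
  <port protocol="UDP" port="53">
    <state state="open" conf="5" />
  </port>
</ports>
"""

def upstream_filters(xml_text, target_ip):
    """Return ({filter_ip: {(proto, port), ...}}, number_of_filtered_ports)."""
    by_src, filtered = defaultdict(set), 0
    for port in ET.fromstring(xml_text).iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "filtered":
            continue
        filtered += 1
        for pkt in port.iterfind("filteredby/packet"):
            src = pkt.get("srcipaddr")
            if src and src != target_ip:  # sent by an intermediate host
                by_src[src].add((port.get("protocol"), int(port.get("port"))))
    return dict(by_src), filtered

def summary_line(xml_text, target_ip):
    """One header line, only when a single upstream host explains every filtered port."""
    by_src, filtered = upstream_filters(xml_text, target_ip)
    if filtered and len(by_src) == 1:
        (src, ports), = by_src.items()
        if len(ports) == filtered:
            return f"All {filtered} filtered ports are blocked by {src}"
    return None

if __name__ == "__main__":
    print(summary_line(SAMPLE, "10.3.7.9"))  # 10.3.7.9 is an assumed target address
```
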

