Nmap Development mailing list archives

Re: UDP pings


From: Fyodor <fyodor () insecure org>
Date: Thu, 3 Apr 2003 22:49:24 -0800

On Tue, Jan 21, 2003 at 05:53:12PM -0800, Andy Lutomirski wrote:
> I noticed today that some Linksys boxes can be set to "filter"
> incoming TCP and UDP, but apparently will always (except for
> rate-limiting) return port unreachable for UDP.  While this can be
> easily used to detect them in current build (nmap -sU -p33333 -P0
> <box>), it would be nice to have it as a ping mode (nmap -sP
> -P<whatever> -PU33333 <range>).

Hi Andy.  I have also wanted -PU for a while, so today I implemented
it.  It takes a port range (like -PS or -PA) and sends a UDP packet to
each given port.  If a port unreachable (or UDP response) is returned,
the host is considered to be up.  When testing, I was surprised to see
an unusual box up on my home network!  Further investigation revealed
that it was indeed a Linksys ("WAN Port") which does not respond to
the normal Nmap ICMP/TCP probes and so I hadn't even realized it was
there!

This capability will be in the next version, which will either be
released in the next few days or a couple weeks from now when I return
from the CanSecWest and RSA conferences.  If I don't make a public
release, I'll try to at least stick something new at
http://download.insecure.org/nmap/dist/?M=D before I leave on Tuesday.

> This also suggests another feature idea: report which ping(s) a host
> responded to.

Then Nmap would have to wait for responses (or timeout) to every
probe.  I like being able to short circuit that if a response comes in
early.  All of the TCP & UDP "ping" types have port scan equivalents
that can be used (with -P0) if you want to determine which ports are
listening.  Ping scan is just to determine what hosts are responsive.

Cheers,
-F

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
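
Added example, not part of the original message and not Nmap's code: a sketch of the reply classification the message describes for a UDP ping, where an ICMP port unreachable or a UDP response counts as "host up" while other errors, such as a router's host unreachable, do not. The function names, the 192.0.2.x addresses, source port 40000 and the rule that the reply must come from the target itself are assumptions; port 33333 is the one used in the thread.

```python
import struct

ICMP, UDP = 1, 17

def parse_ipv4(pkt):
    """Return (proto, src, dst, payload), or None if not a sane IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:]

def is_up_evidence(reply, target, probe_port):
    """True if reply shows target answered our UDP probe to probe_port."""
    outer = parse_ipv4(reply)
    if outer is None or outer[1] != target:   # assumption: reply must come from target
        return False
    proto, _src, _dst, body = outer
    if proto == UDP and len(body) >= 8:       # real UDP answer from the probed port
        return struct.unpack("!H", body[:2])[0] == probe_port
    if proto == ICMP and len(body) >= 8 and body[:2] == b"\x03\x03":
        inner = parse_ipv4(body[8:])          # quoted header of the packet that triggered it
        if inner is None or inner[0] != UDP or inner[2] != target or len(inner[3]) < 4:
            return False
        return struct.unpack("!H", inner[3][2:4])[0] == probe_port
    return False                              # e.g. host unreachable from a router

# --- constructed sample packets (192.0.2.0/24 is a documentation range) ---
def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, src, dst) + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SCANNER, TARGET, ROUTER = (bytes([192, 0, 2, n]) for n in (10, 77, 1))
PROBE = ipv4(UDP, SCANNER, TARGET, udp(40000, 33333))
PORT_UNREACH = ipv4(ICMP, TARGET, SCANNER, b"\x03\x03" + bytes(6) + PROBE)
HOST_UNREACH = ipv4(ICMP, ROUTER, SCANNER, b"\x03\x01" + bytes(6) + PROBE)
UDP_REPLY = ipv4(UDP, TARGET, SCANNER, udp(33333, 40000, b"hi"))

if __name__ == "__main__":
    for name in ("PORT_UNREACH", "HOST_UNREACH", "UDP_REPLY"):
        print(name, is_up_evidence(globals()[name], TARGET, 33333))
```

Matching the quoted UDP header inside the ICMP error against the probe's destination and port keeps unrelated ICMP traffic from being counted as a response.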


