Nmap Development mailing list archives
nmap option '-f' (fragment) doesn't work on Linux v2.4
From: milosevic () fastmail fm
Date: Thu, 15 May 2003 07:48:20 -0700
It appears that the "fragment" option doesn't work on Linux v2.4, or at least v2.4.18, which is what I'm running. "tcpdump" reveals that "nmap -sS -f -P0" transmits a single 40 byte SYN packet. On Linux v2.2, the same action produces two fragments of 36 and 24 bytes, as described in the manual.

It seems that this is not nmap's fault. Experimentation with raw sockets shows that the kernel attempts to defragment all locally-generated packets. Nothing is transmitted until the final fragment is submitted to the kernel, at which point a single unfragmented packet appears on the wire. Linux v2.2 seems to preserve locally generated fragments regardless of the value of the /proc/sys/net/ipv4/ip_always_defrag switch. In Linux v2.4, this switch doesn't even exist.

Is there some way to get around this "feature" of Linux v2.4, so that "nmap -f" can perform its intended function?

Another (possibly stupid) question: why doesn't nmap fragment the TCP segment at offset 8 instead of 16, so that the TCP flags appear in the second fragment? Wouldn't that have a better chance of confusing gateways and firewalls, especially in the common case that SYN packets with a particular destination port are filtered?

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
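The two fragment layouts the post compares (a 36/24 byte split at TCP offset 16 versus a split at offset 8) are exactly the case the RFC 1858 "tiny fragment" and "offset 1" filter rules were written for. The following script is an added example, not code from the post or from nmap: it builds a 40-byte SYN packet from constructed addresses and ports, fragments it at a chosen payload offset, and runs a defender-side check that reports whether a first fragment still carries the TCP flags byte (TCP header offset 13) and whether a later fragment lands at offset 8, where it could overwrite those flags on reassembly. All addresses, ports and the IP identification value are assumptions chosen for the sample.

```python
import socket
import struct

# Constructed sample endpoints (assumptions, not values from the post).
SRC, DST = "192.0.2.1", "192.0.2.2"
TCP_FLAGS_END = 14  # TCP header bytes 0..13: ports, seq, ack, data offset, flags


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(payload_len: int, ident: int, mf: bool, frag_offset_bytes: int) -> bytes:
    """20-byte IPv4 header; MF is bit 13 of flags/offset, offset is in 8-byte units."""
    flags_frag = (0x2000 if mf else 0) | ((frag_offset_bytes // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, 6, 0, socket.inet_aton(SRC), socket.inet_aton(DST))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_syn_header(sport: int = 40000, dport: int = 80) -> bytes:
    """Minimal 20-byte TCP header with only SYN set (checksum left zero; not verified here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_syn_packet() -> bytes:
    """The 40-byte unfragmented SYN the post saw on the wire on Linux 2.4."""
    tcp = tcp_syn_header()
    return ipv4_header(len(tcp), 0x1234, False, 0) + tcp


def fragment_tcp_packet(packet: bytes, first_payload_len: int) -> list:
    """Split an IPv4 packet into two fragments; the first carries first_payload_len bytes."""
    if first_payload_len % 8:
        raise ValueError("fragment boundaries must be multiples of 8 bytes")
    ihl = (packet[0] & 0x0F) * 4
    ident = struct.unpack("!H", packet[4:6])[0]
    payload = packet[ihl:]
    head, tail = payload[:first_payload_len], payload[first_payload_len:]
    return [ipv4_header(len(head), ident, True, 0) + head,
            ipv4_header(len(tail), ident, False, first_payload_len) + tail]


def parse_ipv4_fragment(frag: bytes) -> dict:
    """Pull the fields a fragment filter needs out of an IPv4 fragment."""
    ihl = (frag[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", frag[2:8])
    return {"ident": ident, "proto": frag[9], "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": frag[ihl:total_len]}


def suspicious_tcp_fragment(frag: bytes):
    """RFC 1858 style check. Returns a reason string, or None if the fragment looks ordinary."""
    f = parse_ipv4_fragment(frag)
    if f["proto"] != 6:
        return None
    # Tiny first fragment: more fragments follow but the TCP flags byte is not in this one,
    # so a filter that matches on SYN/dst port cannot see them here.
    if f["offset"] == 0 and f["mf"] and len(f["payload"]) < TCP_FLAGS_END:
        return "tiny first fragment"
    # A fragment at offset 8 covers TCP bytes 8..15 and can overwrite the flags on reassembly.
    if f["offset"] == 8:
        return "fragment at offset 8 overlaps TCP flags"
    return None


if __name__ == "__main__":
    pkt = build_syn_packet()
    for split in (16, 8):
        frags = fragment_tcp_packet(pkt, split)
        print("split at %d:" % split, [len(x) for x in frags],
              [suspicious_tcp_fragment(x) for x in frags])
```

Splitting at 16 reproduces the 36 and 24 byte fragments the post describes for Linux 2.2, and neither fragment trips the check; splitting at 8 yields a first fragment that omits the flags and a second one at the offset RFC 1858 tells filters to drop, which is why that layout is the one stateless filters were hardened against.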
Current thread:
- nmap option '-f' (fragment) doesn't work on Linux v2.4 milosevic (May 15)
- Re: nmap option '-f' (fragment) doesn't work on Linux v2.4 Philippe Biondi (May 17)