Nmap Development mailing list archives

Re: nmap option '-f' (fragment) doesn't work on Linux v2.4


From: Philippe Biondi <biondi () cartel-securite fr>
Date: Sat, 17 May 2003 23:04:10 +0200 (CEST)

On Thu, 15 May 2003 milosevic () fastmail fm wrote:

It appears that the "fragment" option doesn't work on Linux v2.4,
or at least v2.4.18, which is what I'm running. "tcpdump" reveals that
"nmap -sS -f -P0" transmits a single 40 byte SYN packet. On Linux v2.2,
the same action produces two fragments of 36 and 24 bytes,
as described in the manual.

It seems that this is not nmap's fault. Experimentation with raw
sockets shows that the kernel attempts to defragment all locally-
generated packets. Nothing is transmitted until the final fragment
is submitted to the kernel, at which point a single unfragmented
packet appears on the wire.

Linux v2.2 seems to preserve locally generated fragments regardless
of the value of the /proc/sys/net/ipv4/ip_always_defrag switch.
In Linux v2.4, this switch doesn't even exist.

Is there some way to get around this "feature" of Linux v2.4, so that
"nmap -f" can perform its intended function?

It is because of the netfilter conntrack code. If you have compiled it as a
module, just remove ip_conntrack and it should work.

If you can't do that, you have to use PF_PACKET to bypass firewalling
code. Scapy (http://www.cartel-securite.fr/pbiondi/scapy.html) can do
that.

-- 
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D                      http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94                     Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
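The defragmentation step the thread is describing, as an added illustration that is not code from this message, from nmap or from Scapy: Linux 2.4's conntrack reassembles the locally generated fragments before they reach the wire, and a firewall or IDS has to do the same reassembly before it can inspect the TCP header of a fragmented SYN. The sample fragments are constructed (made-up addresses and IP id) to match the 36- and 24-byte sizes quoted above.

```python
import struct

IP_MF = 0x2000  # "More Fragments" bit in the IPv4 flags/fragment-offset field

def parse_fragment(pkt: bytes):
    """Return (key, byte offset, more-fragments flag, IP header, payload) for one fragment."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, frag_field = struct.unpack("!HHH", pkt[2:8])
    key = (pkt[12:16], pkt[16:20], ident, pkt[9])  # src, dst, IP id, protocol
    return key, (frag_field & 0x1FFF) * 8, bool(frag_field & IP_MF), pkt[:ihl], pkt[ihl:total_len]

def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over the header (checksum field zeroed first)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def reassemble(fragments):
    """Rebuild one datagram; None while a piece is missing, or if pieces overlap or mix flows."""
    pieces, first_hdr, end, keys = {}, None, None, set()
    for frag in fragments:
        key, off, mf, hdr, data = parse_fragment(frag)
        keys.add(key)
        pieces[off] = data
        if off == 0: first_hdr = hdr      # the first fragment supplies the header we reuse
        if not mf: end = off + len(data)  # the last fragment tells us the total payload size
    if len(keys) != 1 or first_hdr is None or end is None:
        return None
    cursor, body = 0, b""
    for off in sorted(pieces):  # demand gap-free, non-overlapping coverage of [0, end)
        if off != cursor: return None
        body += pieces[off]
        cursor += len(pieces[off])
    if cursor != end: return None
    hdr = bytearray(first_hdr)
    struct.pack_into("!H", hdr, 2, len(hdr) + len(body))  # total length of the rebuilt datagram
    struct.pack_into("!HBBH", hdr, 6, 0, hdr[8], hdr[9], 0)  # clear MF/offset and old checksum
    struct.pack_into("!H", hdr, 10, ip_checksum(hdr))
    return bytes(hdr) + body

def make_fragments():
    """Constructed sample (not captured traffic): a 40-byte SYN split as the thread describes."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 1024, 0, 0)  # flags = SYN
    def ip_hdr(total_len, frag_field):  # TTL 64, protocol 6 (TCP), checksum left at zero
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0xBEEF, frag_field,
                           64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    # 36 bytes = IP header + first 16 TCP bytes (MF set); 24 bytes = header + last 4 (offset 16/8)
    return ip_hdr(36, IP_MF) + tcp[:16], ip_hdr(24, 16 // 8) + tcp[16:]
```

Feeding the two fragments in either order yields the single 40-byte datagram that tcpdump shows on a 2.4 kernel; withholding the last fragment yields nothing, which is the "nothing is transmitted until the final fragment" behaviour observed above.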


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
