Nmap Development mailing list archives

Re: Fragmentation scan


From: Fyodor <fyodor () insecure org>
Date: Wed, 6 Oct 2004 13:30:02 -0700

On Wed, Oct 06, 2004 at 09:05:28PM +0100, Alan Jenkins wrote:
> Does the -f option do anything?  I have been unable to see any difference in
> the packets sent (with --packet_trace and tcpdump).  I am using nmap 3.7.0 on
> linux 2.6.6.  The option is documented - has it been silently
> dropped in 3.7?

Recent (maybe 2.4+ -- anyone know exactly when it started?) Linux
kernels seem to defragment the packets Nmap sends before sticking them
on the wire :(.  Sadly, raw sockets just don't seem to give Nmap the
level of control it needs on many platforms (Solaris has issues with
adding the don't fragment bit, and Windows SP2 cripples the whole
interface).  For this reason, and due to a desire for cool local
network host enumeration techniques such as ARP scan, I think I want
to move Nmap to writing raw ethernet frames in preference to raw
sockets when dealing with ethernet-compatible devices (includes 802.11
wireless devices).  That should resolve many of these problems,
hopefully without adding a bunch of its own.  I haven't researched the
best way to move forward yet -- maybe libdnet, maybe write my own
library.  It needs to work well on Windows, since that is the platform
with the most pathetic raw sockets implementation.

Cheers,
Fyodor (who is currently occupied with a huge OS fingerprint update)
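The tcpdump check Alan describes, done in code, as an added example that is not part of this thread: it decodes the IPv4 fragmentation fields of each captured packet and groups fragments per datagram, so you can tell whether the fragments Nmap logged with --packet_trace actually reached the wire or were reassembled by the kernel first. The sample datagrams are constructed here (a 20-byte TCP SYN header, once whole and once split 8/8/4 bytes, the 8-byte fragment size Nmap's -f uses); addresses and IP IDs are made up.

```python
import struct
from collections import defaultdict

IP_DF, IP_MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header; return the fields that matter for fragmentation."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ident": ident, "proto": proto,
        "df": bool(flags_off & IP_DF), "mf": bool(flags_off & IP_MF),
        "offset": (flags_off & OFFSET_MASK) * 8,   # offset field is in 8-byte units
        "payload": pkt[ihl:total_len],
    }

def is_fragment(hdr: dict) -> bool:
    # Either "more fragments" set or a non-zero offset means the datagram was split.
    return hdr["mf"] or hdr["offset"] > 0

def fragment_report(packets) -> dict:
    """Group packets by (src, dst, id, proto) and report how each datagram went out."""
    groups = defaultdict(list)
    for pkt in packets:
        h = parse_ipv4(pkt)
        groups[(h["src"], h["dst"], h["ident"], h["proto"])].append(h)
    return {key: {"fragments": len(frags),
                  "fragmented": any(is_fragment(h) for h in frags),
                  "payload_bytes": sum(len(h["payload"]) for h in frags)}
            for key, frags in groups.items()}

def build_ipv4(payload: bytes, ident: int, flags_off: int,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", proto=6) -> bytes:
    """Constructed test packet builder (checksum left zero; not meant for sending)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_off, 64, proto, 0, src, dst) + payload

# Constructed samples: one unfragmented SYN (DF set), one SYN split into 8/8/4-byte fragments.
TCP_SYN = bytes.fromhex("c0de0050" "00000001" "00000000" "50020400" "00000000")
WHOLE = [build_ipv4(TCP_SYN, 0x1111, IP_DF)]
FRAGS = [build_ipv4(TCP_SYN[0:8], 0x2222, IP_MF | 0),    # offset 0, more to come
         build_ipv4(TCP_SYN[8:16], 0x2222, IP_MF | 1),   # offset 8
         build_ipv4(TCP_SYN[16:20], 0x2222, 2)]          # offset 16, last fragment
```

On a real capture, feed the IP-layer bytes of each frame to fragment_report: a datagram that shows one entry with fragmented False, despite --packet_trace listing fragments, is exactly the kernel reassembly Fyodor describes.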
