Nmap Development mailing list archives
Re: Fragmentation scan
From: Alan Jenkins <sourcejedi () phonecoop coop>
Date: Thu, 7 Oct 2004 09:43:58 +0100
On Wednesday 06 October 2004 21:30, you wrote:
> On Wed, Oct 06, 2004 at 09:05:28PM +0100, Alan Jenkins wrote:
> > Does the -f option do anything? I have been unable to see any
> > difference in the packets sent (with --packet_trace and tcpdump). I am
> > using nmap 3.7.0 on linux 2.6.6. The option is documented - has it been
> > silently dropped in 3.7?
>
> Recent (maybe 2.4+ -- anyone know exactly when it started?) Linux kernels
> seem to defragment the packets Nmap sends before sticking them on the
> wire :(. Sadly, raw sockets just don't seem to give Nmap the level of
> control it needs on many platforms (Solaris has issues with adding the
> don't fragment bit, and Windows SP2 cripples the whole interfaces).
>
> For this reason, and due to a desire for cool local network host
> enumeration techniques such as ARP scan, I think I want to move Nmap to
> writing raw ethernet frames in preference to raw sockets when dealing
> with ethernet-compatible devices (includes 802.11 wireless devices).
> That should resolve many of these problems, hopefully without adding a
> bunch of its own. I haven't researched the best way to move forward yet
> -- maybe libdnet, maybe write my own library. It needs to work well on
> Windows, since that is the platform with the most pathetic raw sockets
> implementation.
>
> Cheers,
> Fyodor
> (who is currently occupied with a huge OS fingerprint update)
Cool. I'll have a look at the defragmentation linux is doing. I bet linux is now defragmenting everything, whether it's from an external host or from a local raw sockets program.

CONFIG_IP_ALWAYS_DEFRAG is mentioned in the nmap man page - perhaps this is now always enabled, or has been changed to the default, or extended to apply to local raw socket packets.

Thanks
Alan
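Added example, not part of the original message or of Nmap: the thread turns on whether fragments are actually visible in a capture, so this sketch decodes the IPv4 fragmentation fields (DF, MF, fragment offset) of raw packets and counts whole packets, fragments, and first fragments too short to hold a full TCP header. The function names, the 192.0.2.x addresses and the sample packets are constructed for illustration.

```python
import struct

MIN_TCP_HEADER = 20  # bytes; a first fragment carrying less splits the TCP header

def build_ipv4(ident, mf, offset_units, payload_len, df=False):
    """Constructed sample data: a 20-byte IPv4 header (proto TCP, checksum 0) plus padding."""
    flags_frag = (df << 14) | (mf << 13) | offset_units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + b"\x00" * payload_len

def frag_info(packet):
    """Decode the fragmentation fields of one raw IPv4 packet (no link-layer header)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    mf = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8  # the field counts 8-byte units
    payload = total_len - ihl
    return {
        "id": ident, "df": bool(flags_frag & 0x4000), "mf": mf,
        "offset": offset, "payload": payload,
        "fragment": mf or offset > 0,
        # first fragment of a TCP packet that is too short for a whole TCP header
        "tiny_first": mf and offset == 0 and packet[9] == 6
                      and payload < MIN_TCP_HEADER,
    }

def summarize(packets):
    """Count whole packets, fragments and tiny first fragments in a capture."""
    infos = [frag_info(p) for p in packets]
    return {
        "whole": sum(not i["fragment"] for i in infos),
        "fragments": sum(i["fragment"] for i in infos),
        "tiny_first": sum(i["tiny_first"] for i in infos),
    }

# Constructed capture: one unfragmented probe, then one probe split 8 + 8 + 4 bytes.
SAMPLE = [
    build_ipv4(0x1111, mf=False, offset_units=0, payload_len=20),
    build_ipv4(0x2222, mf=True, offset_units=0, payload_len=8),
    build_ipv4(0x2222, mf=True, offset_units=1, payload_len=8),
    build_ipv4(0x2222, mf=False, offset_units=2, payload_len=4),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A capture in which every packet counts as "whole" matches what the thread describes: the packets were reassembled before reaching the wire.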