Nmap Development mailing list archives

pcap_dispatch() returns outgoing packet despite pcap_setfilter


From: Martin Mačok <martin.macok () underground cz>
Date: Sun, 9 Jan 2005 12:03:39 +0100

% ./nmap localhost -sS -p1 --packet_trace -d -PA

Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2005-01-09 11:53 CET
Packet capture filter (device lo): (icmp and dst host 127.0.0.1) or ((tcp or udp) and dst host 127.0.0.1 and ( dst port 34205 or dst port 34206 or dst port 34207 or dst port 34208 or dst port 34209))
SENT (0.0010s) TCP 127.0.0.1:34206 > 127.0.0.1:80 A ttl=59 id=60899 iplen=40 seq=3264046046 win=4096 ack=1930257374
RCVD (0.0010s) TCP 127.0.0.1:34206 > 127.0.0.1:80 A ttl=59 id=60899 iplen=40 seq=3264046046 win=4096 ack=1930257374   <<< SEE THIS
RCVD (0.0010s) TCP 127.0.0.1:80 > 127.0.0.1:34206 R ttl=64 id=0 iplen=40 seq=1930257374 win=0
We got a TCP ping packet back from 127.0.0.1 port 80 (hostnum = 0 trynum = 0
Hostupdate called for machine 127.0.0.1 state UNKNOWN/COMBO -> HOST_UP (trynum 0, dotimeadj: yes time: 186)
Finished block: srtt: 66 rttvar: 5000 timeout: 100000 block_tries: 1 up_this_block: 1 down_this_block: 0 group_sz: 1
massping done:  num_hosts: 1  num_responses: 1
Initiating SYN Stealth Scan against localhost (127.0.0.1) [1 port] at 11:53
[..]


Could someone explain why nmap_main() -> nexthost() -> massping() ->
get_ping_results() -> readip_pcap() -> pcap_next() -> pcap_dispatch()
returns "TCP 127.0.0.1:34206 > 127.0.0.1:80 A" despite the packet
capture filter that shouldn't match it?

Martin Mačok
ICT Security Consultant
