Nmap Development mailing list archives

Re: Nmap 3.80 preview


From: Fyodor <fyodor () insecure org>
Date: Mon, 7 Feb 2005 01:41:06 -0800

On Mon, Feb 07, 2005 at 10:26:09AM +0100, Martin Mačok wrote:
> On Mon, Feb 07, 2005 at 09:08:46AM +0100, Andreas Ericsson wrote:
>
> 1) mtu=8 (tiny fragments) are more often dropped than mtu=16 (even
>    recommended in RFC)

But they are also more interesting to send, since the 8-byte fragment
with the port numbers does not have the TCP flags.

> 2) mtu=8 are more problematic to send (for example, you have to
>    completely disable firewall on FreeBSD, which is not needed for
>    mtu=16)

I hope to improve on this when I move away from raw sockets and to
sending raw ethernet frames by default.  I'm tired of all these silly
restrictions.  Plus, Windows is forcing the issue by intentionally
crippling raw sockets so that they cannot send TCP or UDP packets.
Sheesh MS is obnoxious!

And if someone has this problem now, they can always use -ff.  One can
argue for making -f be the coolest (8 byte) and keep -ff for people
who need that for one reason or another.

> 4) as told above, it seems to be more intuitive: -f fragment, -ff
>    fragment more.

Another way to think of it (with 3.81 semantics) is:
-f (smallest fragments, 8 bytes)
-ff (get bigger, 16 bytes)
-fff (larger still, 24 bytes)
-ffff (32 bytes)
etc.

That is what I implemented for 3.81.  I agree with your points and
think your way is just as good if not better.  But I've already built
the windows/linux binaries and source tarballs and am probably too
lazy to go redo it all.  -f is infrequently used anyhow, and those who
do use it should know what they're doing.  3.81 is available from the
dist directory and will be announced to nmap-hackers Monday.

Cheers,
-F
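
The 8-byte versus 16-byte point above, worked through as an added example (not part of the original message and not Nmap's code): it splits a constructed 20-byte TCP header using the 3.81 fragment sizes listed in the message and runs a filter-side check for a first fragment too short to carry the TCP flags. The function names, the sample ports and the check itself are assumptions made for illustration.

```python
import struct

TCP_FLAGS_OFFSET = 13  # index of the flags byte inside the TCP header


def build_tcp_header(sport, dport, flags=0x02, window=1024):
    """Constructed 20-byte TCP header: no options, seq/ack/checksum left at 0."""
    data_offset = 5 << 4  # header length of 5 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, window, 0, 0)


def fragment(transport, f_count):
    """Split into pieces of 8 * f_count bytes (-f = 8, -ff = 16, ...).

    Returns (offset in 8-byte units, more-fragments bit, data) tuples,
    mirroring the IP header fields a reassembler or filter would see.
    """
    size = 8 * f_count
    return [(start // 8, start + size < len(transport),
             transport[start:start + size])
            for start in range(0, len(transport), size)]


def fragment_with_flags(frags):
    """Index of the fragment whose data covers the TCP flags byte."""
    for index, (offset, _mf, data) in enumerate(frags):
        if offset * 8 <= TCP_FLAGS_OFFSET < offset * 8 + len(data):
            return index
    return None


def first_fragment_hides_flags(frags):
    """Filter-side check: offset-0 fragment ends before the flags byte."""
    for offset, more, data in frags:
        if offset == 0:
            return more and len(data) <= TCP_FLAGS_OFFSET
    return False  # first fragment not seen, nothing to judge


if __name__ == "__main__":
    header = build_tcp_header(40000, 80)  # constructed sample ports
    for f_count in (1, 2):
        frags = fragment(header, f_count)
        print(f"{8 * f_count}-byte fragments: {len(frags)} pieces, "
              f"flags in piece {fragment_with_flags(frags)}, "
              f"flagged by check: {first_fragment_hides_flags(frags)}")
```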
