Nmap Development mailing list archives

Re: SoC: port state reasons


From: Martin Mačok <martin.macok () underground cz>
Date: Sat, 10 Jun 2006 12:14:01 +0200

On Fri, Jun 09, 2006 at 03:14:14PM -0700, Fyodor wrote:

> > Also one last question, I am severely limited on what reasons
> > I can get from a connect scan.
>
> You should be able to distinguish the RST, SYN/ACK, and no-response
> cases.  You may not be able to distinguish between some of the
> different ICMP errors so you may have to add an extra reason code
> for those ICMP errors you cannot distinguish.

With Connect scan you can't even distinguish between RST and some ICMP
Port Unreachable, see

http://Xtrmntr.org/ORBman/tmp/nmap/nmap-3.95-CONNECT-closedfiltered.patch

> A reason for the host status (e.g. why was the host considered "up"
> or "down") should be created too.  That would presumably use the
> same set of codes (though you'd have to add one for ARP).  It should
> support the "from" and "ttl" fields where relevant.

It would be good to not limit it to just those two fields ... IP ID,
MSS, Timestamp or something else could be interesting too. What about
using p0f for RST packet fingerprinting?

Martin Mačok
ICT Security Consultant


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
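
The connect-scan limitation discussed in this message, as an added example that is not part of the original post and is not Nmap's code: a non-blocking connect() probe can only report what the socket layer returns in errno, and on Linux an RST and an ICMP port unreachable both surface as ECONNREFUSED, so they share one reason code. The enum names, `probe` and `loopback_demo` are hypothetical, and the target is a constructed loopback listener.

```c
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical reason codes: only what a connect() scan can actually tell apart. */
enum reason { R_SYNACK, R_RST_OR_PORT_UNREACH, R_HOST_UNREACH, R_NET_UNREACH, R_NO_RESPONSE, R_OTHER };

/* Linux reports an RST and an ICMP port unreachable as the same errno (ECONNREFUSED). */
enum reason reason_from_errno(int err) {
    switch (err) {
    case 0:            return R_SYNACK;              /* handshake completed */
    case ECONNREFUSED: return R_RST_OR_PORT_UNREACH; /* ambiguous by construction */
    case EHOSTUNREACH: return R_HOST_UNREACH;        /* ICMP host unreachable */
    case ENETUNREACH:  return R_NET_UNREACH;         /* ICMP net unreachable or no route */
    case ETIMEDOUT:    return R_NO_RESPONSE;         /* nothing came back in time */
    default:           return R_OTHER;               /* extra code for everything else */
    }
}

/* Non-blocking connect() to sa; wait up to timeout_ms, then read SO_ERROR. */
enum reason probe(const struct sockaddr_in *sa, int timeout_ms) {
    int err = 0, fd = socket(AF_INET, SOCK_STREAM, 0);
    socklen_t len = sizeof err;
    if (fd < 0) return R_OTHER;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    if (connect(fd, (const struct sockaddr *)sa, sizeof *sa) < 0 && (err = errno) == EINPROGRESS) {
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        fd_set w; FD_ZERO(&w); FD_SET(fd, &w);
        int n = select(fd + 1, NULL, &w, NULL, &tv);
        if (n > 0) getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len); else err = n ? errno : ETIMEDOUT;
    }
    close(fd);
    return reason_from_errno(err);
}

/* Constructed target: a loopback listener on an ephemeral port, optionally closed first. */
enum reason loopback_demo(int close_first) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0
        || getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return R_OTHER;
    if (close_first) close(fd);            /* the port is now closed: expect a refusal */
    enum reason r = probe(&sa, 1000);
    if (!close_first) close(fd);
    return r;
}
```

`loopback_demo(0)` probes an open port and `loopback_demo(1)` a closed one; the "from" and "ttl" fields mentioned above are not available at this layer, since connect() never exposes the responding packet.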

