Nmap Development mailing list archives

Re: Nmap 4.20ALPHA5: Unable to produce ideal -O2 tests ?


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 01 Sep 2006 03:54:20 +0000

On Thu, 2006-08-31 at 20:30 -0700, Fyodor wrote:
On Fri, Sep 01, 2006 at 03:18:16AM +0000, Brandon Enright wrote:
...snip...

Oops.  We changed the limit (these rules are all in
FingerPrintResults.cc OmitSubmissionFP()) from 15 to 10 hops, but
forgot to update the message.  I just fixed that for the next version.
We're worried about problems related to asymmetric routing if we take
fingerprints from hosts too many hops away.  We may relax the rules a
bit, but they are currently quite strict to ensure a high quality DB.

Makes sense.  Reducing it even further (say 5) would probably force
people to only scan networks they have control over and should take odd
ISP routing, shaping, and fake RST or SYN/ACK responses out of the
picture.


The other machines I've tested (localhost, other machines 1 or 2 hops
away) all produce this output:

"OS fingerprint not ideal because: maxTimingRatio is greater than 1.4"

Interesting.  Would you find an open and a closed port on a target
which does that, then run "nmap -p[openport],[closedport]
--packet-trace -d -O2 [target]" and send me the output?

Attached is a scan from 192.168.0.100 to 192.168.0.106.  I threw -n
and -P0 in there to reduce the amount of crap you have to look at.

You can
change the IPs to "src" and "target".  That ought to help me figure
out why the timing isn't working right.  How many hosts are you
scanning at once?  Maybe it will work if you scan them one at a time
(but I still want to fix it, so if you could still send me a
--packet-trace of a problematic run that would be great).

I was only scanning one host each time -- too many variables with more
than one.

Brandon

Attachment: sample.txt

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org