Nmap Development mailing list archives
assert triggered in scan_engine.cc
From: Valentin Avram <vavram () gecadnet ro>
Date: Tue, 13 Mar 2007 23:39:08 +0200
Hello. I'm using nmap 4.20 to scan a network (Ping Scan, ARP Discovery) but at some point nmap gives an "Assertion `0' failed" in line 1682 of scan_engine.cc.

Command line: nmap -n -PR -sP 172.30.0.0/16

As far as I know, nmap should check and see what IPs reply in the range 172.30.0.0-172.30.255.255. Scanner IP (self) is 172.30.0.220.

Added -v -d4 switches and here is what I get (relevant parts, took out repetitive normal operation parts):
(running nmap -v -d4 -n -PR -sP 172.30.0.0/16 2>&1 | tee output.txt)

[start logfile]
Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-13 22:41 EET
Fetchfile found /usr/share/nmap/nmap-services
The max # of sockets we are using is: 0
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
msx-scan-delay: TCP 1000, UDP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
---------------------------------------------
Initiating ARP Ping Scan at 22:41
Scanning 220 hosts [1 port/host]
Pcap filter: arp and ether dst host 00:16:76:24:9B:D3
Packet capture filter (device eth0): arp and ether dst host 00:16:76:24:9B:D3
SENT (0.0070s) ARP who-has 172.30.0.0 tell 172.30.0.220
SENT (0.0070s) ARP who-has 172.30.0.1 tell 172.30.0.220
SENT (0.0070s) ARP who-has 172.30.0.2 tell 172.30.0.220
SENT (0.0070s) ARP who-has 172.30.0.3 tell 172.30.0.220
SENT (0.0070s) ARP who-has 172.30.0.4 tell 172.30.0.220
SENT (0.0070s) ARP who-has 172.30.0.5 tell 172.30.0.220
SENT (0.0070s) ARP who-has 172.30.0.6 tell 172.30.0.220
SENT (0.0070s) ARP who-has 172.30.0.7 tell 172.30.0.220
SENT (0.0070s) ARP who-has 172.30.0.8 tell 172.30.0.220
SENT (0.0070s) ARP who-has 172.30.0.9 tell 172.30.0.220
**TIMING STATS**: IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ccthresh/delay, timeout/srtt/rttvar/
Groupstats (220/220 incomplete): 10/*/*/*/*/* 10.00/50/* 100000/-1/-1
172.30.0.0: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.1: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.2: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.3: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.4: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.5: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.6: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.7: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.8: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.9: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.10: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.0.11: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
[snip]
Host 172.30.0.219 appears to be down.
Host 172.30.0.220 appears to be up.
Initiating ARP Ping Scan at 22:41
Scanning 2048 hosts [1 port/host]
Pcap filter: arp and ether dst host 00:16:76:24:9B:D3
Packet capture filter (device eth0): arp and ether dst host 00:16:76:24:9B:D3
SENT (2.7110s) ARP who-has 172.30.0.221 tell 172.30.0.220
SENT (2.7120s) ARP who-has 172.30.0.222 tell 172.30.0.220
SENT (2.7120s) ARP who-has 172.30.0.223 tell 172.30.0.220
SENT (2.7130s) ARP who-has 172.30.0.224 tell 172.30.0.220
SENT (2.7130s) ARP who-has 172.30.0.225 tell 172.30.0.220
SENT (2.7140s) ARP who-has 172.30.0.226 tell 172.30.0.220
SENT (2.7140s) ARP who-has 172.30.0.227 tell 172.30.0.220
SENT (2.7150s) ARP who-has 172.30.0.228 tell 172.30.0.220
SENT (2.7160s) ARP who-has 172.30.0.229 tell 172.30.0.220
SENT (2.7160s) ARP who-has 172.30.0.230 tell 172.30.0.220
**TIMING STATS**: IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ccthresh/delay, timeout/srtt/rttvar/
Groupstats (2048/2048 incomplete): 10/*/*/*/*/* 10.00/50/* 100000/-1/-1
172.30.0.221: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.222: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.223: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.224: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.225: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.226: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.227: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.228: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.229: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.230: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.231: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.0.232: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
[snip]
172.30.8.220: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
RCVD (4.8840s) ARP reply 172.30.0.242 is-at 00:13:D4:2B:0C:D1
Timeout vals: srtt: -1 rttvar: -1 to: 100000 delta 108 ==> srtt: 108 rttvar: 5000 to: 100000
Timeout vals: srtt: 932 rttvar: 2309 to: 100000 delta -824 ==> srtt: 829 rttvar: 1937 to: 100000
RCVD (4.8850s) ARP reply 172.30.0.243 is-at 00:0E:2E:7F:DC:D3
Timeout vals: srtt: -1 rttvar: -1 to: 100000 delta 110 ==> srtt: 110 rttvar: 5000 to: 100000
Timeout vals: srtt: 829 rttvar: 1937 to: 100000 delta -719 ==> srtt: 739 rttvar: 1632 to: 100000
RCVD (4.8860s) ARP reply 172.30.0.244 is-at 00:16:76:0C:3B:9F
Timeout vals: srtt: -1 rttvar: -1 to: 100000 delta 139 ==> srtt: 139 rttvar: 5000 to: 100000
Timeout vals: srtt: 739 rttvar: 1632 to: 100000 delta -600 ==> srtt: 664 rttvar: 1374 to: 100000
RCVD (4.8860s) ARP reply 172.30.0.245 is-at 00:0E:2E:83:6C:34
Timeout vals: srtt: -1 rttvar: -1 to: 100000 delta 123 ==> srtt: 123 rttvar: 5000 to: 100000
Timeout vals: srtt: 664 rttvar: 1374 to: 100000 delta -541 ==> srtt: 596 rttvar: 1165 to: 100000
RCVD (4.8870s) ARP reply 172.30.0.246 is-at 00:80:9F:34:A0:C0
Timeout vals: srtt: -1 rttvar: -1 to: 100000 delta 253 ==> srtt: 253 rttvar: 5000 to: 100000
Timeout vals: srtt: 596 rttvar: 1165 to: 100000 delta -343 ==> srtt: 553 rttvar: 959 to: 100000
SENT (4.9840s) ARP who-has 172.30.0.231 tell 172.30.0.220
SENT (4.9840s) ARP who-has 172.30.0.233 tell 172.30.0.220
SENT (4.9840s) ARP who-has 172.30.0.236 tell 172.30.0.220
SENT (4.9840s) ARP who-has 172.30.0.237 tell 172.30.0.220
SENT (5.8920s) ARP who-has 172.30.0.247 tell 172.30.0.220
SENT (5.8930s) ARP who-has 172.30.0.248 tell 172.30.0.220
SENT (5.8930s) ARP who-has 172.30.0.249 tell 172.30.0.220
SENT (5.8940s) ARP who-has 172.30.0.250 tell 172.30.0.220
SENT (5.8950s) ARP who-has 172.30.0.251 tell 172.30.0.220
SENT (5.8950s) ARP who-has 172.30.0.252 tell 172.30.0.220
SENT (5.8960s) ARP who-has 172.30.0.253 tell 172.30.0.220
SENT (5.8960s) ARP who-has 172.30.0.254 tell 172.30.0.220
SENT (5.8970s) ARP who-has 172.30.0.255 tell 172.30.0.220
SENT (5.8970s) ARP who-has 172.30.1.0 tell 172.30.0.220
SENT (5.8980s) ARP who-has 172.30.1.1 tell 172.30.0.220
SENT (5.8990s) ARP who-has 172.30.1.2 tell 172.30.0.220
SENT (5.8990s) ARP who-has 172.30.1.3 tell 172.30.0.220
SENT (5.9000s) ARP who-has 172.30.1.4 tell 172.30.0.220
SENT (5.9000s) ARP who-has 172.30.1.5 tell 172.30.0.220
SENT (5.9010s) ARP who-has 172.30.1.6 tell 172.30.0.220
**TIMING STATS**: IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ccthresh/delay, timeout/srtt/rttvar/
Groupstats (2035/2048 incomplete): 23/*/*/*/*/* 23.00/50/* 100000/553/959
172.30.0.222: 0/0/0/0/0/1 10.00/50/0 100000/-1/-1
172.30.0.224: 0/0/0/0/0/1 10.00/50/0 100000/-1/-1
172.30.0.226: 0/0/0/0/0/1 10.00/50/0 100000/-1/-1
172.30.0.227: 0/0/0/0/0/1 10.00/50/0 100000/-1/-1
172.30.0.228: 0/0/0/0/0/1 10.00/50/0 100000/-1/-1
172.30.0.230: 0/0/0/0/0/1 10.00/50/0 100000/-1/-1
172.30.0.231: 1/0/0/2/0/0 10.00/50/0 100000/-1/-1
172.30.0.233: 1/0/0/2/0/0 10.00/50/0 100000/-1/-1
172.30.0.236: 1/0/0/2/0/0 10.00/50/0 100000/-1/-1
172.30.0.237: 1/0/0/2/0/0 10.00/50/0 100000/-1/-1
172.30.0.239: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.240: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.241: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.247: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.248: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.249: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.250: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.251: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.252: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.253: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.254: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.0.255: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.1.0: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.1.1: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.1.2: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.1.3: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.1.4: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.1.5: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.1.6: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
172.30.1.7: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.1.8: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
[snip - list of IPs continues from 172.30.1.9 to 172.30.8.170 ]
172.30.8.171: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.172: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.173: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.174: 0/1/0/0/0/0 10.00/50/0 100000/-1/-nmap: scan_engine.cc:1682: bool ultrascan_port_pspec_update(UltraScanInfo*, HostScanStats*, const probespec*, int): Assertion `0' failed.
1
172.30.8.175: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.176: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.177: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.178: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.179: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.180: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.181: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.182: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.183: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.184: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.185: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.186: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.187: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.188: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.189: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.190: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.191: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.192: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.193: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.194: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.195: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.196: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.197: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.198: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.199: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.200: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.201: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.202: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.203: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.204: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.205: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.206: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.207: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.208: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.209: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.210: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.211: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.212: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.213: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.214: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.215: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.216: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.217: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.218: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.219: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
172.30.8.220: 0/1/0/0/0/0 10.00/50/0 100000/-1/-1
RCVD (5.8920s) ARP reply 172.30.0.247 is-at 00:13:D4:2A:6F:E7
Timeout vals: srtt: -1 rttvar: -1 to: 100000 delta 130 ==> srtt: 130 rttvar: 5000 to: 100000
Timeout vals: srtt: 553 rttvar: 959 to: 100000 delta -423 ==> srtt: 500 rttvar: 825 to: 100000
RCVD (5.8960s) ARP reply 172.30.0.254 is-at 00:14:C2:44:8B:72
Timeout vals: srtt: -1 rttvar: -1 to: 100000 delta 94 ==> srtt: 94 rttvar: 5000 to: 100000
Timeout vals: srtt: 500 rttvar: 825 to: 100000 delta -406 ==> srtt: 449 rttvar: 720 to: 100000
[end logfile]

Note: the assertion failed entry starts in the middle of a normal "-1" in that line, I guess because of the 2>&1 output.

I did check scan_engine.cc on that line and yes, there's an assert there in case the 3 ifs fail:

  /* Like ultrascan_port_probe_update(), except it is called with just a
     probespec rather than a whole UltraProbe.  Returns true if the port was
     added or at least the state was changed. */
  static bool ultrascan_port_pspec_update(UltraScanInfo *USI,
                                          HostScanStats *hss,
                                          const probespec *pspec,
                                          int newstate) {
    u16 portno;
    u8 proto = 0;
    int oldstate = PORT_TESTING;
    Port *currentp;
    bool swappingport = false;
    /* Whether no response means a port is open */
    bool noresp_open_scan = USI->noresp_open_scan;

    if (USI->prot_scan) {
      proto = IPPROTO_IP;
      portno = pspec->proto;
    } else if (pspec->type == PS_TCP) {
      proto = IPPROTO_TCP;
      portno = pspec->pd.tcp.dport;
    } else if (pspec->type == PS_UDP) {
      proto = IPPROTO_UDP;
      portno = pspec->pd.udp.dport;
    } else assert(0);

OK, I'm not familiar with nmap sources, but why does it do a port update since it's an ARP scan?

I searched on Google for similar errors, but all I could find is a post about the same problem in nmap 4.01 from March 2006 on this same list; however, it looks like nobody answered on the list: http://seclists.org/nmap-dev/2006/q1/0385.html

Before using 4.20, I got the same error on 4.00, but on line 1828.

Thank you for your time.

--
Valentin AVRAM
Project Team Leader
IT Security Engineer
GECAD NET
web: www.gecadnet.ro
------------------------------------
The information contained in this message is confidential and protected by law. Its validity is limited to 7 days from the moment the message was sent. The information in this message must be used only by the individual or entity to which it was addressed. If you are not the intended recipient of this message, you are hereby notified that disclosing, copying or distributing the information contained in this message is strictly prohibited. GECAD Net is not responsible for any problem arising in the transmission of the information contained in this message, nor for any delays in its receipt.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
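The "Timeout vals:" lines in the -d4 log above are the per-host and per-group round-trip estimator being updated on each ARP reply, printed in microseconds. The following C program is an added example, not part of the post and not nmap's code: it parses those lines and recomputes the right-hand side of each from the left-hand side using the TCP-style (Jacobson/Karels) smoothed-RTT update that the printed numbers are consistent with, namely srtt moving 1/8 of the way toward each new sample, rttvar moving 1/4 of the way toward |delta|, and timeout = srtt + 4*rttvar clamped to the rtt-timeouts from the timing report (min 100 ms, max 10000 ms). The initial rttvar of 5000 after a host's first sample is read off the log, not from nmap's source, and the struct and function names are mine. Running it over the sample lines copied from the post is a quick way to confirm that the timing figures in a report like this are self-consistent, so that the assert can be treated as a separate problem from the timing engine.

```c
/*
 * Added example (not from the post, not nmap's code): re-derive the
 * "Timeout vals:" lines of an nmap -d4 log from the values they print,
 * using the TCP-style smoothed-RTT estimator the numbers agree with.
 * Units are microseconds, as in the log.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RTT_TIMEOUT_MIN_US 100000L    /* timing report: "rtt-timeouts ... min 100" (ms) */
#define RTT_TIMEOUT_MAX_US 10000000L  /* timing report: "rtt-timeouts ... max 10000" (ms) */
#define RTTVAR_INIT_US     5000L      /* rttvar the log prints after a host's first sample (assumption from log) */

struct rtt_est {
    long srtt;    /* smoothed RTT, -1 before the first sample */
    long rttvar;  /* smoothed RTT deviation, -1 before the first sample */
    long timeout; /* probe timeout derived from the two */
};

/* Floor division, so negative deltas round the way an arithmetic right shift would. */
static long floordiv(long a, long b)
{
    long q = a / b;
    if ((a % b != 0) && ((a < 0) != (b < 0)))
        q--;
    return q;
}

static long clamp(long v, long lo, long hi)
{
    return v < lo ? lo : (v > hi ? hi : v);
}

/* Jacobson/Karels update: srtt += delta/8, rttvar += (|delta| - rttvar)/4,
 * timeout = srtt + 4*rttvar clamped to the configured min/max. */
void rtt_update(struct rtt_est *e, long newrtt)
{
    if (e->srtt < 0) {            /* first sample for this host */
        e->srtt = newrtt;
        e->rttvar = RTTVAR_INIT_US;
    } else {
        long delta = newrtt - e->srtt;
        e->srtt += floordiv(delta, 8);
        e->rttvar += floordiv(labs(delta) - e->rttvar, 4);
    }
    e->timeout = clamp(e->srtt + 4 * e->rttvar, RTT_TIMEOUT_MIN_US, RTT_TIMEOUT_MAX_US);
}

/* Parse one "Timeout vals:" line, recompute the values after "==>" from the
 * values before it and compare. Returns 1 if consistent, 0 if the printed
 * result differs from the recomputed one, -1 if the line is not a timing line. */
int check_timeout_line(const char *line)
{
    struct rtt_est before, after;
    long delta, newrtt;

    if (sscanf(line,
               "Timeout vals: srtt: %ld rttvar: %ld to: %ld delta %ld "
               "==> srtt: %ld rttvar: %ld to: %ld",
               &before.srtt, &before.rttvar, &before.timeout, &delta,
               &after.srtt, &after.rttvar, &after.timeout) != 7)
        return -1;

    /* For a fresh host (srtt -1) the log prints the raw sample as "delta". */
    newrtt = before.srtt < 0 ? delta : before.srtt + delta;
    rtt_update(&before, newrtt);

    return before.srtt == after.srtt && before.rttvar == after.rttvar &&
           before.timeout == after.timeout;
}

/* Check every timing line in a log excerpt; returns the number of inconsistent
 * lines and, via nchecked, how many timing lines were examined. */
int verify_timeout_lines(const char *const lines[], size_t n, int *nchecked)
{
    int bad = 0, seen = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        int r = check_timeout_line(lines[i]);
        if (r < 0)
            continue;             /* RCVD/SENT/etc., not a timing line */
        seen++;
        if (r == 0)
            bad++;
    }
    if (nchecked)
        *nchecked = seen;
    return bad;
}

/* Lines copied from the -d4 log in the post (one non-timing line included). */
const char *const SAMPLE_LOG[] = {
    "RCVD (4.8840s) ARP reply 172.30.0.242 is-at 00:13:D4:2B:0C:D1",
    "Timeout vals: srtt: -1 rttvar: -1 to: 100000 delta 108 ==> srtt: 108 rttvar: 5000 to: 100000",
    "Timeout vals: srtt: 932 rttvar: 2309 to: 100000 delta -824 ==> srtt: 829 rttvar: 1937 to: 100000",
    "Timeout vals: srtt: 829 rttvar: 1937 to: 100000 delta -719 ==> srtt: 739 rttvar: 1632 to: 100000",
    "Timeout vals: srtt: 739 rttvar: 1632 to: 100000 delta -600 ==> srtt: 664 rttvar: 1374 to: 100000",
    "Timeout vals: srtt: 664 rttvar: 1374 to: 100000 delta -541 ==> srtt: 596 rttvar: 1165 to: 100000",
    "Timeout vals: srtt: 596 rttvar: 1165 to: 100000 delta -343 ==> srtt: 553 rttvar: 959 to: 100000",
    "Timeout vals: srtt: 553 rttvar: 959 to: 100000 delta -423 ==> srtt: 500 rttvar: 825 to: 100000",
    "Timeout vals: srtt: 500 rttvar: 825 to: 100000 delta -406 ==> srtt: 449 rttvar: 720 to: 100000",
};
const size_t SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

int main(void)
{
    int checked;
    int bad = verify_timeout_lines(SAMPLE_LOG, SAMPLE_LOG_LEN, &checked);
    printf("%d timing lines checked, %d inconsistent\n", checked, bad);
    return bad != 0;
}
```

Feeding it the whole output.txt line by line instead of the embedded sample would flag any "Timeout vals:" line whose printed result does not follow from its inputs; every line in the post does, which is why the group srtt/rttvar of 553/959 shown in the last Groupstats header matches the final per-group update before it.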