Nmap Development mailing list archives

Re: Dealing with initial TTLs > 255


From: David Fifield <david () bamsoftware com>
Date: Wed, 20 Jun 2007 22:54:04 -0600

Fyodor and I noticed that some OS fingerprint submissions had a
calculated TTL that was greater than 255. Values of 256, 257, 258, and
even 263 have been submitted. Values like these indicate some sort of
network shenanigans. They also hinder OS detection, because while these
initial TTLs are probably supposed to be 255, they won't match prints in
the database with the value of 255.

r4950 in /nmap-exp/soc07/nmap deals with this. It caps too-large TTLs at
255 (the most likely value, I think). If any large TTLs are found, it
marks a fingerprint as unsuitable for submission, because something
strange is probably going on in the network.

After making this change, I found that some of the reference
fingerprints in nmap-os-db have a TTL greater than 255. This appears to
be a characteristic of Cisco IOS routers and switches, for one example.
It seems to be common enough that it's worth recording these too-large
TTLs. So I have reverted the change.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
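The two policies the post describes, as an added example that is not part of the original message or of Nmap's source: an initial TTL is reconstructed by adding the measured hop count back onto the TTL seen in the reply, an estimate above 255 is flagged as impossible for an 8-bit field, and the fingerprint is then built either under the r4950 policy (cap at 255, mark unsuitable for submission) or under the reverted policy (record the value as-is). The function and field names, and the sample TTL/hop pairs, are my own constructions.

```python
# Added example, not part of the original post or of Nmap's source.
# Reconstructs the two policies described for an estimated initial TTL
# that exceeds 255: cap it at 255 and mark the fingerprint unsuitable
# for submission (r4950), or record the value as-is (the reverted
# behaviour). Names below are hypothetical, not Nmap identifiers.
from dataclasses import dataclass, field
from typing import List

TTL_MAX = 255  # the IP TTL field is 8 bits wide; no genuine initial TTL exceeds this


def estimate_initial_ttl(observed_ttl: int, hops: int) -> int:
    """Reconstruct the initial TTL by adding back one unit per hop traversed.

    observed_ttl is the TTL carried by the reply; hops is the measured
    distance to the target. Both are assumed to come from earlier probing.
    """
    if not 0 <= observed_ttl <= TTL_MAX:
        raise ValueError(f"observed TTL {observed_ttl} is not an 8-bit value")
    if hops < 0:
        raise ValueError("hop count cannot be negative")
    return observed_ttl + hops


def ttl_is_anomalous(initial_ttl: int) -> bool:
    """True when the estimate cannot be a genuine initial TTL.

    An estimate above 255 means either the hop count was overestimated or
    something on the path rewrote the TTL; either way the print is suspect.
    """
    return initial_ttl > TTL_MAX


@dataclass
class Fingerprint:
    ttls: List[int]
    suitable_for_submission: bool = True
    notes: List[str] = field(default_factory=list)


def apply_ttl_policy(estimates: List[int], cap_at_255: bool) -> Fingerprint:
    """Build a fingerprint from TTL estimates under one of the two policies."""
    fp = Fingerprint(ttls=[])
    for ttl in estimates:
        if not ttl_is_anomalous(ttl):
            fp.ttls.append(ttl)
            continue
        if cap_at_255:
            # r4950 behaviour: clamp to the most likely real value and
            # refuse to submit, since the network is probably interfering.
            fp.ttls.append(TTL_MAX)
            fp.suitable_for_submission = False
            fp.notes.append(
                f"initial TTL {ttl} capped at {TTL_MAX}; possible TTL rewriting on the path"
            )
        else:
            # Reverted behaviour: keep the over-large value, because some
            # reference prints (e.g. Cisco IOS devices) legitimately show it.
            fp.ttls.append(ttl)
            fp.notes.append(f"initial TTL {ttl} recorded as-is")
    return fp


if __name__ == "__main__":
    # Constructed sample: (TTL seen in reply, measured hop count) pairs.
    samples = [(245, 10), (250, 13), (54, 10)]
    estimates = [estimate_initial_ttl(t, h) for t, h in samples]
    print("estimates:", estimates)
    print("r4950 policy:   ", apply_ttl_policy(estimates, cap_at_255=True))
    print("reverted policy:", apply_ttl_policy(estimates, cap_at_255=False))
```

With the sample pairs above, the second estimate comes out at 263, which the capping policy rewrites to 255 while marking the print unsuitable, and the reverted policy keeps verbatim so it can still match a database entry recorded with that value.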