nmap sending encapsulated packets

["Mike Lude" <mlude () pacbell net>]

I downloaded and installed the latest Windows build, and immediately 
had problems with "You requested a scan type which requires that 
WinPcap version 3.1 or higher and iphlpapi.dll be installed." 
messages. I fixed this by downloading and installing the latest 
WinPCap so I guess the nmap installer had some undetected problem.

Now with almost any scan I do (for example, 
nmap -T Aggressive -O -v 192.168.155.22) 
it says that it can't find the host, and when I add the suggested -PN 
parameter it lists all ports as filtered, even though I have a 
perfectly accessible webserver running on the host to be scanned.

So, I break out wireshark to see what's going on, and trace what nmap 
is sending and what I am receiving at the host. Every single outgoing 
packet is encapsulated, with a protocol of 0xFF. Here's a hex dump of 
the first packet sent:

0000  9c f4 20 00 03 00 03 00  03 00 00 00 08 00 45 00   
0010  00 3c 94 91 00 00 80 ff  ed 8c c0 a8 9b 3d c0 a8   
0020  9b 16 45 00 00 28 71 62  00 00 2c 06 65 c9 c0 a8   
0030  9b 3d c0 a8 9b 16 d3 0d  00 50 79 f3 1a 0a 00 00   
0040  42 ba 50 10 04 00 4a 1a  00 00                     

This matches exactly with what I see on the host being scanned.

This explains the "filtered" messages (the scanned host dropped all 
of the packets on the floor due to unrecognized protocol) but I've 
clearly got something very screwed up. What am I doing wrong?

Again, I'm on WinXP SP2 with all of the latest fixes.

/Mike Ludé

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org