Nmap Development mailing list archives

Behavior of traceroute with a non-responsive probe


From: David Fifield <david () bamsoftware com>
Date: Wed, 29 Jul 2009 13:18:09 -0600

Hi,

With the new ability to combine the -PN and -sP options, it has become
possible to run -PN -sP --traceroute. Traceroute gets its probe from the
ping and port scan results, and in this case there are none. It would
just quit with the message "no responsive probes."

Fyodor asked me to make it guess a probe in this case. I did this in
r14647, using the ICMP echo, the probe most likely to get a response in
the absence of additional information. There is a problem with this when
the target does not respond to the echo. The traceroute sends
probes with TTLs all the way up to its built-in maximum of 50, taking a
long time. www.microsoft.com is one host that doesn't respond to pings.

nmap -PN -sP --traceroute www.microsoft.com -n
TRACEROUTE (using proto 1/icmp)
HOP RTT   ADDRESS
1   0.77  192.168.0.1
2   38.76 206.81.73.81
3   38.65 206.81.73.82
4   39.28 66.54.149.185
5   39.73 63.211.250.17
6   39.15 4.68.107.190
7   40.05 4.69.132.37
8   59.33 4.69.132.106
9   54.55 4.69.145.208
10  ...
11  ...
    [Lots more lines]
49  ...
50  ...
! maximum TTL reached (50)
Nmap done: 1 IP address (1 host up) scanned in 2201.79 seconds

I propose the attached patch, which gives up after three or more probe
timeouts have occurred with hosts that don't respond to the probe. It
changes the above to

TRACEROUTE (using proto 1/icmp)
HOP RTT    ADDRESS
1   0.76   192.168.0.1
2   37.99  206.81.73.81
3   38.39  206.81.73.82
4   37.86  66.54.149.185
5   178.66 63.211.250.17
6   42.03  4.68.107.190
7   39.11  4.69.132.37
8   59.65  4.69.132.106
9   53.16  4.69.145.208
10  ...
11  ...
12  ...
13  ...
! destination not reached (207.46.19.190)
Nmap done: 1 IP address (1 host up) scanned in 300.51 seconds

This would give false results if there was a long string of hosts in the
route that don't send time exceeded messages.

David Fifield

Attachment: traceroute-unknown-limit.diff
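
The give-up rule proposed in the message, and the false result it warns about, as an added example that is not part of the original post, the attached patch, or Nmap's code. The names `trace`, `timeout_limit` and both sample paths are constructed, and the limit is assumed to count consecutive timed-out TTLs.

```cpp
#include <cstdio>
#include <string>
#include <vector>

const int MAX_TTL = 50;  // built-in maximum mentioned in the message

struct TraceResult {
    int last_ttl;        // highest TTL probed before stopping
    bool reached;        // true if the target itself answered
    std::string reason;  // why the trace stopped
};

// Constructed model: path[i] says whether TTL i+1 yields any answer; the
// last element is the target. timeout_limit <= 0 disables the give-up rule.
// Assumption: the limit counts consecutive timed-out TTLs.
TraceResult trace(const std::vector<bool>& path, int timeout_limit) {
    const int target_ttl = static_cast<int>(path.size());
    int consecutive = 0;
    for (int ttl = 1; ttl <= MAX_TTL; ++ttl) {
        // Beyond a silent target every probe also goes unanswered.
        bool answered = ttl <= target_ttl && path[ttl - 1];
        if (answered && ttl == target_ttl)
            return {ttl, true, "destination reached"};
        consecutive = answered ? 0 : consecutive + 1;
        if (timeout_limit > 0 && consecutive >= timeout_limit)
            return {ttl, false, "destination not reached"};
    }
    return {MAX_TTL, false, "maximum TTL reached"};
}

// Constructed path: TTL 1-9 answer, TTL 10-12 and the target (13) are silent.
std::vector<bool> silent_target_path() {
    std::vector<bool> p(9, true);
    p.insert(p.end(), 4, false);
    return p;
}

// Constructed path: TTL 6-8 send no time exceeded, the target (11) answers.
std::vector<bool> silent_stretch_path() {
    std::vector<bool> p(5, true);
    p.insert(p.end(), 3, false);
    p.insert(p.end(), 3, true);
    return p;
}

int main() {
    TraceResult r = trace(silent_stretch_path(), 3);
    std::printf("stopped at TTL %d: %s\n", r.last_ttl, r.reason.c_str());
}
```

With the limit at 3, the silent-target path stops at TTL 12 instead of running to 50, while the silent-stretch path stops at TTL 8 even though its target at TTL 11 would have answered.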