Re: Status Report #16 of 17

["Luis M." <luis.mgarc () gmail com>]

Hi Jack,

Thanks a lot for looking into the problem. However, the thing is a bit
complicated. On one hand we have to allow ICMP packets from any host to
pass the BPF filter because we may get a destination unreachable message
from any box in the network. On the other hand, we want to keep per-IP
statistics and these probably include having stats from all the hosts
that send replies (we probably want to do reverse DNS resolution for
hosts that were not our original targets) .

If i got it right, your patch tries to determine the destination address
that the original IP datagram had. That is a good idea but I don't think
we should count dest unreachable msgs sent by other hosts as if we had
received them from our target. That would give us the false idea that
the target is actually replying to our probes.

What I think we should do (and I'm telling you because I'd like to know
your opinion on that) is have a separate target array so whenever we
receive an ICMP error message from a host different than our original
targets, we add an entry for it and update it's packet count. Does this
make sense?

Also, we could use your getIcmpDestAddrFromPacket() function to add new
information to the newly created host like which destination was it that
was unreachable, etc. (Well, I'll have to modify your code to include
ipv6 support and add stricter bound checks as IPv4 headers may have
options so we cannot always get the original dest IP from offset pkt+44).

Please let me know what you think.

Again, thanks for your help.

Regards,

Luis.










Jack Grahl wrote:
> Regarding detecting the right ICMP packets. The following patch worked for me, but with one problem. When printing 
> stats at the end, every ICMP packet, not just the relevant ones, was included in the RCVD stats for all targets 
> combined, although the individual host stats were correct. This is because addRecvPacket is called in line 1613 just 
> above the part I changed, regardless of the packet.
>
> I'm not sure how best to fix that, IF this is right solution.
>
> Jack
>
> --- nping/nping.cc      2009-08-11 00:00:33.000000000 +0100
> +++ nping-build/nping.cc        2009-08-09 11:54:14.000000000 +0100
> @@ -174,6 +174,7 @@
>  int do_safe_checks();
>  void test_stuff();
>  struct sockaddr_storage *getSrcSockAddrFromPacket(u8 *pkt, size_t pktLen);
> +struct sockaddr_storage *getIcmpDestAddrFromPacket(u8 *pkt, size_t pktLen);
>  u16 *getSrcPortFromPacket(u8 *pkt, size_t pktLen);
>  u8 *getTCPheaderLocation(u8 *pkt, size_t pktLen);
>  
> @@ -1619,7 +1620,11 @@
>                          trg->setProbeRecvTCP(*prt, 0);
>                  }
>              }else if (o.getMode()==ICMP){
> +             if(trg != NULL){
>                  trg->setProbeRecvICMP(0, 0);
> +             }else if (trg=o.targets.findTarget( getIcmpDestAddrFromPacket((u8*)packet, packetlen))){
> +               trg->setProbeRecvICMP(0, 0);
> +             }
>              }
>         break;
>  
> @@ -1857,6 +1862,25 @@
>  } /* End of getSrcSockAddrFromPacket() */
>  
>  
> +/** @warning Returns pointer to an internal static buffer */
> +struct sockaddr_storage *getIcmpDestAddrFromPacket(u8 *pkt, size_t pktLen){
> +
> +static struct sockaddr_storage ss;
> +struct sockaddr_in *s_ip4=(struct sockaddr_in *)&ss;
> +struct ip *i4=(struct ip*)pkt;
> +memset(&ss, 0, sizeof(struct sockaddr_storage));
> +
> +  if(pkt==NULL || pktLen < 48)
> +    return NULL;
> +
> +    s_ip4->sin_family=AF_INET;
> +    memcpy(&(s_ip4->sin_addr.s_addr), pkt+44, 4);
> +
> +  return &ss;
> +
>
>
>       
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org
>
>   


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org