Nmap Development mailing list archives

Re: dhcp script!


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 9 Sep 2009 00:10:20 +0000

On Tue, 8 Sep 2009 19:56:30 -0400
Walt Scrivens <walts () gate net> wrote:

> OK this is the last one for tonight :-)  I have a busy day tomorrow
> so I may not get back at this until Thursday.

This pcap file only contains a single packet (ICMP ECHO request).

> Eliminating the -PN gets us a MAC address - but wouldn't that have
> come from the Ping Reply packet?

The MAC has to come from ARP which your OS did for you (probably from
the ARP cache) because you used --send-ip.

> Also I don't understand why the RST,ACK followed by RST between the
> Ping Reply and the Timestamp Reply.

This isn't in your pcap.

> Also, sorry - I forgot to save only the filtered packets on the
> first few capture files.  If you set a display filter
> ip.src==192.168.1.1 or ip.dst==192.168.1.1
> That will clean things up a bit!

Wireshark has a shortcut for "ip.src==192.168.1.1 or
ip.dst==192.168.1.1" which is "ip.addr == 192.168.1.1".

Also, you can do "udp.port == 67" which will get both src and dst.

Regarding your previous pcaps that had the two "malformed" packets.
Those were the UDP probes from Nmap's -sU -p67 to try to see if 67 is
open, not from Ron's script.

Regarding the ICMP destination unreachable sent by your host, that is
from your OS.  Your OS doesn't know that you sent the DHCP request so
when it sees a response it sends that back.  It won't cause problems
with the script.

Regarding your first pcap that you did a DHCPDISCOVER in, the DHCPOFFER
that came back looks good to me.  It isn't clear why Ron's script
didn't seem to see it.

Regarding your second pcap that you did a DHCPDISCOVER in and a DHCPACK
came back, the ACK went back to your request port, not port UDP/68.
Ron's script is looking for a response back to UDP 68.

I think Ron will be able to figure out why he didn't see the correct
OFFER come back in your first pcap.

Brandon



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
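
The port mismatch described in the message above (a DHCPACK sent back to the request's source port instead of UDP/68) can be checked on captured datagrams. This is an added example, not code from the thread or from Ron's script; the packet bytes, the transaction ID and the ephemeral port 51234 are constructed sample values.

```python
import struct

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
CLIENT_PORT = 68              # port a standard DHCP client listens on

def build_udp_dhcp(sport, dport, op, xid, msg_type):
    """Construct a minimal UDP datagram carrying a DHCP message (sample data)."""
    bootp = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0) + bytes(16 + 16 + 64 + 128)
    options = bytes([53, 1, msg_type, 255])   # option 53 = message type, 255 = end
    payload = bootp + MAGIC + options
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def parse_dhcp(datagram):
    """Return (dst_port, xid, type_name) for a DHCP server reply, else None."""
    if len(datagram) < 8 + 240:
        return None
    _sport, dport, _length, _cksum = struct.unpack("!HHHH", datagram[:8])
    payload = datagram[8:]
    op, xid = payload[0], struct.unpack("!I", payload[4:8])[0]
    if op != 2 or payload[236:240] != MAGIC:  # op 2 = BOOTREPLY
        return None
    i = 240
    while i < len(payload) and payload[i] != 255:
        code = payload[i]
        if code == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):             # truncated option
            return None
        length = payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return dport, xid, DHCP_TYPES.get(payload[i + 2], "UNKNOWN")
        i += 2 + length
    return None

def missed_replies(datagrams, xid):
    """Replies to our transaction that a listener on UDP/68 would not receive."""
    parsed = [p for p in map(parse_dhcp, datagrams) if p]
    return [(name, port) for port, x, name in parsed if x == xid and port != CLIENT_PORT]

XID = 0x1234ABCD  # constructed transaction ID
CAPTURE = [       # constructed: OFFER to 68, ACK to the request port, our own DISCOVER
    build_udp_dhcp(67, 68, 2, XID, 2),
    build_udp_dhcp(67, 51234, 2, XID, 5),
    build_udp_dhcp(51234, 67, 1, XID, 1),
]
```

Here `missed_replies(CAPTURE, XID)` reports only the ACK addressed to port 51234, which is the case a listener bound to UDP/68 never sees.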

