Nmap Development mailing list archives
Re: Raw IP NSE Functionality
From: David Fifield <david () bamsoftware com>
Date: Tue, 23 Feb 2010 20:43:29 -0700
On Tue, Feb 23, 2010 at 03:00:17PM -0600, Kris Katterjohn wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/23/2010 01:39 PM, Patrick Donnelly wrote:
>> Ok this patch wasn't quite right. I've attached a new one but I'm getting
>> some strange C++ segfault I can't figure out. I'm not going to devote any
>> more time to this since Kris has a viable patch already committed.
>
> Ah, yes, sorry about not mentioning this before you posted. I wanted to put
> it in there before I got busy today (i.e. right after I committed). I didn't
> mention it yet because I ended up finding a bug and wanted to investigate
> first. I don't know if my script is somehow wrong, if it's a bug in the pcap
> reading, or something entirely different.
>
> Using ipidseq on multiple hosts at the same time (hostgroup) somehow gives my
> script a packet with the same ipid as (what appears to be) the first packet
> read from the first host read from in the group. It's only the first one; the
> others are ipids from the real host. This sounds horribly confusing after I
> read it, so here's something better than my explanation (stripped Nmap output
> with some debugging in the script):
>
> NSE: Starting ipidseq against 192.168.10.4.
> NSE: Starting ipidseq against 192.168.10.3.
> got ipid 49992 from 192.168.10.4:21
> got ipid 49992 from 192.168.10.3:80
> got ipid 49994 from 192.168.10.3:80
> got ipid 38558 from 192.168.10.4:21
> got ipid 49996 from 192.168.10.3:80
> got ipid 38559 from 192.168.10.4:21
> got ipid 49998 from 192.168.10.3:80
> got ipid 38560 from 192.168.10.4:21
> got ipid 50000 from 192.168.10.3:80
> got ipid 38561 from 192.168.10.4:21
> got ipid 50002 from 192.168.10.3:80
> ipid #1 = 49992
> ipid #2 = 49994
> ipid #3 = 49996
> ipid #4 = 49998
> ipid #5 = 50000
> ipid #6 = 50002
> NSE: Finished ipidseq against 192.168.10.3.
> got ipid 38562 from 192.168.10.4:21
> ipid #1 = 49992
> ipid #2 = 38558
> ipid #3 = 38559
> ipid #4 = 38560
> ipid #5 = 38561
> ipid #6 = 38562
> NSE: Finished ipidseq against 192.168.10.4.
>
> Nmap scan report for 192.168.10.3
> Host script results:
> |_ipidseq: Incremental! [used port 80]
>
> Nmap scan report for 192.168.10.4
> Host script results:
> |_ipidseq: Randomized [used port 21]
>
> Notice the same "ipid #1" lines for the hosts.
I'm seeing this too.

=== 192.168.0.190:22 C0A800BE -> C0A80015 id 6583
=== 192.168.0.1:23 C0A800BE -> C0A80015 id 6583
=== 192.168.0.190:22 C0A800BE -> C0A80015 id 9671
=== 192.168.0.1:23 C0A80001 -> C0A80015 id 0
=== 192.168.0.190:22 C0A800BE -> C0A80015 id 14775
=== 192.168.0.1:23 C0A80001 -> C0A80015 id 0
=== 192.168.0.190:22 C0A800BE -> C0A80015 id 48365
=== 192.168.0.1:23 C0A80001 -> C0A80015 id 0
=== 192.168.0.190:22 C0A800BE -> C0A80015 id 30125
=== 192.168.0.1:23 C0A80001 -> C0A80015 id 0
=== 192.168.0.190:22 C0A800BE -> C0A80015 id 60377
=== 192.168.0.1:23 C0A80001 -> C0A80015 id 0

It doesn't happen every time. (The C0... above are IP addresses from the
packets.) It seems to be related to the "cancelled" message here:

NSOCK (0.2980s) PCAP requested on device 'eth0' with berkeley filter 'tcp and dst host 192.168.0.21 and src host 192.168.0.1 and src port 23' (promisc=0 snaplen=68 to_ms=200) (IOD #2)
NSOCK (0.2980s) PCAP created successfully on device 'eth0' (pcap_desc=8 bsd_hack=0 to_valid=1 l3_offset=14) (IOD #2)
SENT (1.6160s) TCP 192.168.0.21:8559 > 192.168.0.1:23 S ttl=128 id=21969 iplen=44 seq=2057940271 win=3072 <mss 1460>
NSOCK (0.2980s) Pcap read request from IOD #2 EID 21
NSOCK (1.6160s) nsock_loop() started (timeout=50ms). 2 events pending
NSOCK (1.6160s) Callback: READ-PCAP SUCCESS for EID 13
NSOCK (1.6160s) Event #21 (type READ-PCAP) cancelled

That comes from nsock_event_cancel, called from ncap_request_set_result. It
looks like the event is getting cancelled, but the result is still getting
through somehow.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
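The two symptoms in the thread, as an added example written for this archive page (Python; it is not code from the thread and not Nmap's ipidseq.nse). The class names are the ones Nmap's ipidseq prints; the numeric thresholds in classify_ipids are assumptions chosen to reproduce the results above, not Nmap's own constants. The sample data is constructed from Kris's "got ipid" lines and David's "===" lines. It shows that the single leaked first sample is what turns 192.168.10.4 from "Incremental!" into "Randomized", and that checking each received packet's IP source against the host the reader was opened for catches the leak David logged (a packet from 192.168.0.190 handed to the 192.168.0.1 reader) without depending on the pcap filter being honoured.

```python
"""Added example for the nmap-dev thread above; not code from the thread and
not Nmap's ipidseq.nse. Class names follow Nmap's ipidseq output; thresholds
are assumptions chosen to reproduce the results quoted in the thread."""
import ipaddress
import re

# Constructed from Kris's debug output: (host, ipid) in the order observed.
KRIS_SAMPLES = [
    ("192.168.10.4", 49992), ("192.168.10.3", 49992), ("192.168.10.3", 49994),
    ("192.168.10.4", 38558), ("192.168.10.3", 49996), ("192.168.10.4", 38559),
    ("192.168.10.3", 49998), ("192.168.10.4", 38560), ("192.168.10.3", 50000),
    ("192.168.10.4", 38561), ("192.168.10.3", 50002), ("192.168.10.4", 38562),
]

# Constructed from David's lines: target host:port the reader was opened for,
# then the packet's own source and destination address (hex) and its IP ID.
DAVID_LINES = """\
=== 192.168.0.190:22 C0A800BE -> C0A80015 id 6583
=== 192.168.0.1:23 C0A800BE -> C0A80015 id 6583
=== 192.168.0.190:22 C0A800BE -> C0A80015 id 9671
=== 192.168.0.1:23 C0A80001 -> C0A80015 id 0
=== 192.168.0.190:22 C0A800BE -> C0A80015 id 14775
=== 192.168.0.1:23 C0A80001 -> C0A80015 id 0
""".splitlines()


def classify_ipids(ipids):
    """Name a 16-bit IP ID sequence the way Nmap's ipidseq reports it.

    The thresholds (20000, 5120, 10, 1000) are assumptions for this example.
    """
    if len(ipids) < 2:
        return "Unknown"
    if all(i == 0 for i in ipids):
        return "All zeros"
    if all(i == ipids[0] for i in ipids):
        return "Constant"
    # Differences modulo 2^16, so a legitimate wrap (65535 -> 0) is a +1 step.
    diffs = [(b - a) % 0x10000 for a, b in zip(ipids, ipids[1:])]
    # One huge jump (49992 -> 38558 is 54102 mod 2^16) is enough to call
    # the whole sequence randomized, which is what the thread's output shows.
    if any(d > 20000 for d in diffs):
        return "Randomized"
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "Broken little-endian incremental!"
    if all(d <= 10 for d in diffs):
        return "Incremental!"
    if all(d < 1000 for d in diffs):
        return "Random positive increments"
    return "Busy server or unknown class"


def classify_per_host(samples, drop_first=False):
    """Group (host, ipid) samples by host and classify each host's sequence.

    drop_first=True discards each host's first sample, which is where the
    cross-host leak described in the thread lands.
    """
    by_host = {}
    for host, ipid in samples:
        by_host.setdefault(host, []).append(ipid)
    return {h: classify_ipids(ids[1:] if drop_first else ids)
            for h, ids in by_host.items()}


LINE_RE = re.compile(
    r"^=== (?P<target>\d+\.\d+\.\d+\.\d+):\d+ (?P<src>[0-9A-Fa-f]{8}) -> "
    r"(?P<dst>[0-9A-Fa-f]{8}) id (?P<id>\d+)$")


def hex_ip(h):
    """C0A800BE -> '192.168.0.190'."""
    return str(ipaddress.IPv4Address(int(h, 16)))


def find_stray_packets(lines):
    """Return (target, actual source, ipid) for every packet whose IP source
    is not the host the reader was supposed to be listening for."""
    stray = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src = hex_ip(m["src"])
        if src != m["target"]:
            stray.append((m["target"], src, int(m["id"])))
    return stray


if __name__ == "__main__":
    print(classify_per_host(KRIS_SAMPLES))
    print(classify_per_host(KRIS_SAMPLES, drop_first=True))
    print(find_stray_packets(DAVID_LINES))
```

A script that collects raw packets for several hosts in one hostgroup can apply the find_stray_packets check to the decoded IP header of each packet it receives and discard anything whose source is not the host it is probing; that bounds the damage of a mis-delivered read to a lost sample rather than a wrong classification.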
Current thread:
- Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...), (continued)
- Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...) Kris Katterjohn (Feb 17)
- error compiling 5.21 Mike Calmus (Feb 20)
- Re: error compiling 5.21 David Fifield (Feb 22)
- Re: error compiling 5.21 Mike Calmus (Feb 23)
- Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...) Patrick Donnelly (Feb 17)
- Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...) Kris Katterjohn (Feb 17)
- Re: Raw IP NSE Functionality David Fifield (Feb 23)
- Re: Raw IP NSE Functionality Patrick Donnelly (Feb 23)
- Re: Raw IP NSE Functionality Patrick Donnelly (Feb 23)
- Re: Raw IP NSE Functionality Kris Katterjohn (Feb 23)
- Re: Raw IP NSE Functionality David Fifield (Feb 23)
- Re: Raw IP NSE Functionality David Fifield (Feb 25)
- Re: Raw IP NSE Functionality Kris Katterjohn (Feb 25)
- pcap_register David Fifield (Feb 25)
- Re: pcap_register majek04 (Feb 26)
- Re: pcap_register Kris Katterjohn (Feb 26)
- Re: Raw IP NSE Functionality kx (Feb 25)
- Re: Raw IP NSE Functionality David Fifield (Feb 25)
- Re: Raw IP NSE Functionality Kris Katterjohn (Feb 26)