Nmap Development mailing list archives
Re: Qscan in NSE: qscan.nse
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sun, 21 Mar 2010 15:08:14 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/20/2010 11:10 PM, David Fifield wrote:
On Fri, Mar 19, 2010 at 12:09:20PM -0500, Kris Katterjohn wrote:So any report on how the script is actually working? If more changes are wanted, I'll stick it in nmap-exp/kris somewhere to avoid any more attachments.It looks good to commit to me, just with some more documentation. Most important is a section on how to interpret the results. Explain what it means for ports to be in different "families." Document what the units are in the MEAN column (milliseconds?), or even better, just put "ms" in the output table. There should be a paragraph explaining what's going on: mean and stddev of RTT are calculated over multiple sends to a port. I don't think a reference to the Student's t-test is out of place, as long as it's not in the first paragraph. Also mention that it tests both open and closed ports--that surprised me at first.
OK, these changes sound good and I've committed the updated script. Here's the description now: Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups (or "families") may be due to network mechanisms such as port forwarding to machines behind a NAT. In order to group these ports into different families, some statistical values must be computed. Among these values are the mean and standard deviation of the round-trip times for each port. Once all of the times have been recorded and these values have been computed, the Student's t-test is used to test the statistical significance of the differences between each port's data. Ports which have round-trip times that are statistically the same are grouped together in the same family. This script is based on Doug Hoyte's Qscan documentation and patches for Nmap.
Oh, and the script arguments should be qualified with a "qscan." prefix.
I assume you mean just in the docs, which I did update. In ipidseq and qscan I do like this to handle args (I don't know what others do): for _, k in ipairs({"qscan.confidence", "confidence"}) do if nmap.registry.args[k] then conf = tonumber(nmap.registry.args[k]) break end end
David Fifield
Cheers, Kris Katterjohn -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIcBAEBAgAGBQJLpnytAAoJEEQxgFs5kUfuQzwP/1nKET1QpGHX0JMZTMTkDsUw gCFH+m354swOmtvnVyrEoliEkE7hBeFzQSq78sxOOxXd/Y2Bg4wfucHOjn8NO28h lS9JSJo6rLvmhWUDSWWjb/etqnHK4Nfv0RlbafiAPfRRhYe/q1d0KIkfp6EkVNMM QLf7HQ4QqVcIdsvnMFj/KMqa00uX/rJ7KWrA5WbbsH1dFkdqEA9lWp2pgMivojdO G3v526+RYWQjaycj9r9/xBDsgILVF6Qm+JEDiaBRNbGAjTmSvwiO9p6fKfHkQXNC 87Z8p1PpfpBsYbZIZODE7of3evRGS8LzvLDIJIMcEmQMyKHE/YmQ+rKdJZR6L4BE OY1qkbD4y0m33YY9tLNgHIkbSeraBxDOMA2keQbRQIusV5Rh55kC8JTvQ3mDrP99 gyCOJR/+4YY7aZqEZnf8M23tRWrciaZjSunfYiSSf0yvFfI4aqvAWG16+Zaj1qlk PDYfIL2QuuA2zrImcmfgD52Rpr32T87kxh51Bywk7CkpWENIsCrEiNy5BqV+WwUY IaR2eyec+Iz/cIluRs8QGym+c/OQo00vp1I/OfYFhJwrROhltsFMtPEOKUi+Fv9X HLi6JaByQXKEwvX3WL2mjlEaHcC4t9RDJy4YAdQ9BcdNgBhtK+HpjziJFLZPe32o pOXX+c0uqi2bxWhPs27m =o1D/ -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: [NSE] script idea: identify ports behind a NAT, (continued)
- Re: [NSE] script idea: identify ports behind a NAT Kris Katterjohn (Mar 17)
- Qscan in NSE: qscan.nse Kris Katterjohn (Mar 17)
- Re: Qscan in NSE: qscan.nse Kris Katterjohn (Mar 17)
- Re: Qscan in NSE: qscan.nse Ron (Mar 17)
- Re: Qscan in NSE: qscan.nse Kris Katterjohn (Mar 17)
- Re: Qscan in NSE: qscan.nse Ron (Mar 18)
- Re: Qscan in NSE: qscan.nse Fyodor (Mar 20)
- Re: Qscan in NSE: qscan.nse Ron (Mar 19)
- Re: Qscan in NSE: qscan.nse Kris Katterjohn (Mar 19)
- Re: Qscan in NSE: qscan.nse David Fifield (Mar 20)
- Re: Qscan in NSE: qscan.nse Kris Katterjohn (Mar 21)
- Re: Qscan in NSE: qscan.nse Arturo 'Buanzo' Busleiman (Mar 20)
- Re: Qscan in NSE: qscan.nse Arturo 'Buanzo' Busleiman (Mar 18)
- Re: Qscan in NSE: qscan.nse doug (Mar 20)
- Re: Qscan in NSE: qscan.nse Arturo 'Buanzo' Busleiman (Mar 20)
- Re: Qscan in NSE: qscan.nse Kris Katterjohn (Mar 21)
- Qscan against localhost David Fifield (Mar 20)
- Re: Qscan in NSE: qscan.nse jah (Mar 21)
- Re: Qscan in NSE: qscan.nse Kris Katterjohn (Mar 21)
- Re: Qscan in NSE: qscan.nse jah (Mar 22)
- Re: Qscan in NSE: qscan.nse Ron (Mar 22)