Nmap Development mailing list archives
Re: BUG: nping overflow
From: David Fifield <david () bamsoftware com>
Date: Fri, 23 Apr 2010 07:20:58 -0600
On Mon, Apr 19, 2010 at 11:36:28PM +0200, miniBill wrote:
> Version: 0.5.30BETA1 [compiled]
> OS: Ubuntu Lucid Lynx [with a personalized set of packets installed]
>
> How to reproduce:
> =============
> ./nping --udp -p 53 felix.nmap.org
> --wait a few seconds--
> sudo ./nping --udp -p 53 felix.nmap.org
>
> What happens:
> ===========
> The first nping signals a 100% loss [apparently being unprivileged means I get no packets].
> The second run gets the packets of the first run [just guessing] and goes overflow

Here's what your logs show:

    $ ./nping --udp -p 53 felix.nmap.org
    Starting Nping 0.5.30BETA1 ( http://nmap.org/nping ) at 2010-04-19 23:12 CEST
    SENT (0.0000s) UDP packet with 4 bytes to felix.nmap.org:53 (64.13.134.48:53)
    SENT (1.0010s) UDP packet with 4 bytes to felix.nmap.org:53 (64.13.134.48:53)
    SENT (2.0020s) UDP packet with 4 bytes to felix.nmap.org:53 (64.13.134.48:53)
    SENT (3.0030s) UDP packet with 4 bytes to felix.nmap.org:53 (64.13.134.48:53)
    SENT (4.0040s) UDP packet with 4 bytes to felix.nmap.org:53 (64.13.134.48:53)

    $ sudo ./nping --udp -p 53 felix.nmap.org
    Starting Nping 0.5.30BETA1 ( http://nmap.org/nping ) at 2010-04-19 23:13 CEST
    SENT (0.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=52878 iplen=28
    RCVD (0.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=52878 iplen=28
    RCVD (0.7630s) UDP 192.168.1.4:48180 > 216.239.36.10:53 ttl=64 id=37617 iplen=80
    RCVD (0.8120s) UDP 192.168.1.4:54660 > 216.239.36.10:53 ttl=64 id=37618 iplen=80
    RCVD (0.8640s) UDP 192.168.1.4:29937 > 216.239.32.10:53 ttl=64 id=1187 iplen=80
    SENT (1.0070s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=3127 iplen=28
    RCVD (1.0070s) UDP 192.168.1.4:22781 > 216.239.34.10:53 ttl=64 id=10654 iplen=80
    RCVD (1.0070s) UDP 192.168.1.4:17586 > 216.239.38.10:53 ttl=64 id=6261 iplen=80
    SENT (2.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=59537 iplen=28
    RCVD (2.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=3127 iplen=28
    RCVD (2.0080s) UDP 192.168.1.4:48831 > 199.7.83.42:53 ttl=64 id=39759 iplen=71

I don't think anything is overflowing, nor is the second scan getting replies from the first. There are no replies, which is typical for UDP ping. Instead, it looks like Nping is not applying a restrictive enough packet filter, so it is printing UDP packets with destination port 53, regardless of source.

The RCVD line here is picking up the same packet as in the SENT line, the one you sent:

    SENT (0.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=52878 iplen=28
    RCVD (0.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=52878 iplen=28

The other RCVDs look like your machine making normal domain name queries to different servers.

    RCVD (0.7630s) UDP 192.168.1.4:48180 > 216.239.36.10:53 ttl=64 id=37617 iplen=80
    RCVD (0.8120s) UDP 192.168.1.4:54660 > 216.239.36.10:53 ttl=64 id=37618 iplen=80
    RCVD (0.8640s) UDP 192.168.1.4:29937 > 216.239.32.10:53 ttl=64 id=1187 iplen=80
    RCVD (1.0070s) UDP 192.168.1.4:22781 > 216.239.34.10:53 ttl=64 id=10654 iplen=80
    RCVD (1.0070s) UDP 192.168.1.4:17586 > 216.239.38.10:53 ttl=64 id=6261 iplen=80
    RCVD (2.0080s) UDP 192.168.1.4:48831 > 199.7.83.42:53 ttl=64 id=39759 iplen=71

Those IP addresses are

    ns3.google.com (216.239.36.10)
    ns1.google.com (216.239.32.10)
    ns2.google.com (216.239.34.10)
    ns4.google.com (216.239.38.10)
    l.root-servers.net (199.7.83.42)

So Luis, I think you want to check out the filter code.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
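
The classification described in the message above, as an added example that is not part of the original post or of Nping's code: it parses SENT/RCVD lines and labels each RCVD as an echo of the sender's own probe, unrelated local traffic, or a reply from the target. The function names, the final constructed log line, and the pcap-filter expression (which covers UDP replies only, not ICMP errors) are assumptions for illustration.

```python
import re

# Lines copied from the privileged run quoted above, plus one CONSTRUCTED
# reply (last line) so that the "reply" case is exercised.
LOG = """\
SENT (0.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=52878 iplen=28
RCVD (0.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=52878 iplen=28
RCVD (0.7630s) UDP 192.168.1.4:48180 > 216.239.36.10:53 ttl=64 id=37617 iplen=80
SENT (1.0070s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=3127 iplen=28
RCVD (2.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=3127 iplen=28
RCVD (2.0080s) UDP 192.168.1.4:48831 > 199.7.83.42:53 ttl=64 id=39759 iplen=71
RCVD (2.0500s) UDP 64.13.134.48:53 > 192.168.1.4:53 ttl=52 id=4242 iplen=28
"""

LINE = re.compile(
    r"(SENT|RCVD) \([\d.]+s\) UDP ([\d.]+):(\d+) > ([\d.]+):(\d+) ttl=\d+ id=(\d+)"
)

def classify(log):
    """Label every RCVD line as own-probe, reply, or unrelated."""
    probes, flows, out = set(), set(), []
    for kind, src, sport, dst, dport, ipid in LINE.findall(log):
        flow = (src, sport, dst, dport)
        if kind == "SENT":
            probes.add(flow + (ipid,))   # exact packet we put on the wire
            flows.add(flow)              # its 4-tuple, used to match replies
        elif flow + (ipid,) in probes:
            out.append((ipid, "own-probe"))   # capture saw our outgoing packet
        elif (dst, dport, src, sport) in flows:
            out.append((ipid, "reply"))       # reversed 4-tuple: target answering
        else:
            out.append((ipid, "unrelated"))   # e.g. the host's own DNS lookups
    return out

def reply_filter(src, sport, dst, dport):
    """pcap-filter expression for UDP replies to a probe src:sport > dst:dport.
    Assumed for illustration; not Nping's actual filter."""
    return (f"udp and src host {dst} and src port {dport} "
            f"and dst host {src} and dst port {sport}")

if __name__ == "__main__":
    for ipid, label in classify(LOG):
        print(ipid, label)
    print(reply_filter("192.168.1.4", "53", "64.13.134.48", "53"))
```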