Nmap Development mailing list archives

Re: Payload Hexdump in --packet-trace and -d4 output


From: jrf <jay.fink () gmail com>
Date: Wed, 2 Jun 2010 15:52:33 -0400

Hi Luis, 

I replied in kind.

On Wed, Jun 02, 2010 at 09:31:11PM +0200, Luis MartinGarcia. wrote:

I think letting users see the hex dump is a really good idea. Nping does
this already if verbosity level is high enough. As far as I know, Nmap
is supposed to print the hexdump of captured packets, but I've been
testing it and it doesn't (we'll have to check with David).

I claim patent protection as I didn't look :D
Just kidding, I will look at this but I think there might be some
subtle difference.

However, what I was going to say is that there is already a function in
nmap that lets you print the raw hex of a buffer. I wrote a generic
function for nbase called hexdump() and then, there is a wrapper for it
in nmap/utils.cc, called nmap_hexdump().

So, maybe it's better to use nmap_hexdump() instead of your
implementation because this has been discussed already [1].

Definitely yes, again I didn't look - I literally took David's code
and copied it. I think the difference might be that in print_hexdump
we are printing the length too? But I will need to take a closer look.

Apart from that, I'd like to know your opinion on this. Do you think we
should just print the payload, or better print the whole packets that
Nmap sends? Maybe we could add a call to nmap_hexdump() right before
calling functions like send_ip_packet() or maybe even inside those
functions (as they already depend on the NmapOps object, and therefore
are not reusable for the other tools). What do you guys think? Pros and cons?

That is a good question. I tend to go with the Unix philosophy of be
as loud as we want. In other words make printing the payload one level
and the entire packet another.

So for instance (but not authortatively (sp?)):
 --packet-trace -d4 would do UDP payload 
 --packet-trace -d5 (or some higher number) would do UDP payload +
full packet.

Thanks!
 j

On 06/02/2010 07:24 PM, jrf wrote:
All,

Attached is a patch of perhaps limited interest. While testing the
payloads from a file code, David wrote a nice print function to dump
out the UDP payload. I thought it would be cool if we could include
this as part of a trace/debug output. I adapted David's function and
have attached it for anyone interested. Note this should be printing
all UDP payloads not just those we load up from the file. 

Per David's suggestion, to invoke this, type:

 nmap -sU --packet-trace -d4 [host[s] spec]

For speedier test results I suggest using --top-ports<=64

Comments, suggestions, bricks all welcome.


Thanks,
 j

Index: utils.h
===================================================================
--- utils.h     (revision 17780)
+++ utils.h     (working copy)
@@ -240,4 +240,5 @@
 int win32_munmap(char *filestr, int filelen);
 #endif /* WIN32 */
 
+void print_hexdump(const unsigned char *data, size_t len); /* XXX jrf
UDPPrint */
 #endif /* UTILS_H */
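Review bot: the print_hexdump() prototype added to utils.h introduces a second hexdump routine alongside nmap_hexdump(), which Luis's reply in this thread says already wraps nbase's hexdump() in utils.cc. Consider calling nmap_hexdump() from the scan engine and dropping this declaration. If the prototype stays, replace the "XXX jrf UDPPrint" marker with a comment that documents the output format and the fact that the function writes to stdout.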
Index: utils.cc
===================================================================
--- utils.cc    (revision 17780)
+++ utils.cc    (working copy)
@@ -925,3 +925,32 @@
 }
 
 #endif
+
+/* XXX jrf - UDP Printer */
+void print_hexdump (const unsigned char *data, size_t len) {
+  unsigned int i, j;
+
+  i = 0;
+  while (i < len) {
+    printf("%04X ", i);
+    for (j = 0; j < 16; j++) {
+      if (j == 8)
+        printf(" ");
+      if (i + j < len)
+        printf(" %02X", data[i + j]);
+      else
+        printf("   ");
+    }
+    printf("  ");
+    for (j = 0; j < 16; j++) {
+      if (j == 8)
+        printf(" ");
+      if (i + j < len)
+        printf("%c", isprint(data[i + j]) ? data[i + j] : '.');
+      else
+        printf(" ");
+    }
+    i += j;
+    printf("\n");
+  }
+}
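Review bot: in print_hexdump(), "unsigned int i, j;" is compared against and advanced toward a size_t len, so on platforms where size_t is wider than unsigned int the offset wraps for a very large buffer and "i < len" never becomes false. Declare both counters as size_t and print the offset with a matching format (for example a cast to unsigned long with %04lX). The function also writes with printf() directly, so the dump only ever goes to stdout, and the hunk calls isprint() without showing an include of <ctype.h>, so confirm utils.cc already pulls it in.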
Index: scan_engine.cc
===================================================================
--- scan_engine.cc      (revision 17780)
+++ scan_engine.cc      (working copy)
@@ -3193,6 +3193,10 @@
 
     payload = get_udp_payload(pspec->pd.udp.dport, &payload_length);
 
+    /* XXX jrf UDP payload print */
+    if ((o.packetTrace()) && (o.debugging > 3)) 
+      print_hexdump((unsigned char *) payload, payload_length);
+
     for(decoy = 0; decoy < o.numdecoys; decoy++) {
       packet = build_udp_raw(&o.decoys[decoy],
hss->target->v4hostip(),
                             o.ttl, ipid, IP_TOS_DEFAULT, false,
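Review bot: the print_hexdump() call added before the decoy loop emits the payload bytes with no label, so in a multi-port -sU run the dump cannot be matched to the probe it belongs to. Print a header line with pspec->pd.udp.dport and payload_length first, and skip the call when payload_length is 0 so empty probes do not add noise. The cast "(unsigned char *) payload" should be "(const unsigned char *)" to match the prototype, and the threshold in "o.debugging > 3" deserves a comment, since the thread is still discussing which debug level shows the payload and which shows the full packet.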

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  
