Nmap Development mailing list archives

Re: suggestion to nping


From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Tue, 06 Apr 2010 10:13:26 +0200

Hi Andreas,

Yes, Nping always returns 0 in that case because no matter what the
state of the target host was, the execution was successful. It only
returns 1 when an actual error was found (some command-line argument was
wrong, some syscall failed, etc).

What you can do is to parse Nping's output. Let me show you an example.

I set up an instance of ncat on one side so it listens on port 9999
(ncat -l 9999 -k -vv -C). Then I just tell nping to send TCP SYN packets
to port 9999. Obviously, as ncat is listening on port 9999, TCP SYN
packets get TCP SYN|ACK packets in reply. However, if I kill the ncat in
the middle of the process, we don't get SYN|ACK's anymore, we just get
SYN|RST. Here is the output (I ran both programs in parallel, of course):


luis@Aberdeen:~$ ncat -l 9999 -k -vv -C
Ncat: Version 5.21 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:9999
^C
luis@Aberdeen:~$


luis@Aberdeen:~$ sudo nping localhost -p9999 --tcp -c0

Starting Nping 0.5.30BETA1 ( http://nmap.org/nping ) at 2010-04-06 10:04
CEST
SENT (0.0670s) TCP 127.0.0.1:1746 > 127.0.0.1:9999 S ttl=64 id=13695
iplen=40  seq=824123127 win=1480
RCVD (0.0670s) TCP 127.0.0.1:9999 > 127.0.0.1:1746 SA ttl=64 id=0
iplen=44  seq=1776595668 win=32792 <mss 16396>
SENT (1.0660s) TCP 127.0.0.1:1746 > 127.0.0.1:9999 S ttl=64 id=50478
iplen=40  seq=824123127 win=1480
RCVD (1.0670s) TCP 127.0.0.1:9999 > 127.0.0.1:1746 SA ttl=64 id=0
iplen=44  seq=1792211320 win=32792 <mss 16396>

[ HERE IS WHEN I PRESSED CTRL-C IN NCAT ]

SENT (2.0680s) TCP 127.0.0.1:1746 > 127.0.0.1:9999 S ttl=64 id=65404
iplen=40  seq=824123127 win=1480
RCVD (2.0680s) TCP 127.0.0.1:9999 > 127.0.0.1:1746 RA ttl=64 id=0
iplen=40  seq=0 win=0
SENT (3.0690s) TCP 127.0.0.1:1746 > 127.0.0.1:9999 S ttl=64 id=54997
iplen=40  seq=824123127 win=1480
RCVD (3.0690s) TCP 127.0.0.1:9999 > 127.0.0.1:1746 RA ttl=64 id=0
iplen=40  seq=0 win=0
SENT (4.0700s) TCP 127.0.0.1:1746 > 127.0.0.1:9999 S ttl=64 id=19692
iplen=40  seq=824123127 win=1480
RCVD (4.0700s) TCP 127.0.0.1:9999 > 127.0.0.1:1746 RA ttl=64 id=0
iplen=40  seq=0 win=0
^C
Max rtt: 0.099ms | Min rtt: 0.076ms | Avg rtt: 0.081ms
Raw packets sent: 5 (200B) | Rcvd: 5 (208B) | Lost: 0 (0.00%)
Tx time: 4.66808s | Tx bytes/s: 42.84 | Tx pkts/s: 1.07
Rx time: 4.66807s | Rx bytes/s: 44.56 | Rx pkts/s: 1.07
Nping done: 1 IP address pinged in 4.74 seconds
luis@Aberdeen:~$


So, I'm sure one can come up with a way to grep nping's output or parse
it somehow and detect when the "SA" (SYN|ACK) turns into "RA" (RST|ACK),
or more probably, when we only see SENT packets (because no RST|ACK
comes back to us).

All you need is to figure out a regular expression in a smart way so you
can "$: nping | grep | whatever" and get the desired result.

Hope this helps.

Regards,

Luis MartinGarcia.
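One way to do the parsing Luis describes, as an added example that is not part of this thread or of Nping itself: a small Python script that pairs each SENT line with its RCVD reply, classifies the reply flags (SA = open, RA = closed, nothing = no reply) and reports every change of state. The sample output is constructed from the transcript above, one packet per line, with two trailing unanswered SENT lines added to show the no-reply case.

```python
import re

# Constructed sample of Nping's output, from the transcript above with one packet per
# line (the list archive wrapped them); the last two unanswered SENT lines are constructed.
SAMPLE_OUTPUT = """\
Starting Nping 0.5.30BETA1 ( http://nmap.org/nping ) at 2010-04-06 10:04 CEST
SENT (0.0670s) TCP 127.0.0.1:1746 > 127.0.0.1:9999 S ttl=64 id=13695 iplen=40  seq=824123127 win=1480
RCVD (0.0670s) TCP 127.0.0.1:9999 > 127.0.0.1:1746 SA ttl=64 id=0 iplen=44  seq=1776595668 win=32792 <mss 16396>
SENT (1.0660s) TCP 127.0.0.1:1746 > 127.0.0.1:9999 S ttl=64 id=50478 iplen=40  seq=824123127 win=1480
RCVD (1.0670s) TCP 127.0.0.1:9999 > 127.0.0.1:1746 SA ttl=64 id=0 iplen=44  seq=1792211320 win=32792 <mss 16396>
SENT (2.0680s) TCP 127.0.0.1:1746 > 127.0.0.1:9999 S ttl=64 id=65404 iplen=40  seq=824123127 win=1480
RCVD (2.0680s) TCP 127.0.0.1:9999 > 127.0.0.1:1746 RA ttl=64 id=0 iplen=40  seq=0 win=0
SENT (3.0690s) TCP 127.0.0.1:1746 > 127.0.0.1:9999 S ttl=64 id=54997 iplen=40  seq=824123127 win=1480
SENT (4.0700s) TCP 127.0.0.1:1746 > 127.0.0.1:9999 S ttl=64 id=19692 iplen=40  seq=824123127 win=1480
"""
# Packet lines only; the "Starting Nping", statistics and "Nping done" lines do not match.
PACKET_RE = re.compile(r"^(SENT|RCVD) \((\d+\.\d+)s\) TCP \S+ > \S+ ([A-Z]+) ")

def classify(flags):
    """Map the flags of the reply to a SYN probe (None = no reply) to a port state."""
    if flags is None:
        return "no-reply"              # only a SENT line: host down or filtered
    if "R" in flags:
        return "closed"                # RST or RST|ACK: nothing listening
    if "S" in flags and "A" in flags:
        return "open"                  # SYN|ACK: a listener accepted the SYN
    return "other:" + flags

def parse_probes(text):
    """One (send_time, state) per SENT line; a RCVD line belongs to the latest unanswered SENT."""
    probes = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        kind, t, flags = m.group(1), float(m.group(2)), m.group(3)
        if kind == "SENT":
            probes.append([t, None])
        elif probes and probes[-1][1] is None:
            probes[-1][1] = flags
    return [(t, classify(flags)) for t, flags in probes]

def state_changes(probes):
    """(time, old_state, new_state) for every probe whose state differs from the previous one."""
    changes, prev = [], None
    for t, state in probes:
        if prev is not None and state != prev:
            changes.append((t, prev, state))
        prev = state
    return changes
```

The regular expression assumes the per-packet line format of the 0.5.30BETA1 output shown above; on the sample it reports open -> closed at 2.068s and closed -> no-reply at 3.069s.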





On 04/06/2010 09:42 AM, Andreas Hubert wrote:
Hi Luis,

Thanks, that could help!
But I keep thinking about how I could use this new tool to check and
report on specific hosts and their ports.
For example, this -c0 could help if I want to watch a specific host
spontaneously, like waiting until a connection to it is possible.
The other thing that would be interesting is to monitor a specific
host whose open port is just sometimes closed because of some
service problems. Therefore it would be good to use nping in scripts.
For example
nping -p 22 somehost || echo this host is down | mailx -s "host is down"
ahu () censhare de
But now nping always returns exit code 0, because no matter if the port
was open or not, nping ran without an error.
Maybe there are other plans or ideas for nping, and the best for me would
be something like
nping -p 22 --mailerr ahu () censhare de somehost
so that if a connection error appeared, nping would send an e-mail to
me with the statistics of the executed nping!

Thanks
Andreas

On 04.04.10 13:37, Luis MartinGarcia. wrote:
Hi Andreas,

I've just committed a patch that should let you specify "--count 0" or
"-c0" so Nping runs almost indefinitely (for 2^32 rounds actually). You
probably want to combine this with the --rate or --delay options to
adjust how often packets get sent. I hope this helps.

Regards,

Luis MartinGarcia.





On 03/31/2010 07:39 PM, Andreas Hubert wrote:
nping is a really interesting tool for me because, right from the start,
it does not only send one packet; it sends 5, like the usual ping on Windows,
for example. But so far I have not found an option to send packets
until the process gets cancelled, like ping on Linux or Mac OS X.
Because right now, if I want to watch whether a port is open or something,
I need to build a loop around nmap, like
while true; do nmap -PN -p 22 <host>; done
to constantly check if port 22 is open on a specific host. It would be
very good if in the future a
nping -p 22 <host>
would do this and give me stats for this after I ^C the process.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
