Nmap Development mailing list archives

MacOS X 10.6.4 - pcap reception via NSE not working?


From: Jean Mousinho <jean.mousinho () gmail com>
Date: Sat, 31 Jul 2010 00:21:14 +0100

Greetings,
I was trying to use pcap in a NSE script but after some hours of
trial-and-fail I still don't understand what I am doing wrong.

- I'm using a BPF filter "tcp", the callback returns "A" always.
- Using a parallel tcpdump process, I watch packets being sent and
received but they are not received by the script.
- I also see the initial port SYN scan, meaning nmap does receive
packets from pcap I guess.
- The idea was simply to receive a packet from pcap and get it working.

The script is something like:
    local try = nmap.new_try()
    local dnet = nmap.new_dnet()
    local pcap = nmap.new_socket()
    -- pcap test function: accept every captured packet
    local function callback(layer3) return "A" end
    try(dnet:ip_open())
    pcap:pcap_open(host.interface, 64, 0, callback, "tcp")
    pcap:set_timeout(500)
    pcap:pcap_register("A")
    try(dnet:ip_send(pckSend.buf))  -- pckSend: packet built earlier (not shown)
    status, packsz, layer2, layer3, time = pcap:pcap_receive()

pcap_receive returns timeout.

TCPDUMP output is:

23:57:12.590717 IP 127.0.0.1.34358 > 127.0.0.1.22: Flags [S], seq 2187186706, win 1024, options [mss 1460], length 0
23:57:12.590788 IP 127.0.0.1.22 > 127.0.0.1.34358: Flags [S.], seq 17433803, ack 2187186707, win 65535, options [mss 16344], length 0
23:57:12.590796 IP 127.0.0.1.34358 > 127.0.0.1.22: Flags [R], seq 2187186707, win 0, length 0
23:57:12.604284 IP 127.0.0.1.49769 > 127.0.0.1.22: Flags [S], seq 984943659, win 4096, options [mss 1460], length 0
23:57:12.604354 IP 127.0.0.1.22 > 127.0.0.1.49769: Flags [S.], seq 295133620, ack 984943660, win 65535, options [mss 16344], length 0 (**)
23:57:12.604361 IP 127.0.0.1.49769 > 127.0.0.1.22: Flags [R], seq 984943660, win 0, length 0 (**)

These packets (**) are not received by pcap_receive...

I've seen some posts in the list referring to timeout issues in MacOS
and suggesting some work-arounds.
- The version I'm using is 5.35DC1 (from the binary installer, .dmg).
- Tried 5.21 but it results in an error due to ip_open() not being defined.
- Tried timeouts both greater and less than 1000.
- I assume the nmap binary is 32bit since "file" said it was x386 only
(besides ppc).
- All the /dev/bf* files are u=root, g=wheel, with permission crw on owner.


The nmap -d9 output is:


...
Packet capture filter (device lo0): dst host 127.0.0.1 and (icmp or ((tcp or udp or sctp) and (src host 127.0.0.1)))
...
SENT (0.1280s) TCP [127.0.0.1:61745 > 127.0.0.1:22 S seq=2502645690 ack=0 off...
...
RCVD (0.1280s) TCP [127.0.0.1:61745 > 127.0.0.1:22 S seq=2502645690 ack=0...
...
RCVD (0.1280s) TCP [127.0.0.1:22 > 127.0.0.1:61745 SA seq=1895029329 ack=2502645691 off=6...
...
NSE: Starting 'teste0' (thread: 0x619880) against 127.0.0.1:22.
NSOCK (0.1090s) PCAP requested on device 'lo0' with berkeley filter 'tcp' (promisc=0 snaplen=64 to_ms=357913941) (IOD #1)
NSOCK (0.1090s) PCAP created successfully on device 'lo0' (pcap_desc=5 bsd_hack=1 to_valid=1 l3_offset=4) (IOD #1)
NSOCK (0.1090s) Pcap read request from IOD #1  EID 13
SENT (0.1400s) TCP [127.0.0.1:49769 > 127.0.0.1:22 S seq=984943659 ack=0 off=6 res=0 win=4096 csum=0x80C4 urp=0 <mss 1460>] IP [ver=4 ihl=5 tos=0x00 iplen=44 id=21969 foff=0 ttl=128 proto=6 csum=0xe6f8]
NSOCK (0.1400s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.6100s) Callback: READ-PCAP TIMEOUT for EID 13
NSE: failed to receive
...
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
           Raw packets sent: 2 (88B) | Rcvd: 2 (88B)

Also, I did test the ipidseq script, which also uses pcap, and it failed
for the same reason: all pcap_receive()s got a timeout although
TCPDUMP is showing me that packets are being replied to.

I'll post any additional info/log if required... if you have any
suggestion please tell me.

Thanks.

Jean Mousinho
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
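As an added example, not part of Jean's post and not one of Nmap's own scripts, here is a complete NSE script for the 5.3x-era API he is using that performs the same loopback check end to end: it sends one SYN through the dnet raw-IP interface and waits for the reply through the NSE pcap interface. Unlike the posted snippet, the pcap test function returns the source/destination address pair of each captured packet and only that pair is registered, so a reply from the target is the only thing that can satisfy the read; a timeout then means the reply genuinely did not reach NSE's pcap reader rather than a filter/key mismatch. The API names (nmap.new_dnet, pcap_open with a test function, pcap_register, the packet library's Packet:new, tcp_parse, ip_setbin_src, ip_setbin_dest, tcp_set_*, *_count_checksum) are assumed from the 5.x libraries, and the 44-byte SYN header template is constructed for this example.

```lua
-- Added example script (not from the original post or from Nmap itself).
-- Assumes the Nmap 5.3x NSE API: nmap.new_dnet()/ip_open()/ip_send(),
-- nmap.new_socket():pcap_open(device, snaplen, promisc, test_fn, bpf),
-- pcap_register(key), pcap_receive(), and the packet library's
-- Packet:new / tcp_parse / ip_setbin_src / ip_setbin_dest / tcp_set_* /
-- *_count_checksum helpers.
description = [[
Sends one TCP SYN through the dnet raw-IP interface and reports whether the
reply comes back through the NSE pcap interface. A self-check of raw capture
on the scanning host, not a probe of the target.
]]
author = "added example"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe"}

require "bin"
require "packet"

-- Run against any open TCP port (e.g. 127.0.0.1:22 as in the post).
portrule = function(host, port)
  return port.protocol == "tcp" and port.state == "open"
end

-- pcap test function: return the src..dst address pair of each captured
-- IPv4 packet; pcap_receive() only hands back packets whose key was
-- registered with pcap_register(), so packets from other hosts are ignored.
local function check(layer3)
  local ip = packet.Packet:new(layer3, layer3:len())
  return bin.pack("A", ip.ip_bin_src .. ip.ip_bin_dst)
end

-- Constructed 44-byte IPv4/TCP SYN template (data offset 6, MSS 1460);
-- addresses, ports, sequence number and checksums are filled in below.
local function build_syn(host, port)
  local pkt = bin.pack("H",
    "4500 002c 55d1 0000 8006 0000 0000 0000" ..
    "0000 0000 0000 0000 0000 0000 0000 0000" ..
    "6002 0c00 0000 0000 0204 05b4")
  local tcp = packet.Packet:new(pkt, pkt:len())
  tcp:tcp_parse(false)
  tcp:ip_setbin_src(host.bin_ip_src)
  tcp:ip_setbin_dest(host.bin_ip)
  tcp:tcp_set_sport(math.random(0x401, 0xffff))
  tcp:tcp_set_dport(port.number)
  tcp:tcp_set_seq(math.random(1, 0x7fffffff))
  tcp:tcp_count_checksum(tcp.ip_len)
  tcp:ip_count_checksum()
  return tcp
end

action = function(host, port)
  local try  = nmap.new_try()
  local sock = nmap.new_dnet()
  local pcap = nmap.new_socket()

  try(sock:ip_open())
  -- snaplen 104 covers the link-layer header plus IP and TCP headers
  try(pcap:pcap_open(host.interface, 104, 0, check, "tcp"))
  pcap:set_timeout(3000)
  -- only packets from the target back to our own address are delivered
  pcap:pcap_register(bin.pack("A", host.bin_ip .. host.bin_ip_src))

  local syn = build_syn(host, port)
  try(sock:ip_send(syn.buf))

  local status, err_or_len, _, layer3 = pcap:pcap_receive()
  sock:ip_close()
  pcap:pcap_close()

  if not status then
    -- a timeout here means the reply never reached NSE's pcap reader,
    -- even if tcpdump on the same interface shows it
    return "no reply captured via pcap: " .. tostring(err_or_len)
  end
  local reply = packet.Packet:new(layer3, layer3:len())
  reply:tcp_parse(false)
  return string.format("captured reply from %s:%d, TCP flags 0x%02x",
    reply.ip_src, reply.tcp_sport, reply.tcp_flags)
end
```

Run it as root with something like `nmap -d9 --script ./pcap-selfcheck.nse -p 22 127.0.0.1` (script file name chosen here); comparing its result against a parallel `tcpdump -i lo0 tcp` is the same comparison the post makes, with the advantage that a success proves the full dnet-send/pcap-receive path rather than just "some TCP packet was seen".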
