Nmap Development mailing list archives

Re: [NSE] qscan first read timeout value too short?


From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Thu, 19 Aug 2010 16:27:03 +0200

On 08/07/2010 12:52 AM, David Fifield wrote:

Do you think it's related to this recent message?

Nsock has trouble handling pcap reads on Windows
http://seclists.org/nmap-dev/2010/q3/232

Luis found that pcap reads on Windows were not being polled often
enough.  His patch was applied in r19487, so you should have the fix
already. Luis, you mentioned to me that you confirmed the bug existed
with NSE also. Can you reproduce this behavior with qscan?

Hi, David,

Sorry for my late reply. I didn't read your message until now.

I did confirm that the bug also affected NSE but I had to cheat a bit in
order to obtain clear results. A quick explanation is at the end of this
email [1].

About Qscan, I can't try to reproduce it right now, but I don't think it's
related. The bug I traced did not cause packet loss, it just caused a
delay in its detection. This is a long shot, but I think what we are
dealing with here is that the script sends a probe, but pcap is not
ready by the time we receive the first reply.

Also, after a very quick look at the script, I see that qscan.nse
performs certain operations in a different order than ipidseq.nse.  Jah,
would you try the patch I attach? Sorry if the patch looks absurd, but
my experience with NSE is close to zero.

Regards,


Luis MartinGarcia.


[1] The thing is that in nse_main.lua::779 you find this:

cnse.nsock_loop(50);

What this means, is that NSE uses nsock_loop() with a hardcoded 50ms
timeout. This low value made the bug unnoticeable, because captured
packets were being detected in less than 50ms. The bug showed up in
Nping, because by default it does 1000ms nsock_loop() calls, so from the
user's perspective, it's pretty clear that if the packet takes 1 second
to show up on screen, something is wrong.

So for my tests (which only covered ipidseq.nse) I set the timeout in
NSE to 5000ms. That way I could see how the captured packets were not
being "detected" until the nsock_loop() call timed out. The output I got is
here:
<http://seclists.org/nmap-dev/2010/q3/att-265/nmap_script_ipidseq_before.txt>
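The footnote above explains why a hardcoded 50ms loop timeout hid a delay that a 1000ms or 5000ms timeout makes obvious. The following is an added illustration written for this archive page, not code from the thread, from Nmap, or from nsock: it is a discrete-time model (constructed, with simplified event-loop semantics assumed for the example) of back-to-back nsock_loop(timeout) calls, comparing a loop that only looks at the capture handle after its wait returns with one that wakes as soon as pcap has data. The arrival times are constructed sample input.

```python
# Added example: a toy model of the "delayed detection" behaviour described in
# the mail. This is NOT nsock/NSE code; the loop semantics are a simplification
# assumed for illustration.
from typing import List, Tuple


def run_loop(timeout_ms: int, pcap_arrivals_ms: List[int],
             pcap_polled_during_wait: bool,
             horizon_ms: int = 20_000) -> List[Tuple[int, int]]:
    """Simulate consecutive nsock_loop(timeout_ms) calls starting at time 0.

    pcap_arrivals_ms: virtual times (ms) at which pcap captures a packet.
    pcap_polled_during_wait:
        True  -> the wait wakes as soon as the capture handle has data.
        False -> the capture handle is only checked once the wait returns,
                 i.e. when the timeout expires (the behaviour the mail
                 attributes to the unpatched Windows build; an assumption
                 of this model, not a statement about nsock internals).
    Returns (arrival_ms, detected_ms) pairs in detection order.
    """
    now = 0
    pending = sorted(pcap_arrivals_ms)
    detected: List[Tuple[int, int]] = []
    while pending and now < horizon_ms:
        deadline = now + timeout_ms
        if pcap_polled_during_wait:
            # Wake early if a packet is already buffered or arrives before the deadline.
            wake = now if pending[0] <= now else min(deadline, pending[0])
        else:
            # Nothing wakes the wait except the timeout itself.
            wake = deadline
        now = wake
        # Once the wait returns, every buffered capture is delivered to the script.
        while pending and pending[0] <= now:
            detected.append((pending[0], now))
            pending.pop(0)
    return detected


def worst_added_delay(timeout_ms: int, arrivals: List[int],
                      pcap_polled_during_wait: bool) -> int:
    """Largest gap (ms) between a packet being captured and the loop noticing it."""
    return max(det - arr for arr, det in
               run_loop(timeout_ms, arrivals, pcap_polled_during_wait))


if __name__ == "__main__":
    # Constructed sample: three replies captured 3ms, 120ms and 1234ms after start.
    arrivals = [3, 120, 1234]
    for timeout in (50, 1000, 5000):
        buggy = worst_added_delay(timeout, arrivals, pcap_polled_during_wait=False)
        fixed = worst_added_delay(timeout, arrivals, pcap_polled_during_wait=True)
        print(f"nsock_loop({timeout:>4}): worst added delay "
              f"unpolled={buggy:>4}ms  polled={fixed}ms")
```

With the 50ms timeout the worst extra delay stays under 50ms, which is why NSE looked fine, while the same model with a 5000ms timeout holds the first reply back until the call times out, matching what the footnote describes for the 5000ms test.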
Attachment: qscan_losses.diff

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
