Nmap Development mailing list archives
Re: [NSE] qscan first read timeout value too short?
From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Thu, 19 Aug 2010 16:27:03 +0200
On 08/07/2010 12:52 AM, David Fifield wrote:
Do you think it's related to this recent message? Nsock has trouble handling pcap reads on Windows http://seclists.org/nmap-dev/2010/q3/232 Luis found that pcap reads on Windows were not being polled often enough. His patch was applied in r19487, so you should have the fix already. Luis, you mentioned to me that you confirmed the bug existed with NSE also. Can you reproduce this behavior with qscan?
Hi, David, Sorry for my late reply. I didn't read your message until now. I did confirm that the bug also affected NSE but I had to cheat a bit in order to obtain clear results. A quick explanation is at the end of this email [1]. About Qscan, I can't try to reproduce it right now, but I don't think is related. The bug I traced did not cause packet loss, it just caused a delay on its detection. This is a long shot but I think what we are dealing with here is that the script sends a probe, but pcap is not ready by the time we receive the first reply. Also, after a very quick look to the script I see that qscan.nse performs certain operations in a different order than ipidseq.nse. Jah, would you try the patch I attach? Sorry if the patch looks absurd, but my experience with NSE is close to zero. Regards, Luis MartinGarcia. [1] The thing is that in nse_main.lua::779 you find this: cnse.nsock_loop(50); What this means, is that NSE uses nsock_loop() with a hardcoded 50ms timeout. This low value made the bug unnoticeable, because captured packets were being detected in less than 50ms. The bug showed up in Nping, because by default it does 1000ms nsock_loop() calls, so from the user's perspective, it's pretty clear that if the packet takes 1 second to show up on screen, something is wrong. So for my tests (which only covered ipidseq.nse) I set the timeout in NSE to 5000ms. That way I could see how the caputred packets were not being "detected" until the nsock_loop() call timed out. Output I got is here: <http://seclists.org/nmap-dev/2010/q3/att-265/nmap_script_ipidseq_before.txt>
Attachment:
qscan_losses.diff
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] qscan first read timeout value too short? jah (Aug 06)
- Re: [NSE] qscan first read timeout value too short? David Fifield (Aug 06)
- Re: [NSE] qscan first read timeout value too short? jah (Aug 06)
- Re: [NSE] pcap first read times out with sub second read timeouts jah (Aug 19)
- Re: [NSE] qscan first read timeout value too short? Luis MartinGarcia. (Aug 19)
- Re: [NSE] qscan first read timeout value too short? jah (Aug 20)
- Re: [NSE] qscan first read timeout value too short? David Fifield (Aug 23)
- Re: [NSE] qscan first read timeout value too short? jah (Aug 24)
- Re: [NSE] qscan first read timeout value too short? David Fifield (Aug 25)
- Re: [NSE] qscan first read timeout value too short? David Fifield (Aug 25)
- Re: [NSE] qscan first read timeout value too short? David Fifield (Aug 06)