Nmap Development mailing list archives
Re: MacOS X 10.6.4 - pcap reception via NSE not working?
From: David Fifield <david () bamsoftware com>
Date: Thu, 19 Aug 2010 22:35:01 -0600
On Thu, Aug 19, 2010 at 09:03:42PM -0500, Kris Katterjohn wrote:
On 08/19/2010 08:02 PM, David Fifield wrote:I spent most of today looking into this. It appears to be another change in OS X BPF. http://sourceforge.net/tracker/?func=detail&aid=2902860&group_id=53067&atid=469577 I can reproduce it with NSE and Nping. The common element is Nsock's pcap capture. What's happening is that packets are being captured in non-blocking mode, but they are not being flushed to user space until a lot of them have been buffered in the kernel. I attached a test program that illustrates this. If you run it as it is, it will not print out any captures until you create a lot of traffic. If you comment out the call to pcap_setnonblock, you will see captures right away. The reason that port scans still work is that scan_engine.cc doesn't call pcap_setnonblock, instead using a short timeout on platforms where pcap descriptors are not selectable. I found that removing pcap_set_nonblock and reducing the timeout in Nsock makes NSE and Nping work. Another option is to set the BIOCIMMEDIATE ioctl as described in the linked page. I'll look more into it.Doug was suggesting using BIOCIMMEDIATE before (early 2007), but for a different reason[1]. I had made some replies to his post, but I don't think it was brought up again. Perhaps using this is the way to go since not using it could cause problems in the future: maybe other systems will behave differently as Guy Harris describes they're supposed to be doing. And with luck maybe we can still get a performance boost like Doug described. [1] http://seclists.org/nmap-dev/2007/q1/174
Thanks for finding that reference. I committed a change to use BIOCIMMEDIATE whenever it is defined. This makes qscan.nse and Nping work for me again. This change only affects pcap in Nsock, so it won't have any performance impact on the normal scanning engine. That will have to be handled separately if someone wants to tackle it. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- MacOS X 10.6.4 - pcap reception via NSE not working? Jean Mousinho (Jul 30)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 15)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 19)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Kris Katterjohn (Aug 19)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 19)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 20)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 20)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 20)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 20)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 21)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 19)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 15)