Nmap Development mailing list archives

Re: [RFC] path-mtu.nse, host.interface_mtu, etc.


From: David Fifield <david () bamsoftware com>
Date: Mon, 23 Aug 2010 10:37:45 -0600

On Wed, Aug 04, 2010 at 08:05:00PM -0500, Kris Katterjohn wrote:
The script isn't working for me with SYN probes. I'm not sure what's
wrong but tcpdump doesn't show any replies.

<snip>
Host script results:
|_path-mtu: Error: Unable to determine PMTU (no replies)
Final times for host: srtt: 66760 rttvar: 28451  to: 180564

The packets that path-mtu are sending look like

16:30:14.594363 IP (tos 0x0, ttl 128, id 0, offset 0, flags [DF], proto TCP (6), length 1500)
    192.168.0.21.51543 > 64.13.134.52.22: Flags [S], seq 1714636915:1714638371, win 3072, options [mss 1460], length 1456

Thanks for testing.

I get replies and the script behaves correctly when I use scanme.  Did you
happen to test against any other host, on a LAN or out on the internet?  What
about using UDP?

Similar packets sent by Nping get a response.

# nping --tcp -p 22 64.13.134.52 --df
16:32:38.135869 IP (tos 0x0, ttl 64, id 33435, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.21.57093 > 64.13.134.52.22: Flags [S], cksum 0x78f4 (correct), seq 2445687109, win 1480, length 0
16:32:38.202608 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    64.13.134.52.22 > 192.168.0.21.57093: Flags [S.], cksum 0x4e5e (correct), seq 33882044, ack 2445687110, win 5840, options [mss 1460], length 0
16:32:38.202700 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.21.57093 > 64.13.134.52.22: Flags [R], cksum 0x7eb9 (correct), seq 2445687110, win 0, length 0


Does Nping still work when you add a bunch of data to the mix?

Using "nping -c 1 --tcp --df -p 22 --data-length 1460 64.13.134.52":

SENT (0.0220s) TCP 192.168.10.6:5116 > 64.13.134.52:22 S ttl=64 id=45459 iplen=1500  seq=3298795002 win=1480
RCVD (0.0250s) ICMP w.x.y.z > 192.168.10.6 Fragmentation required (type=3/code=4) ttl=29 id=3655 iplen=56

You're right. Nping with a non-zero amount of data doesn't work for me
either. I think it's my home router blocking the packets. I verified
that they aren't making it to the destination.

# ./nping --echo-client public --tcp -p 80 --df -c 2 echo.nmap.org

Starting Nping 0.5.35DC18 ( http://nmap.org/nping ) at 2010-08-23 10:31 MDT
SENT (1.1220s) TCP 192.168.0.21:21151 > 178.79.132.93:80 S ttl=64 id=48781 iplen=40  seq=2942041858 win=1480
CAPT (1.2070s) TCP 206.81.65.18:21151 > 178.79.132.93:80 S ttl=49 id=48781 iplen=40  seq=2942041858 win=1480
RCVD (1.2760s) TCP 178.79.132.93:80 > 192.168.0.21:21151 RA ttl=48 id=0 iplen=40  seq=0 win=0
SENT (2.1240s) TCP 192.168.0.21:21151 > 178.79.132.93:80 S ttl=64 id=48781 iplen=40  seq=2942041858 win=1480
CAPT (2.2015s) TCP 206.81.65.18:21151 > 178.79.132.93:80 S ttl=49 id=48781 iplen=40  seq=2942041858 win=1480
RCVD (2.2780s) TCP 178.79.132.93:80 > 192.168.0.21:21151 RA ttl=48 id=0 iplen=40  seq=0 win=0

# ./nping --echo-client public --tcp -p 80 --df -c 2 echo.nmap.org --data-length 10

Starting Nping 0.5.35DC18 ( http://nmap.org/nping ) at 2010-08-23 10:31 MDT
SENT (1.0880s) TCP 192.168.0.21:15766 > 178.79.132.93:80 S ttl=64 id=42908 iplen=50  seq=618787634 win=1480
SENT (2.0900s) TCP 192.168.0.21:15766 > 178.79.132.93:80 S ttl=64 id=42908 iplen=50  seq=618787634 win=1480

I don't get replies when running directly against my router either, but
it works against another computer on the LAN. It also works if I scan
from a Linode instead of from home. It also works when running against
the router with UDP. I think the stateful firewall is filtering out SYN
containing data.

So it looks like the error is due to my environment. Please go ahead and
commit the changes.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
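To make the failure mode discussed in this thread concrete, here is an added example (not code from Nmap, Nping or path-mtu.nse). It constructs an IPv4/TCP packet with the header fields from the tcpdump line quoted above (ttl 128, id 0, DF set, total length 1500, 192.168.0.21:51543 to 64.13.134.52:22, SYN, MSS 1460, 1456 bytes of data), decodes it the way a filtering device would, and reports what makes it unusual: a SYN that carries a payload. The zero-filled payload, the unset TCP checksum and all function names are assumptions made for the example, not values from the thread.

```python
"""Decode a path-MTU style probe and explain why a stateful filter may drop it.

Added example for the path-mtu.nse thread; not Nmap or Nping code.  The packet
is constructed from the header fields in the quoted tcpdump output; payload
bytes are zero filler and the TCP checksum is left unset (nothing is sent).
"""
import socket
import struct

IP_FLAG_DF = 0x4000      # "Don't Fragment" bit in the IPv4 flags/fragment-offset word
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
TCP_OPT_MSS = 2


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header (0 means 'verifies')."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn_probe(src, dst, sport, dport, seq, window, mss, payload_len,
                    ttl=128, ip_id=0, df=True) -> bytes:
    """Construct IPv4 + TCP SYN (with an MSS option) followed by payload_len data bytes."""
    tcp_opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)          # kind, length, value
    tcp_hdr_len = 20 + len(tcp_opts)                             # 24 bytes -> data offset 6
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                          (tcp_hdr_len // 4) << 4, TCP_FLAG_SYN, window, 0, 0) + tcp_opts
    payload = bytes(payload_len)                                 # constructed zero filler
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id,
                         IP_FLAG_DF if df else 0, ttl, socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    # Patch the header checksum into bytes 10..11.
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def parse_packet(pkt: bytes) -> dict:
    """Decode the IPv4 and TCP fields a filter needs to judge a PMTU probe."""
    ver_ihl, _tos, total_len, ip_id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != socket.IPPROTO_TCP:
        raise ValueError("not a TCP packet")
    sport, dport, seq, _ack, off_flags, tcp_flags, window = struct.unpack(
        "!HHIIBBH", pkt[ihl:ihl + 16])
    data_off = (off_flags >> 4) * 4
    # Walk the TCP options list looking for MSS (kind 2, length 4).
    opts, mss, i = pkt[ihl + 20:ihl + data_off], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                # end of options
            break
        if kind == 1:                # NOP has no length byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == TCP_OPT_MSS and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "ip_id": ip_id, "ttl": ttl, "total_len": total_len,
        "df": bool(flags_frag & IP_FLAG_DF),
        "sport": sport, "dport": dport, "seq": seq, "window": window, "mss": mss,
        "syn": bool(tcp_flags & TCP_FLAG_SYN), "ack": bool(tcp_flags & TCP_FLAG_ACK),
        "payload_len": total_len - ihl - data_off,
    }


def classify(fields: dict) -> str:
    """Name the property of the probe that a stateful firewall is likely to react to."""
    if fields["syn"] and not fields["ack"] and fields["payload_len"] > 0:
        # Legal TCP, but rare in practice; the thread shows a home router dropping these.
        return "syn-with-payload"
    if fields["syn"] and not fields["ack"]:
        return "plain-syn"
    return "other"


def probe_summary(pkt: bytes) -> dict:
    """One-line view of a probe: verdict plus the fields that matter for PMTU."""
    f = parse_packet(pkt)
    return {"verdict": classify(f), "df": f["df"], "total_len": f["total_len"],
            "payload_len": f["payload_len"], "mss": f["mss"]}


if __name__ == "__main__":
    probe = build_syn_probe("192.168.0.21", "64.13.134.52", 51543, 22,
                            1714636915, 3072, 1460, 1456)
    print(probe_summary(probe))
    print(probe_summary(build_syn_probe("192.168.0.21", "64.13.134.52", 57093, 22,
                                        2445687109, 1480, 1460, 0, ttl=64)))
```

Run stand-alone, the first summary describes the 1500-byte DF probe as `syn-with-payload`, while the second (the Nping SYN without data that did get a SYN/ACK) comes out as `plain-syn`; comparing the two is the quickest way to confirm whether a filter in the path objects to the payload rather than to the DF bit or the size alone.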