Nmap Development mailing list archives

Re: Bug / Weird behaviour with arping


From: A Brodskiy <abrods01 () gmail com>
Date: Wed, 10 Aug 2011 18:22:39 -0400

I meant that the Target MAC address SHOULD be set to 00:00:00:00:00:00; that's
how all other IP stacks work (Linux, Win).

nmap version 5.51

Alex

On Wed, Aug 10, 2011 at 6:03 PM, A Brodskiy <abrods01 () gmail com> wrote:

It seems the behaviour of nmap when it performs an ARP discovery is
weird, and different from the way IP stacks do it.

For the target MAC address it puts in ff:ff:ff:ff:ff:ff, the same as the
destination MAC address of the Ethernet packet itself. However, for
discovery, unless the ARP request is gratuitous, the Target MAC address is
set to 00:00:00:00:00:00.

This behaviour allows people to trivially discover "fingerprint" nmap scans
on their network.

Here is some Wireshark code:

arp.dst.hw_mac==ff:ff:ff:ff:ff:ff and arp.isgratuitous==false

Thank you, Alex.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
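The check the thread's Wireshark filter expresses, written out as an added Python example (not code from the thread or from the Nmap project) that runs over constructed sample frames: it decodes the Ethernet and ARP headers, treats sender IP == target IP as gratuitous (an approximation of Wireshark's arp.isgratuitous flag, assumed here), and flags ARP requests that are not gratuitous yet carry ff:ff:ff:ff:ff:ff in the target hardware address field. The frame builder, the function names and the 192.0.2.x addresses are constructed for the example and are not from the post.

```python
import struct
from typing import Dict, List, Optional

# Ethernet II / ARP wire-format constants (RFC 826).
ETH_HDR_LEN = 14
ETHERTYPE_ARP = 0x0806
ARP_LEN = 28
ARP_REQUEST = 1
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_to_bytes(text: str) -> bytes:
    return bytes(int(part) for part in text.split("."))


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns the ARP fields as a dict, or None if the frame is not such a packet.
    """
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_LEN])
    if htype != HTYPE_ETHERNET or ptype != PTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    return {
        "eth_dst": mac_to_str(eth_dst), "eth_src": mac_to_str(eth_src),
        "oper": oper,
        "sha": mac_to_str(sha), "spa": ip_to_str(spa),   # sender hw / proto addr
        "tha": mac_to_str(tha), "tpa": ip_to_str(tpa),   # target hw / proto addr
    }


def is_gratuitous(arp: Dict[str, object]) -> bool:
    """Gratuitous ARP announces the sender's own address: sender IP == target IP.
    Assumption: this approximates Wireshark's arp.isgratuitous flag."""
    return arp["spa"] == arp["tpa"]


def matches_nmap_arp_fingerprint(arp: Dict[str, object]) -> bool:
    """Same condition as the filter in the post
    (arp.dst.hw_mac == ff:ff:ff:ff:ff:ff and arp.isgratuitous == false),
    restricted to requests (opcode 1), which is what host discovery sends."""
    return (arp["oper"] == ARP_REQUEST
            and not is_gratuitous(arp)
            and arp["tha"] == BROADCAST_MAC)


def build_arp_request(src_mac: str, src_ip: str, target_ip: str, tha: str) -> bytes:
    """Construct a broadcast ARP request frame; used only to make sample input."""
    eth = struct.pack("!6s6sH", mac_to_bytes(BROADCAST_MAC),
                      mac_to_bytes(src_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4,
                      ARP_REQUEST, mac_to_bytes(src_mac), ip_to_bytes(src_ip),
                      mac_to_bytes(tha), ip_to_bytes(target_ip))
    # Pad to the 60-byte minimum frame length, as a NIC would on the wire.
    return (eth + arp).ljust(60, b"\x00")


def find_suspicious_requests(frames: List[bytes]) -> List[Dict[str, object]]:
    """Return the frames that match the fingerprint, with who asked for what."""
    flagged = []
    for idx, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is not None and matches_nmap_arp_fingerprint(arp):
            flagged.append({"index": idx, "sha": arp["sha"],
                            "spa": arp["spa"], "tpa": arp["tpa"]})
    return flagged


# Constructed sample capture: an OS-style request (THA zeroed), a request with
# THA set to broadcast, and a gratuitous request (sender IP == target IP).
SAMPLE_FRAMES = [
    build_arp_request("00:11:22:33:44:55", "192.0.2.10", "192.0.2.20", ZERO_MAC),
    build_arp_request("00:11:22:33:44:66", "192.0.2.11", "192.0.2.21", BROADCAST_MAC),
    build_arp_request("00:11:22:33:44:77", "192.0.2.12", "192.0.2.12", BROADCAST_MAC),
]

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_FRAMES):
        print(f"frame {hit['index']}: {hit['sha']} ({hit['spa']}) asked for "
              f"{hit['tpa']} with target MAC set to broadcast")
```

Only the second sample frame is reported: the first has the zeroed target MAC that the post says normal IP stacks use, and the third is gratuitous, which the filter excludes. To run this over real traffic, feed it raw link-layer frames from a capture (for instance the packet bytes from a pcap reader); the parser ignores anything that is not IPv4-over-Ethernet ARP.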

