Nmap Development mailing list archives

Re: OSX - 'no route to host'


From: Brandon Applegate <brandon () burn net>
Date: Sat, 24 Sep 2011 14:37:37 -0400 (EDT)

On Sat, 24 Sep 2011, David Fifield wrote:

What's your output for "nmap --iflist"?

I have seen OS X creating and destroying routes ephemerally sometimes.
What happens if you ping the IP address immediately before trying to
scan it? Does "nmap --iflist" differ immediately after a ping?

David Fifield


First - thanks for the reply.

FYI - scanning an individual host seems to work okay. It's the ping scan (sP) that gets stuck in the middle.

Here's my --iflist - sanitized.

bash-3.2# nmap --iflist

Starting Nmap 5.51 ( http://nmap.org ) at 2011-09-24 14:12 EDT
************************INTERFACES************************
DEV (SHORT) IP/MASK          TYPE     UP MTU   MAC
lo0 (lo0)   127.0.0.1/8      loopback up 16384
en0 (en0)   192.168.x.x/24   ethernet up 1500  01:02:03:04:05:06

**************************ROUTES**************************
DST/MASK          DEV GATEWAY
x.x.x.x/32        en0 192.168.x.x
x.x.x.x/32        en0 192.168.x.x
x.x.x.x/32        en0 192.168.x.x
127.0.0.1/32      lo0 127.0.0.1
192.168.x.x/32    lo0 127.0.0.1
x.x.x.x/32        en0 192.168.x.x
127.0.0.0/8       lo0 127.0.0.1
0.0.0.0/0         en0 192.168.x.x

The x.x.x.x/32s are all the ephemeral cached host routes I think you are talking about. The ones in this output are for things my machine is currently talking to. I could be wrong - but isn't this a BSD-ish thing? I come from a Linux background - so still getting used to the network nuts and bolts of OSX. In Linux to see this I would have to do something like 'ip route show table cache'

Something I notice - is that nmap --iflist does NOT have a route for my connected interface. In my case, that would be 192.168.x.x/24.

--iflist does NOT seem to change if I manually try to ping a host beforehand.

Again - excuse my OSX ignorance - but when I ping a host that doesn't exist - I get a /32 route entry with a destination of link#x (this is in 'netstat -rnv'). A live host yields its MAC address in the 'gateway' column (successful ARP).

So it seems that the incomplete ARP signalling isn't making it to nmap or is getting used incorrectly? Probably not articulating that very well :(

As a test - nmap -sP $some_remote_net works great. So scanning an offnet /24 completes fast with no timeouts or errors. It seems like it's just an sP of a local connected network that gets bogged down in the middle due to incomplete ARP.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151.  This is the serial number, of our orbital gun."
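The observation above (the ROUTES table carries cached /32 host routes but no route for the connected 192.168.x.x/24 network, so any other LAN host falls through to the default route) is easy to check mechanically. The following is an added example, not code from the thread or from the Nmap project: it parses the `nmap --iflist` text format shown in the message and flags up interfaces whose connected network has no matching route. The sample output is the sanitized listing from the message with the x's replaced by made-up 192.168.1.0/24 addresses so that it parses; those addresses are constructed, not real data.

```python
import ipaddress

# Constructed sample: the sanitized `nmap --iflist` listing from the message,
# with the masked octets filled in with made-up addresses (assumption).
SAMPLE_IFLIST = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2011-09-24 14:12 EDT
************************INTERFACES************************
DEV (SHORT) IP/MASK          TYPE     UP MTU   MAC
lo0 (lo0)   127.0.0.1/8      loopback up 16384
en0 (en0)   192.168.1.10/24  ethernet up 1500  01:02:03:04:05:06

**************************ROUTES**************************
DST/MASK          DEV GATEWAY
192.168.1.20/32   en0 192.168.1.10
192.168.1.30/32   en0 192.168.1.10
127.0.0.1/32      lo0 127.0.0.1
192.168.1.10/32   lo0 127.0.0.1
127.0.0.0/8       lo0 127.0.0.1
0.0.0.0/0         en0 192.168.1.1
"""


def parse_iflist(text):
    """Parse the INTERFACES and ROUTES sections of `nmap --iflist` output."""
    section = None
    interfaces, routes = [], []
    for line in text.splitlines():
        if line.startswith("*"):
            # Banner lines switch between the two sections.
            section = "if" if "INTERFACES" in line else "rt"
            continue
        if section is None or not line.strip():
            continue
        if line.startswith(("DEV ", "DST/MASK")):
            continue  # column headers
        parts = line.split()
        if section == "if":
            # DEV (SHORT) IP/MASK TYPE UP MTU [MAC]; loopback has no MAC column.
            interfaces.append({
                "dev": parts[0],
                "addr": ipaddress.ip_interface(parts[2]),
                "type": parts[3],
                "up": parts[4] == "up",
                "mtu": int(parts[5]),
                "mac": parts[6] if len(parts) > 6 else None,
            })
        else:
            # DST/MASK DEV GATEWAY
            routes.append({
                "dst": ipaddress.ip_network(parts[0], strict=False),
                "dev": parts[1],
                "gw": parts[2],
            })
    return interfaces, routes


def missing_connected_routes(interfaces, routes):
    """Up, non-loopback interfaces whose connected network (e.g. 192.168.1.0/24)
    does not appear as a route on that interface. This is the gap the message
    points out for en0."""
    present = {(r["dev"], r["dst"]) for r in routes}
    return [
        (i["dev"], str(i["addr"].network))
        for i in interfaces
        if i["up"] and i["type"] != "loopback"
        and (i["dev"], i["addr"].network) not in present
    ]


def host_routes(routes):
    """The cached /32 host routes on a real interface: the only LAN hosts the
    table names explicitly."""
    return [str(r["dst"].network_address)
            for r in routes if r["dst"].prefixlen == 32 and r["dev"] != "lo0"]


def lookup(routes, target):
    """Longest-prefix match over the parsed ROUTES table, i.e. the route a
    target would resolve to from this table alone."""
    ip = ipaddress.ip_address(target)
    best = None
    for r in routes:
        if ip in r["dst"] and (best is None or r["dst"].prefixlen > best["dst"].prefixlen):
            best = r
    return best


if __name__ == "__main__":
    ifs, rts = parse_iflist(SAMPLE_IFLIST)
    print("no connected route for:", missing_connected_routes(ifs, rts))
    print("cached host routes:", host_routes(rts))
    for t in ("192.168.1.20", "192.168.1.50"):
        r = lookup(rts, t)
        print(t, "->", r["dst"], "dev", r["dev"], "gw", r["gw"])
```

With the sample table, a host that has a cached /32 entry (192.168.1.20) resolves to that entry, while a neighbour that has not been talked to yet (192.168.1.50) falls through to 0.0.0.0/0 via the gateway, which is exactly the situation in which a local `-sP` sweep behaves differently from a single-host scan of a recently contacted address. Running the same parser against the live `nmap --iflist` output before and after a ping makes the "does the table change?" question from the reply a diff of two lists rather than an eyeball comparison.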



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/