Nmap Development mailing list archives
Re: TCP window, options information
From: Vasiliy Kulikov <segoon () openwall com>
Date: Tue, 27 Sep 2011 21:22:55 +0400
On Sat, Sep 24, 2011 at 13:54 -0700, David Fifield wrote:
> But also, it might be ambiguous. Some operating systems have different initial window sizes for different probes, for example (see W1-W6):
...
> I have also seen the same OS send different TCP options (particularly FreeBSD). Notice how the MSS differs in each response, and how O6 is missing the "W" window scale.
Looks strange. However, even such "nonstable" results are better than nothing. E.g. if the OS decided to include some option in one case and not to include it in another case because of some heuristics, it's still interesting to see that the OS supports the option at all (IOW, selects it at least sometimes). And the detection of SYN cookies is unlikely to be stable, as they are used under high load only (at least this is the Linux case).

So, I think the logic of the script should be: send some random SYN packets to the open port(s) and output the superset of all received options (probably with frequency of occurrence, to identify whether the option is always on or is heuristic) and window ranges.

Other opinions are welcome.

Thanks,

--
Vasiliy Kulikov
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
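The aggregation proposed in the message above, as an added example that is not part of the original post or of Nmap: it parses SYN/ACK TCP headers that have already been collected and reports the superset of options with how often each appeared, plus the window and MSS ranges. The function names and the sample headers are constructed for illustration.

```python
import struct
from collections import Counter

# Option kinds to report (IANA numbers); EOL (0) and NOP (1) are padding.
NAMES = {2: "MSS", 3: "WScale", 4: "SACK-permitted", 8: "Timestamps"}

def parse_synack(tcp: bytes):
    """Return (window, {option name: value bytes}) from a raw TCP header."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    hdr_len = (off_flags >> 12) * 4              # data offset is in 32-bit words
    if not 20 <= hdr_len <= len(tcp):
        raise ValueError("bad data offset")
    opts, i, found = tcp[20:hdr_len], 0, {}
    while i < len(opts) and opts[i] != 0:        # kind 0 ends the option list
        if opts[i] == 1:                         # kind 1 is a single-byte NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        found[NAMES.get(opts[i], f"kind-{opts[i]}")] = opts[i + 2:i + opts[i + 1]]
        i += opts[i + 1]
    return window, found

def summarize(responses):
    """Superset of options with per-option frequency, plus window and MSS ranges."""
    freq, windows, mss = Counter(), [], []
    for tcp in responses:
        window, found = parse_synack(tcp)
        windows.append(window)
        freq.update(found.keys())                # one count per option per reply
        if len(found.get("MSS", b"")) == 2:
            mss.append(int.from_bytes(found["MSS"], "big"))
    return {
        "frequency": {name: n / len(responses) for name, n in sorted(freq.items())},
        "window_range": (min(windows), max(windows)),
        "mss_range": (min(mss), max(mss)) if mss else None,
    }

def synack(window, options):
    """Build a constructed SYN/ACK TCP header (sample data, not a capture)."""
    options += b"\x01" * (-len(options) % 4)     # NOP-pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", 80, 40000, 1, 2, (offset << 12) | 0x12, window, 0, 0) + options
def mss_opt(v): return b"\x02\x04" + v.to_bytes(2, "big")
WS, SACK, TS = b"\x03\x03\x06", b"\x04\x02", b"\x08\x0a" + bytes(8)
SAMPLES = [synack(65535, mss_opt(1460) + WS + SACK + TS), synack(65535, mss_opt(1440) + WS + SACK + TS),
           synack(32768, mss_opt(1460) + WS + SACK + TS), synack(65535, mss_opt(1380) + SACK + TS)]
```

Calling `summarize(SAMPLES)` shows window scale at a frequency of 0.75 while the other three options sit at 1.0, which is the "always on" versus "heuristic" distinction the message asks for.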