Nmap Development mailing list archives

Re: Off by one in ICMP distance calculation?

From: David Fifield <david () bamsoftware com>
Date: Fri, 30 Sep 2011 18:53:53 -0700

On Fri, Sep 30, 2011 at 12:00:05PM +0200, Luis MartinGarcia. wrote:

On 09/15/2011 06:48 PM, David Fifield wrote:

During OS detection, we calculate distance by subtracting the
encapsulated TTL in an ICMP error reply from the TTL we set originally
when sending the probe:
  /* Count hop count */
  if (hss->distance == -1) {
    hss->distance = this->udpttl - ip2->ip_ttl;
  }
I think this is off by one: it reports one less than the actual
distance. I added this debugging line:
  log_write(LOG_PLAIN, "TTL distance: %d - %d == %d\n", this->udpttl, ip2->ip_ttl, this->udpttl - ip2->ip_ttl);
and I tried running with traceroute. Here's a remote host:
  TTL distance: 56 - 46 == 10
  Network Distance: 11 hops
  TRACEROUTE (using port 53/tcp)
  HOP RTT      ADDRESS
  1   6.11 ms  192.168.0.1
   ...
  9   29.23 ms 10gigabitethernet1-1.core1.fmt1.he.net (72.52.92.109)
  10  14.23 ms linode-llc.10gigabitethernet2-3.core1.fmt1.he.net (64.62.250.6)
  11  17.00 ms li86-221.members.linode.com (74.207.244.221)
and here's a directly connected host:
  TTL distance: 61 - 61 == 0
  Network Distance: 1 hop
  TRACEROUTE
  HOP RTT     ADDRESS
  1   0.23 ms 192.168.0.3

Directly connected hosts are already treated as a special case and set
to distance 1, so you would only notice the discrepancy against
multiple-hop hosts.

Does anyone else agree that this is off by one?


Hi!

In my opinion it  depends on the definition of network distance. If we
only mean the number of intermediate devices between the sender and the
receiver, then the SENT_TTL - RECV_TTL throws the correct value.
However, I don't think the distance should be defined like that. In
real-world when someone asks how far is some tube station and I tell
them it's three stops away, that means you get the tube in station A,
you pass B and C until you get to D. In network communications B and C
would be routers and the TTL would be decremented only twice, not three
times. Therefore:

A[TTL 255] --> B [TTL 254] --> C [TTL 253] --> D   ::
Distance=255-253=2?  Wrong, It should be 3.

So yeah, I agree that its and off by one bug. Plus, if we do
{distance=SENT_TTL - RCVD_TTL + 1} then the directly connected is not a
special case and can be reliably distinguished from the scenario where
there is one router in the middle.


Okay, I just made a commit to increase the number by 1.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Off by one in ICMP distance calculation? David Fifield (Sep 15)
- Re: Off by one in ICMP distance calculation? Luis MartinGarcia. (Sep 30)
  - Re: Off by one in ICMP distance calculation? David Fifield (Sep 30)