Nmap Development mailing list archives
Re: [Patch] Fixing the MAC address in Nmap's ARP discovery
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 28 May 2014 16:57:48 -0500
On Tue, May 27, 2014 at 3:09 AM, Jay Bosamiya <jaybosamiya () gmail com> wrote:
> Hi All!
>
> Nmap's ARP discovery uses the wrong MAC address in the target field of ARP requests. It uses ff:ff:ff:ff:ff:ff instead of the 00:00:00:00:00:00 that all other IP stacks (Linux, Win) use. This allows people to trivially discover Nmap scans on their network.
>
> This was reported by A Brodskiy. Link: [1].
List,

I did some research on this, and I found that, although Linux and Windows at least do set the target MAC address (ar$tha) to 00-00-00-00-00-00, this is not a necessity of the protocol. RFC 826 (https://tools.ietf.org/html/rfc826) has this to say:

    It does not set ar$tha to anything in particular, because it is this
    value that it is trying to determine. It could set ar$tha to the
    broadcast address for the hardware (all ones in the case of the 10Mbit
    Ethernet) if that makes it convenient for some aspect of the
    implementation.

    The target hardware address is included for completeness and network
    monitoring. It has no meaning in the request form, since it is this
    number that the machine is requesting. Its meaning in the reply form is
    the address of the machine making the request. In some implementations
    (which do not get to look at the 14.byte ethernet header, for example)
    this may save some register shuffling or stack space by sending this
    field to the hardware driver as the hardware destination address of the
    packet.

The Wireshark Wiki on Gratuitous ARP (http://wiki.wireshark.org/Gratuitous_ARP) notes that Solaris sends ARP requests with ar$tha set to ff-ff-ff-ff-ff-ff, which is the only suggested value in the RFC.

In other words, there's no reason Nmap's implementation is "wrong" (and it has certainly been working fine for years!), but this patch will make Nmap conform to the way that currently-popular OSs do things. I've tested it and find no problems, so if there are no objections, I will ask Jay to commit the change.

Dan

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
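The ar$tha field that RFC 826 leaves unspecified is easy to see on the wire. The following is an added example written for this archive page; it is not Nmap's code and not part of the thread. It builds RFC 826 ARP requests with either convention (all-zero ar$tha as Linux and Windows do, all-ones as pre-patch Nmap and Solaris do), parses them back, and tallies which convention each request uses, the kind of check a network monitor would run to spot the fingerprint Jay describes. The MAC and IP addresses are constructed, and the function names (build_arp_request, parse_arp, tha_convention, count_conventions) are this example's own.

```python
"""Build and inspect RFC 826 ARP requests to show the ar$tha field.

Added example for this page; not Nmap code. All addresses are constructed.
"""
import socket
import struct

ETH_P_ARP = 0x0806      # EtherType for ARP
ARPHRD_ETHER = 1        # ar$hrd: 10Mb Ethernet
ETH_P_IP = 0x0800       # ar$pro: IPv4
ARP_REQUEST = 1         # ar$op values
ARP_REPLY = 2

BROADCAST_MAC = b"\xff" * 6   # ar$tha as sent by pre-patch Nmap and Solaris
ZERO_MAC = b"\x00" * 6        # ar$tha as sent by Linux and Windows

ETH_HDR = struct.Struct("!6s6sH")            # dst, src, ethertype (14 bytes)
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # hrd, pro, hln, pln, op, sha, spa, tha, tpa (28 bytes)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str,
                      tha: bytes = ZERO_MAC) -> bytes:
    """Ethernet frame carrying an ARP request for target_ip.

    The Ethernet destination is always broadcast; ar$tha is the field RFC 826
    leaves unspecified and that the patch in this thread changes.
    """
    eth = ETH_HDR.pack(BROADCAST_MAC, mac_bytes(sender_mac), ETH_P_ARP)
    arp = ARP_HDR.pack(ARPHRD_ETHER, ETH_P_IP, 6, 4, ARP_REQUEST,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       tha, socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame; raises ValueError for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short")
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    hrd, pro, hln, pln, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (hrd, pro, hln, pln) != (ARPHRD_ETHER, ETH_P_IP, 6, 4):
        raise ValueError("unsupported hardware/protocol pair")
    return {"op": op, "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


def tha_convention(frame: bytes) -> str:
    """Classify ar$tha of an ARP request as 'zero', 'broadcast' or 'other'.

    RFC 826 permits any value in a request, so a broadcast ar$tha is a
    fingerprint of the sending stack, not a protocol error.
    """
    arp = parse_arp(frame)
    if arp["op"] != ARP_REQUEST:
        return "not-a-request"
    if arp["tha"] == mac_str(ZERO_MAC):
        return "zero"
    if arp["tha"] == mac_str(BROADCAST_MAC):
        return "broadcast"
    return "other"


def count_conventions(frames) -> dict:
    """Tally ar$tha conventions over a capture, skipping non-ARP frames."""
    counts = {}
    for f in frames:
        try:
            key = tha_convention(f)
        except ValueError:
            continue
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic: two requests from an ordinary host and one
# in the pre-patch Nmap style (addresses are made up for the example).
SAMPLE_FRAMES = [
    build_arp_request("02:00:00:00:00:01", "192.0.2.1", "192.0.2.10"),
    build_arp_request("02:00:00:00:00:01", "192.0.2.1", "192.0.2.11"),
    build_arp_request("02:00:00:00:00:99", "192.0.2.99", "192.0.2.10", tha=BROADCAST_MAC),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        a = parse_arp(f)
        print(f"{a['spa']} ({a['sha']}) asks for {a['tpa']}; "
              f"ar$tha={a['tha']} -> {tha_convention(f)}")
    print(count_conventions(SAMPLE_FRAMES))
```

Run it and the third frame is reported as "broadcast" while the other two are "zero", which is exactly the distinction a passive monitor would key on. Note the classifier does not treat either value as malformed: as the RFC excerpt says, the request form of ar$tha has no meaning, so the only thing a non-zero value tells you is which stack built the packet.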
Current thread:
- [Patch] Fixing the MAC address in Nmap's ARP discovery Jay Bosamiya (May 27)
- Re: [Patch] Fixing the MAC address in Nmap's ARP discovery Daniel Miller (May 28)
- Re: [Patch] Fixing the MAC address in Nmap's ARP discovery Jay Bosamiya (May 31)
- Re: [Patch] Fixing the MAC address in Nmap's ARP discovery Daniel Miller (May 28)