Nmap Development mailing list archives

Re: Re[2]: Re[2]: Nmap 6.47 works incorrectly in Solaris 10


From: Luong Nguyen <lucasart1989 () gmail com>
Date: Fri, 22 May 2015 20:20:17 +0700

Dan,

I ran the snoop command first, then ran the nmap command.
I am resending the pcap as you requested.

bash-3.2# ./nmap -sn -n -d 192.168.89.10 --packet-trace

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-22 20:15 EDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating ARP Ping Scan at 20:15
Scanning 192.168.89.10 [1 port]
Packet capture filter (device bge0): arp and arp[18:4] = 0x00000100 and
arp[22:2] = 0x0843
SENT (0.0391s) ARP who-has 192.168.89.10 tell 192.168.89.34
SENT (0.2392s) ARP who-has 192.168.89.10 tell 192.168.89.34
Completed ARP Ping Scan at 20:15, 0.42s elapsed (1 total hosts)
Overall sending rates: 4.80 packets / s, 201.74 bytes / s.
Nmap scan report for 192.168.89.10 [host down, received no-response]
Read from .: nmap-payloads.
Note: Host seems down. If it is really up, but blocking our ping probes,
try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.45 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)

Regards,
Luong

2015-05-22 19:20 GMT+07:00 Daniel Miller <bonsaiviking () gmail com>:

Luong,

Thanks, I got the file. Unfortunately, I don't see any traffic from your
scanner's IP or MAC or the target's IP or MAC. Was the snoop running at the
same time that you scanned? If you try again, please add the --packet-trace
option to your Nmap command for more debugging detail.

Dan

On Thu, May 21, 2015 at 9:40 PM, Luong Nguyen <lucasart1989 () gmail com>
wrote:

Hi Dan,

Please see the attached file.



2015-05-21 22:17 GMT-04:00 Daniel Miller <bonsaiviking () gmail com>:

Luong,

I think the equivalent snoop command would be like this:

snoop -r -d bge0 -o solaris-arp-bug.pcap arp

You'll have to run this in the background or in another terminal while
you run Nmap, obviously.

Please CC the dev () nmap org list in your replies so that other users can
find this thread if they have the same problem, or so other devs can help
if I am unavailable.

Dan


On Thu, May 21, 2015 at 8:45 PM, Luong Nguyen <lucasart1989 () gmail com>
wrote:

Dan,

I cannot find tcpdump on solaris, could you share the snoop command?
Thanks,



Thursday, May 21, 2015, 23:55 +0700 from Daniel Miller <
bonsaiviking () gmail com>:

Luong,

Thanks, that's really useful information! I wonder if there's a routing
problem for some reason, or if Nmap is picking the wrong interface? You can
check this by doing:

nmap --route-dst 192.168.89.10

If this gives something you don't expect (like using the wrong
interface or source address), then please send that and the output of

nmap --iflist

along with what you think is wrong with the output.

Otherwise, there may be a problem with how we are capturing the ARP
replies. Is there any way you can include a pcap of just the ARP traffic
sent and received during a scan of one of the problem targets? This is how
I would expect to do it, but you may need to change your commands based on
what's available:

tcpdump -n -i bge0 -w solaris-arp-bug.pcap -- arp &
nmap -sn -n -d 192.168.89.10

Thanks!
Dan

On Thu, May 21, 2015 at 9:10 AM, Luong Nguyen <lucasart1989 () gmail com>
wrote:

Hi Dan,
Nmap on Solaris can only detect Solaris hosts, including both SPARC and
x86.
All hosts are on the same subnet, including: the nmap tool, VMware machines,
PCs, router, L2/L3 switch...

I can ssh, ping and manage many hosts from the Solaris machine.

Good news for you. I used the --send-ip option in the nmap command and it
works correctly, but I am confused that the behavior of nmap on Solaris is
different from the Linux and Windows platforms. I do not need to add the
--send-ip option.

Kind regards,
Luong Nguyen



Thursday, May 21, 2015, 20:33 +0700 from Daniel Miller <
bonsaiviking () gmail com>:

Luong,

Sorry about the long silence. I've filed this as a bug report on our
tracker: http://issues.nmap.org/124

One thing I notice about the output you gave me: The hosts that Solaris
*is* able to detect all have Oracle or VMware OUIs (MAC address vendor),
whereas the Linux scanner sees hosts with Cisco, HP, Dell, etc. Are these
targets Solaris machines, too? If so, are any Solaris machines missed by
the Solaris scanner?

Apart from Nmap, are you able to contact (ping, ssh, or anything) the
missed hosts from the Solaris machine?

Thanks for any further details you can add.

Dan

On Thu, Apr 2, 2015 at 9:38 PM, Luong Nguyen <lucasart1989 () gmail com>
wrote:

1. Output of nmap --version
bash-3.2# ./nmap -v

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-02 21:57 EDT
Read data files from: .
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.19 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)


2. Output of your command with -d
Attached file

3. Can nmap find the missing hosts if scanning them individually? Like
if 192.168.89.10 is shown in the Linux scan, on Solaris do: nmap -sn -d
192.168.89.10
Attached file

4. Is there anything special or unique about your system or network?
Are you running as root, or in a zone, or on a VM?
I run all commands as the root user.
SunOS qipsun34 5.10 Generic_147147-26 sun4u sparc SUNW,Sun-Fire-V210
All hosts are connected to a switch, no firewall.

5. Does the problem persist with the latest development tree in
subversion? svn co https://svn.nmap.org/nmap
Yes

Thanks,
Luong Nguyen

2015-04-02 15:28 GMT-04:00 Daniel Miller <bonsaiviking () gmail com>:

Luong,

Thanks for bringing this up. We have several fixes in our development
source tree for issues on Solaris, but none with the symptom you described.
Can you provide some more information so we can debug?

1. Output of nmap --version

2. Output of your command with -d

3. Can nmap find the missing hosts if scanning them individually? Like
if 192.168.89.10 is shown in the Linux scan, on Solaris do: nmap -sn -d
192.168.89.10

4. Is there anything special or unique about your system or network?
Are you running as root, or in a zone, or on a VM?

5. Does the problem persist with the latest development tree in
subversion? svn co https://svn.nmap.org/nmap

Thanks,
Dan

On Thu, Apr 2, 2015 at 12:10 PM, Luong Nguyen <lucasart1989 () gmail com>
wrote:

Hi Dev,

I am using Nmap 6.47 for testing on Solaris 10.
Run command: nmap -sP 192.168.89.0/24
But it only detects 4 hosts up on my subnet.
On Linux, nmap detects 60 hosts up on the same subnet.

Could you please help to check this issue?

Thanks,
Luong Nguyen.

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/









Attachment: solaris-arp-bug.pcap
Description:
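
The "Packet capture filter" line in the --packet-trace output at the top of this message compares bytes 18 to 23 of the ARP header, which in an Ethernet/IPv4 ARP packet is the target hardware address field. The following Python is an added example, not part of the original thread or of Nmap's code: it decodes that filter into the MAC address a reply must be addressed to and applies it to two constructed ARP replies. The function names and the sample MAC addresses 02:00:00:aa:bb:cc and 02:00:00:11:22:33 are assumptions made for illustration.

```python
import re
import struct

# Filter string copied from the --packet-trace output in this thread.
FILTER = "arp and arp[18:4] = 0x00000100 and arp[22:2] = 0x0843"
THA_OFFSET = 18  # target hardware address: bytes 18..23 of an Ethernet/IPv4 ARP header


def parse_filter(expr):
    """Extract the (offset, size, value) byte comparisons from the filter."""
    terms = re.findall(r"arp\[(\d+):(\d+)\]\s*=\s*0x([0-9a-fA-F]+)", expr)
    return [(int(off), int(size), int(val, 16)) for off, size, val in terms]


def expected_target_mac(expr):
    """Rebuild the target MAC a reply must carry to pass the filter."""
    tha = bytearray(6)
    for off, size, val in parse_filter(expr):
        start = off - THA_OFFSET
        tha[start:start + size] = val.to_bytes(size, "big")
    return ":".join(f"{b:02x}" for b in tha)


def build_arp(oper, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP header (no Ethernet framing)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       mac(sha), ip(spa), mac(tha), ip(tpa))


def matches(expr, arp):
    """True if every byte comparison in the filter holds for this ARP header."""
    return all(int.from_bytes(arp[off:off + size], "big") == val
               for off, size, val in parse_filter(expr))


# Constructed replies from 192.168.89.10; the sender MAC is a made-up value.
REPLY_TO_FILTER_MAC = build_arp(2, "02:00:00:aa:bb:cc", "192.168.89.10",
                                expected_target_mac(FILTER), "192.168.89.34")
REPLY_TO_OTHER_MAC = build_arp(2, "02:00:00:aa:bb:cc", "192.168.89.10",
                               "02:00:00:11:22:33", "192.168.89.34")

if __name__ == "__main__":
    print("filter expects target MAC:", expected_target_mac(FILTER))
    print("reply addressed to that MAC passes:", matches(FILTER, REPLY_TO_FILTER_MAC))
    print("reply addressed to another MAC passes:", matches(FILTER, REPLY_TO_OTHER_MAC))
```

The decoded address can be compared with the MAC that `nmap --iflist` reports for the scanning interface; a reply addressed to any other MAC is dropped by the filter before Nmap sees it.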
