Nmap Announce mailing list archives

Unexpected ICMP type/code


From: Moses Smith <moses () pentagram nslug ns ca>
Date: Wed, 10 Mar 1999 19:02:33 -0400 (AST)

Is there any way to make nmap give up TCP scanning when it gets an ICMP
host unreach? I apologize if this has been fixed since nmap 2.03; I've
just upgraded to the latest version but the problem is hard to
reproduce.

We run daily nmap scans of our network, which includes a PortMaster 3E and
its (PPP) IPs. When an IP assigned by the PM is no longer in use
(disconnected), the PM replies to any packets sent to that address with
ICMP host unreachables. Maybe once a month, a PPP session disconnects
either while or just before (I'm guessing it's while) nmap scans it. With
both -sS and -sT scans (and possibly the others, I haven't tried them
yet), nmap goes crazy and spews out hundreds of K of error messages to
stderr & stdout:

Unexpected ICMP type/code 3/12 unreachable packet:
Here it is:
3  1  BE 96   0  0  0  0    45 0  0  28   EA F  0  0  
37 6  5A 7C   XX XX XX XX   XX XX XX XX   D7 AA 2  14 
89 4A DB 5E
Unexpected ICMP type/code 3/12 unreachable packet:
Here it is:
3  1  BA B6   0  0  0  0    45 0  0  28   31 B6 0  0  
37 6  12 D6   XX XX XX XX   XX XX XX XX   D7 AA 5  F4 
89 4A DB 5E

(I've X'd out our IP addresses)

The 3/12 errors are followed by 3/23, 3/34, 3/45, 3/56, 3/67, 3/134669124,
3/59, 3/48, 3/37, 3/26, 3/15, 3/4, etc. Last time this happened my stderr
and stdout were going to separate streams so it's hard to match the error
codes with the "Here it is:" report, but if you need it just ask.

This gets logged to our auth server:
Mar  7 17:00:38 pm dialnet: port S3 session disconnected dest XX.XX.XX.XX
Mar  7 17:00:40 pm  9 deny: TCP from YY.YY.YY.YY.55210 to XX.XX.XX.XX.532 seq 894ADB5E, ack 0x0, win 1024, SYN
Mar  7 17:00:40 pm  9 deny: TCP from YY.YY.YY.YY.55210 to XX.XX.XX.XX.1524 seq 894ADB5E, ack 0x0, win 1024, SYN
[snip 8 lines]
Mar  7 17:00:40 pm  9 deny: TCP from YY.YY.YY.YY.55210 to XX.XX.XX.XX.532 seq BB573F8D, ack 0x0, win 1024, SYN
[snip a few thousands...]

nmap then goes on to spew out these messages even for PM hosts that
disconnected before the nmap run started.
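
Added example, not part of the original post and not nmap code: a Python decoder for the first "Here it is:" dump above, read as an 8-byte ICMP header followed by the quoted IPv4 header and the first 8 bytes of the TCP probe that triggered it. The function names are hypothetical, and the redacted XX bytes are treated as zero (an assumption made so the rest of the packet can still be parsed).

```python
import struct

# First dump from the post, as printed; XX marks address bytes the poster redacted.
DUMP = """
3  1  BE 96   0  0  0  0    45 0  0  28   EA F  0  0
37 6  5A 7C   XX XX XX XX   XX XX XX XX   D7 AA 2  14
89 4A DB 5E
"""

# RFC 792 destination-unreachable codes (ICMP type 3); later RFCs define more.
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed and DF set", 5: "source route failed"}


def parse_dump(text):
    """Turn the printed hex tokens into bytes; redacted 'XX' bytes become 0."""
    tokens = text.split()
    redacted = {i for i, t in enumerate(tokens) if t.upper() == "XX"}
    data = bytes(0 if i in redacted else int(t, 16) for i, t in enumerate(tokens))
    return data, redacted


def decode_unreachable(text):
    """Decode ICMP type/code plus the quoted IPv4/TCP fields of the failed probe."""
    data, redacted = parse_dump(text)
    if len(data) < 8 + 20 + 8:
        raise ValueError("need ICMP header + IP header + 8 bytes of payload")
    icmp_type, icmp_code, _cksum = struct.unpack("!BBH", data[:4])
    ip = data[8:]                      # quoted header of the probe that failed
    if ip[0] >> 4 != 4:
        raise ValueError("quoted packet is not IPv4")
    ihl = (ip[0] & 0x0F) * 4           # IP header length in bytes
    if ihl < 20 or len(ip) < ihl + 8:
        raise ValueError("quoted IP header is truncated")
    result = {"type": icmp_type, "code": icmp_code,
              "meaning": UNREACH_CODES.get(icmp_code, "unknown"),
              "ttl": ip[8], "proto": ip[9],
              "addresses_redacted": any(20 <= i < 28 for i in redacted)}
    if ip[9] == 6:                     # TCP: first 8 bytes are ports + sequence
        sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])
        result.update(sport=sport, dport=dport, seq=f"{seq:08X}")
    return result
```

For this dump the decoder returns type 3, code 1 (host unreachable), source port 55210, destination port 532 and sequence 894ADB5E, which lines up with the first "deny" line in the auth-server log quoted above.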


