Nmap Announce mailing list archives
RE: Updated: ICMP Error Message Quoting Size
From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Mon, 27 Nov 2000 17:31:46 +0200
OK,
Yes, in this case they do. Although it is worth noting that the maximum byte length they quote may differ. For example, Solaris will generally return up to 64 bytes of data (after the IP header) while Foundry switches send back up to 20 and Linux sends more than either of them. Nmap uses a relatively large probe (328 bytes) so it can distinguish between these. With a small probe, it looks like each is sending back the entire packet. I wanted to send an even larger probe, but I didn't want to risk problems or fragmentation on low MTU networks (e.g. many PPP/SLIP connections).
Sun Solaris and HP-UX 11.x will behave the same regarding the limit of the bytes echoed back. It will be 64 bytes as you stated. LINUX has an upper limit as well - 576 bytes as the total ICMP error message length on all ICMP error messages it produces.

Another interesting detail is if you are sending a datagram which is bigger than 576 bytes long and this datagram elicits an ICMP Protocol Unreachable or ICMP Fragment Reassembly Time Exceeded error message, the error message will not pad the mysterious 20 bytes...

Foundry switches will pad 12 bytes with ICMP Port unreachable? what is this? :)

[root@godfather]# hping2 -2 -c 1 y.y.y.y
eth0 default routing interface selected (according to /proc)
HPING y.y.y.y (eth0 y.y.y.y): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from y.y.y.y (y.y.y.y)

--- y.y.y.y hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@godfather]#

12:08:47.793503 eth0 > x.x.x.x.2498 > y.y.y.y.0: udp 0 (ttl 64, id 44437)
    4500 001c ad95 0000 4011 885f xxxx xxxx
    yyyy yyyy 09c2 0000 0008 b13f
12:08:48.240208 eth0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0 unreachable Offending pkt: x.x.x.x.2498 > y.y.y.y.0: udp 0 (ttl 51, id 44437) (ttl 51, id 17453)
    4500 0044 442d 0000 3301 feaf yyyy yyyy
    xxxx xxxx 0303 739c 0000 0000 4500 001c
    ad95 0000 3311 955f xxxx xxxx yyyy yyyy
    09c2 0000 0008 b13f dd2c 2a16 38e1 7646
    7aaa 9d41 dd2c 2a16 38e1 7646 7aaa 9d41

??

Ofir

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
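
An added example, not part of the original post or of Nmap: a Python parser that measures how many bytes an ICMP error quotes after the embedded IP header and how many of them lie beyond the original datagram, run on the Port Unreachable dump above. The masked x.x.x.x / y.y.y.y address fields are filled with constructed addresses (192.0.2.1 and 192.0.2.2), and the function name is hypothetical.

```python
import struct

# The first 0x44 (68) bytes of the ICMP error dumped in the post. The masked
# address fields are filled with constructed values: X = 192.0.2.1 (prober),
# Y = 192.0.2.2 (responder).
X, Y = "c000 0201", "c000 0202"
CAPTURE = bytes.fromhex(" ".join([
    "4500 0044 442d 0000 3301 feaf", Y, X,   # outer IP header, proto 1 (ICMP)
    "0303 739c 0000 0000",                   # ICMP type 3, code 3
    "4500 001c ad95 0000 3311 955f", X, Y,   # quoted IP header, length 0x1c
    "09c2 0000 0008 b13f",                   # quoted UDP header
    "dd2c 2a16 38e1 7646 7aaa 9d41",         # bytes past the original datagram
]))

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def analyze_icmp_error(pkt: bytes) -> dict:
    """Hypothetical helper: measure the quoted data in an IPv4 ICMP error."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        raise ValueError("not an IPv4 packet carrying ICMP")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    icmp = pkt[ihl:total_len]        # drop anything past the IP total length
    if ihl < 20 or len(icmp) < 8 + 20 or icmp[0] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error with a quoted IP header")
    quoted = icmp[8:]                # quoted datagram follows the 8-byte ICMP header
    q_ihl = (quoted[0] & 0x0F) * 4
    q_total = struct.unpack("!H", quoted[2:4])[0]
    if q_ihl < 20 or q_ihl > len(quoted) or q_total < q_ihl:
        raise ValueError("malformed quoted IP header")
    quoted_data = len(quoted) - q_ihl    # bytes echoed after the quoted IP header
    original_data = q_total - q_ihl      # bytes the original datagram carried
    return {
        "icmp_type": icmp[0], "icmp_code": icmp[1],
        "error_total_len": total_len,
        "quoted_after_ip_header": quoted_data,
        "original_after_ip_header": original_data,
        "extra_bytes": max(0, quoted_data - original_data),
        "truncated": quoted_data < original_data,
    }

if __name__ == "__main__":
    print(analyze_icmp_error(CAPTURE))
```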