Nmap Announce mailing list archives

RE: Updated: ICMP Error Message Quoting Size


From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Mon, 27 Nov 2000 17:31:46 +0200

OK,

Yes, in this case they do.  Although it is worth noting that the maximum
bytelength they quote may differ.  For example, Solaris will generally
return up to 64 bytes of data (after the IP header) while Foundry switches
send back up to 20 and Linux sends more than either of them.  Nmap uses a
relatively large probe (328 bytes) so it can distinguish between these.
With a small probe, it looks like each is sending back the entire
packet.  I wanted to send an even larger probe, but I didn't want to risk
problems or fragmentation on low MTU networks (eg many PPP/SLIP
connections).

Sun Solaris and HPUX 11.x will behave the same regarding the limit of the
bytes echoed back.
It will be 64 bytes as you stated.

LINUX has an upper limit as well - 576 bytes as the total ICMP error message
length on all ICMP error messages it produces.

Another interesting detail is if you are sending a datagram which is bigger
than 576 bytes long and this datagram elicits an ICMP Protocol Unreachable or
ICMP Fragment Reassembly Time Exceeded error message, the error message
will not pad the mysterious 20 bytes...


Foundry switches will pad 12 bytes with ICMP Port unreachable? What is this? :)

[root@godfather]# hping2 -2 -c 1 y.y.y.y
eth0 default routing interface selected (according to /proc)
HPING y.y.y.y (eth0 y.y.y.y): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from y.y.y.y (y.y.y.y)

--- y.y.y.y hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@godfather]#


12:08:47.793503 eth0 > x.x.x.x.2498 > y.y.y.y.0: udp 0 (ttl 64, id 44437)
                         4500 001c ad95 0000 4011 885f xxxx xxxx
                         yyyy yyyy 09c2 0000 0008 b13f
12:08:48.240208 eth0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0
unreachable Offending pkt: x.x.x.x.2498 > y.y.y.y.0: udp 0 (ttl 51, id
44437) (ttl 51, id 17453)
                         4500 0044 442d 0000 3301 feaf yyyy yyyy
                         xxxx xxxx 0303 739c 0000 0000 4500 001c
                         ad95 0000 3311 955f xxxx xxxx yyyy yyyy
                         09c2 0000 0008 b13f dd2c 2a16 38e1 7646
                         7aaa 9d41

dd2c 2a16 38e1 7646 7aaa 9d41 ??

Ofir
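
Added example, not part of the original message: a small Python parser that splits an IPv4 ICMP error message into the quoted datagram and any bytes that follow it, run on the ICMP Port Unreachable from the tcpdump output above. The masked x.x.x.x and y.y.y.y addresses are replaced with constructed placeholders (192.0.2.1 and 198.51.100.2), checksums are not verified, and the function and field names are this example's own.

```python
import struct

ICMP_ERROR_TYPES = (3, 4, 5, 11, 12)   # unreachable, quench, redirect, time exceeded, param problem

# Bytes from the capture above; addresses are constructed placeholders.
SAMPLE = bytes.fromhex("""
    4500 0044 442d 0000 3301 feaf c633 6402
    c000 0201 0303 739c 0000 0000 4500 001c
    ad95 0000 3311 955f c000 0201 c633 6402
    09c2 0000 0008 b13f dd2c 2a16 38e1 7646
    7aaa 9d41
""")

def analyze_icmp_error(packet: bytes) -> dict:
    """Measure how much of the offending datagram an ICMP error quotes."""
    outer_ihl = (packet[0] & 0x0F) * 4
    outer_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1:
        raise ValueError("outer protocol is not ICMP")
    icmp = packet[outer_ihl:outer_len]
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error message")
    quoted = icmp[8:]                       # everything after the 8-byte ICMP header
    if len(quoted) < 20:
        raise ValueError("quoted IP header is truncated")
    inner_ihl = (quoted[0] & 0x0F) * 4
    # Assumption: the quoted total-length field is echoed unmodified.
    inner_len = struct.unpack("!H", quoted[2:4])[0]
    return {
        "icmp_type": icmp[0],
        "icmp_code": icmp[1],
        "icmp_message_len": len(icmp),
        "original_len": inner_len,
        # Data quoted beyond the offending IP header (the per-OS limit discussed above).
        "quoted_after_ip_header": min(len(quoted), inner_len) - inner_ihl,
        "truncated": len(quoted) < inner_len,
        # Bytes present after the end of the original datagram (the padding in question).
        "surplus": quoted[inner_len:],
    }

if __name__ == "__main__":
    r = analyze_icmp_error(SAMPLE)
    print("type/code:", r["icmp_type"], r["icmp_code"])
    print("quoted after IP header:", r["quoted_after_ip_header"], "bytes")
    print("surplus:", len(r["surplus"]), "bytes", r["surplus"].hex())
```
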


