Nmap Development mailing list archives
Re: nmap option '-f' (fragment) doesn't work on Linux v2.4
From: Philippe Biondi <biondi () cartel-securite fr>
Date: Sat, 17 May 2003 23:04:10 +0200 (CEST)
On Thu, 15 May 2003 milosevic () fastmail fm wrote:
It appears that the "fragment" option doesn't work on Linux v2.4, or at least v2.4.18, which is what I'm running. "tcpdump" reveals that "nmap -sS -f -P0" transmits a single 40 byte SYN packet. On Linux v2.2, the same action produces two fragments of 36 and 24 bytes, as described in the manual. It seems that this is not nmap's fault. Experimentation with raw sockets shows that the kernel attempts to defragment all locally-generated packets. Nothing is transmitted until the final fragment is submitted to the kernel, at which point a single unfragmented packet appears on the wire. Linux v2.2 seems to preserve locally generated fragments regardless of the value of the /proc/sys/net/ipv4/ip_always_defrag switch. In Linux v2.4, this switch doesn't even exist. Is there some way to get around this "feature" of Linux v2.4, so that "nmap -f" can perform its intended function?
It is because of the netfilter conntrack code. If you have compiled it as a module, just remove ip_conntrack and it should work. If you can't do that, you have to use PF_PACKET to bypass the firewalling code. Scapy (http://www.cartel-securite.fr/pbiondi/scapy.html) can do that.

--
Philippe Biondi <biondi@ cartel-securite.fr>
Cartel Sécurité
Security Consultant/R&D
http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94
Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2 FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
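The thread turns on what a defragmenting kernel (or tcpdump on a Linux 2.4 host) sees: a 40-byte SYN that nmap -f splits into 36- and 24-byte fragments comes back out as one 40-byte packet once something reassembles it. The following is an added example, not code from the thread or from nmap or Scapy: a stdlib-only Python model of IPv4 fragmentation and reassembly that builds a constructed 40-byte TCP SYN (sample addresses 192.0.2.10 and 198.51.100.20, sample ports, TCP checksum left at zero since the point is the IP layer), splits it the way the post describes, parses each fragment's MF flag and offset, and reassembles them. The same parse/reassemble logic is what a reassembling IDS or conntrack applies to traffic it observes, which is why fragmented scans look unfragmented after such a hop.

```python
"""IPv4 fragmentation and reassembly, pure stdlib (added example).

Models the observation in the thread: a 40-byte TCP SYN becomes two
fragments of 36 and 24 bytes on the wire, and a reassembling host
(the Linux 2.4 conntrack defragmenter, or any IDS that reassembles)
sees one 40-byte packet again. All addresses/ports are constructed.
"""
import socket
import struct

IP_MF = 0x1  # More Fragments flag (bit 13 of the flags/fragment-offset field)
IP_HDR_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, src: str, dst: str, proto: int = 6,
               ident: int = 0x1234, flags: int = 0, frag_off: int = 0) -> bytes:
    """Return a 20-byte IPv4 header (checksum filled in) plus payload.
    frag_off is in 8-byte units, as on the wire."""
    ff = (flags << 13) | (frag_off & 0x1FFF)
    hdr = struct.pack(IP_HDR_FMT, 0x45, 0, 20 + len(payload), ident, ff,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp_syn(sport: int, dport: int, seq: int = 0) -> bytes:
    """Minimal 20-byte TCP header with only SYN set (checksum left 0 on purpose)."""
    data_off_flags = (5 << 12) | 0x02  # data offset 5 words, SYN flag
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, data_off_flags, 1024, 0, 0)


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields a defragmenter cares about from one IPv4 datagram."""
    ver_ihl, _tos, total_len, ident, ff, _ttl, proto, _csum, src, dst = \
        struct.unpack(IP_HDR_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "total_len": total_len, "id": ident, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "mf": bool((ff >> 13) & 1), "df": bool((ff >> 14) & 1),
        "frag_off": (ff & 0x1FFF) * 8,          # converted to bytes
        "payload": packet[ihl:total_len],
        # summing a header that includes its own checksum yields 0 when valid
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }


def is_fragment(packet: bytes) -> bool:
    p = parse_ipv4(packet)
    return p["mf"] or p["frag_off"] > 0


def fragment(packet: bytes, chunk: int) -> list:
    """Split an IPv4 packet so each fragment carries at most `chunk` payload
    bytes; `chunk` must be a multiple of 8 because offsets are in 8-byte units."""
    assert chunk % 8 == 0
    p = parse_ipv4(packet)
    payload, frags, off = p["payload"], [], 0
    while off < len(payload):
        piece = payload[off:off + chunk]
        more = off + len(piece) < len(payload)
        frags.append(build_ipv4(piece, p["src"], p["dst"], p["proto"], p["id"],
                                flags=IP_MF if more else 0, frag_off=off // 8))
        off += len(piece)
    return frags


def reassemble(fragments: list) -> bytes:
    """Rebuild one datagram from fragments sharing (src, dst, id, proto).
    Returns b"" when the set is incomplete (gap, overlap, or no final fragment)."""
    parsed = sorted((parse_ipv4(f) for f in fragments), key=lambda p: p["frag_off"])
    if not parsed:
        return b""
    if len({(p["src"], p["dst"], p["id"], p["proto"]) for p in parsed}) != 1:
        raise ValueError("fragments belong to different datagrams")
    data = b""
    for p in parsed:
        if p["frag_off"] != len(data):   # hole or overlapping fragment
            return b""
        data += p["payload"]
    if parsed[-1]["mf"]:                 # still waiting for the last piece
        return b""
    first = parsed[0]
    return build_ipv4(data, first["src"], first["dst"], first["proto"], first["id"])


def demo() -> dict:
    """Reproduce the 40 -> 36 + 24 -> 40 byte sequence from the thread."""
    syn = build_ipv4(build_tcp_syn(40000, 80), "192.0.2.10", "198.51.100.20")
    frags = fragment(syn, 16)   # 16-byte first chunk gives 36- and 24-byte fragments
    return {
        "syn_len": len(syn),
        "frag_lens": [len(f) for f in frags],
        "frag_info": [(parse_ipv4(f)["frag_off"], parse_ipv4(f)["mf"]) for f in frags],
        "reassembled_ok": reassemble(frags) == syn,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two fragments at offsets 0 (MF set) and 16 (MF clear) and confirms that reassembly returns the original datagram byte for byte; feeding `reassemble()` only the first fragment returns an empty result, which is the state the poster's 2.4 kernel sits in until the final fragment arrives and the whole packet is emitted at once.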