Nmap Development mailing list archives
RE: nmap 3.30 on win32 sending naughty packets to Defense Intelligence Agency
From: "Tom H" <tom () scriptsupport co uk>
Date: Fri, 1 Aug 2003 02:20:23 +0100
Hi, I was watching an ethereal trace of the win32 command line nmap v3.30, while I was scanning a local network for open rpc ports using the following command C:\>nmap -v -p 135 10.0.0.1/24 and noticed that during the scan, nmap sends 2 packets with a destination address of 11.0.0.3, and that these packets are echo replies. The first is sent almost immediately
after some more messing about, these packets only seem to be created when scanning (syn/tcp/ping) my own ip address with nmap, 10.0.0.3, but are not created when someone else pings/scans my ip address. the packets are also coming from the ntoskrnl, but the winpcap driver has a Netgroup Packet Filter which is the kernel portion of the winpcap, and this might be what is responsible for those packets. thought there does seem to be a separate application called "NPF Driver - TME extensions" which I previously assumed was winpcap. I tried changing my ip to a static one, 10.0.0.179, and when I scanned my own ip address again, there were packets sent to 11.0.0.179. this confirmed my earlier suspicion that this was more like to be an off by 1 bug in the code somewhere rather than something bad going on with nmap/winpcap or my computer. T. --------------------------------------------------------------------- For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
Current thread:
- nmap 3.30 on win32 sending naughty packets to Defense Intelligence Agency Tom H (Jul 30)
- RE: nmap 3.30 on win32 sending naughty packets to Defense Intelligence Agency Tom H (Jul 31)