Nmap Development mailing list archives

nmap dying mid-scan... at my wit's end here


From: John Caldwell <trigeek () gmail com>
Date: Tue, 23 Aug 2005 09:56:48 -0700

I've been trying to debug some strange behavior with nmap for the last
couple days without any luck.  Nmap gets about 75% of the way through
the scan and exits.  It doesn't give any specific error code, it
just... dies.  It consistently dies at about 189 seconds worth of
runtime, and always after scanning about 42,000 of 65,000 ports. 
Resource usage is not that high. Right before it died nmap was using
approx. 20mb of memory.  It is being run as root, and all the ulimits
are set pretty high or unlimited.

We use nmap with nessus, and this only happens when nmap is run from
nessus.  It does not happen consistently- only with certain hosts. 
When run by itself, it finishes normally.  I can't find anything in
nessus that would cause it to kill a process it has forked- and from
the GDB trace, it looks as though nmap is killing itself.  It's always
at the same point, too- line 508 in scan_engine.cc, which is

IP = new IPProbe;



Here's the particulars:

-oG output:
-----------------------------------
# nmap 3.81 scan initiated Mon Aug 22 19:03:33 2005 as:
/usr/local/bin/nmap -n -P0 -oG /tmp/nmap.out -sS -O -p 1-65535 -T Insane -v -v -v xxx.xxx.xxx.xxx
-----------------------------------


stdout:
-----------------------------------
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-22 19:04 PDT
Initiating SYN Stealth Scan against xxx.xxx.xxx.xxx [65535 ports] at 19:04
Discovered open port 25/tcp on xxx.xxx.xxx.xxx
Discovered open port 53/tcp on xxx.xxx.xxx.xxx
Discovered open port 80/tcp on xxx.xxx.xxx.xxx
Discovered open port 110/tcp on xxx.xxx.xxx.xxx
Discovered open port 143/tcp on xxx.xxx.xxx.xxx
SYN Stealth Scan Timing: About 2.53% done; ETC: 19:24 (0:19:18 remaining)
SYN Stealth Scan Timing: About 10.14% done; ETC: 19:14 (0:08:52 remaining)
Discovered open port 8383/tcp on xxx.xxx.xxx.xxx
Discovered open port 8384/tcp on xxx.xxx.xxx.xxx
SYN Stealth Scan Timing: About 22.80% done; ETC: 19:11 (0:05:04 remaining)
-----------------------------------
At this point nmap exited with a return code of 0.


I attached GDB to nmap as it was running, and got this backtrace:
-----------------------------------
#0  0xffffe002 in ?? ()
#1  0x42028a12 in abort () from /lib/tls/libc.so.6
#2  0x400a7b57 in __cxa_call_unexpected () from /usr/lib/libstdc++.so.5
#3  0x400a7ba4 in std::terminate() () from /usr/lib/libstdc++.so.5
#4  0x400a7d16 in __cxa_throw () from /usr/lib/libstdc++.so.5
#5  0x400a7f02 in operator new(unsigned) () from /usr/lib/libstdc++.so.5
#6  0x080619b0 in UltraProbe::setIP(unsigned char*, unsigned) (this=0xbfffaea8, ippacket=0x9183fb8 "E", iplen=40) at scan_engine.cc:508
#7  0x08064c99 in sendIPScanProbe (USI=0x8ba1c20, hss=0x8ba56b0, destport=42287, tryno=1 '\001', pingseq=0 '\0') at scan_engine.cc:1742
#8  0x08065437 in retransmitProbe (USI=0x8ba1c20, hss=0x8ba56b0, probe=0x91837b8) at scan_engine.cc:1895
#9  0x080655d8 in doAnyRetransmits (USI=0x8ba1c20) at scan_engine.cc:1950
#10 0x08067599 in ultra_scan(std::vector<Target*, std::allocator<Target*> >&, scan_lists*, stype) (Targets=@0xbfffc620, ports=0x80c9700, scantype=SYN_SCAN) at scan_engine.cc:2850
#11 0x0804d7ac in nmap_main(int, char**) (argc=13, argv=0xbffff9e4) at nmap.cc:1110
#12 0x0804a9ec in main (argc=13, argv=0xbffff9e4, envp=0xbffffa1c) at main.cc:244
#13 0x42015504 in __libc_start_main () from /lib/tls/libc.so.6
-----------------------------------


Anybody have any ideas?

-- 
John Caldwell
trigeek () gmail com


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
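
Frames #1 to #6 of the backtrace in the message above read, bottom up, as `new` in `UltraProbe::setIP` -> `operator new` -> `__cxa_throw` -> `std::terminate` -> `abort`, which is what an unhandled `std::bad_alloc` looks like. The following is an added example (not code from the post, from Nmap or from Nessus) that reproduces that chain in a child process which inherits a small address-space limit from its parent, and shows the same allocation failing cleanly when a handler is present. That a parent imposes such a limit is an assumption made for the demonstration; `Probe`, `run_child` and the 32 MiB cap are constructed.

```cpp
// Added example: constructed names and values, not Nmap or Nessus code.
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#include <csignal>
#include <cstdio>
#include <new>

struct Probe { unsigned char bytes[1 << 20]; };  // 1 MiB stand-in for the object made by `new`
static Probe* volatile sink;  // storing each pointer keeps the allocations from being elided
enum Outcome { FINISHED, REPORTED_OOM, ABORTED, OTHER };

// No handler on the path, as in the backtrace: a failed `new` throws
// std::bad_alloc, std::terminate() runs, and the process abort()s.
static void allocate_unhandled(int n) noexcept {
    for (int i = 0; i < n; ++i) sink = new Probe;
}

// Same allocations, but the failure is caught and reported to the caller.
static bool allocate_handled(int n) {
    try { for (int i = 0; i < n; ++i) sink = new Probe; }
    catch (const std::bad_alloc&) { return false; }
    return true;
}

// Fork a child, optionally cap its address space (cap_bytes == 0: no cap),
// try to allocate 64 MiB in it, and classify how the child ended.
Outcome run_child(rlim_t cap_bytes, bool handle) {
    pid_t pid = fork();
    if (pid < 0) return OTHER;
    if (pid == 0) {
        struct rlimit none = {0, 0}, cap = {cap_bytes, cap_bytes};
        setrlimit(RLIMIT_CORE, &none);  // no core file from the abort
        if (cap_bytes != 0 && setrlimit(RLIMIT_AS, &cap) != 0) _exit(2);
        if (handle) _exit(allocate_handled(64) ? 0 : 3);
        allocate_unhandled(64);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return OTHER;
    if (WIFSIGNALED(status)) return WTERMSIG(status) == SIGABRT ? ABORTED : OTHER;
    if (!WIFEXITED(status)) return OTHER;
    if (WEXITSTATUS(status) == 0) return FINISHED;
    return WEXITSTATUS(status) == 3 ? REPORTED_OOM : OTHER;
}

int main() {  // outcome codes follow enum Outcome
    std::printf("%d %d %d\n", (int)run_child(0, false),
                (int)run_child(32u << 20, true), (int)run_child(32u << 20, false));
}
```

Resource limits are inherited across fork and exec, so on Linux the limits a scanner child is actually running under can be read from `/proc/<pid>/limits` and compared with those of an interactive shell.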