Nmap Development mailing list archives
Re: SoC: port state reasons
From: Martin Mačok <martin.macok () underground cz>
Date: Sat, 10 Jun 2006 12:14:01 +0200
On Fri, Jun 09, 2006 at 03:14:14PM -0700, Fyodor wrote:
Also one last question, I am severely limited on what reasons I can get from a connect scan.You should be able to distinguish the RST, SYN/ACK, and no-response cases. You may not be able to distinguish between some of the different ICMP errors so you may have to add an extra reason code for those icmp errors you cannot distinguish.
With Connect scan you can't even distinguish between RST and some ICMP Port Unreachable, see http://Xtrmntr.org/ORBman/tmp/nmap/nmap-3.95-CONNECT-closedfiltered.patch
A reason for the host status (e.g. why was the host considered "up" or "down") should be created too. That would presumably use the same set of codes (though you'd have to add one for ARP). It should support the "from" and "ttl" fields where relevant.
It would be good to not limit it to just those two fields ... IP ID, MSS, Timestamp or something else could be interesting too. What about using p0f for RST packet fingerprinting? Martin Mačok ICT Security Consultant _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Current thread:
- SoC: port state reasons Eddie Bell (Jun 07)
- Re: SoC: port state reasons Arturo 'Buanzo' Busleiman (Jun 07)
- Re: SoC: port state reasons Fyodor (Jun 09)
- Re: SoC: port state reasons Eddie Bell (Jun 10)
- Re: SoC: port state reasons Martin Mačok (Jun 10)
- Re: SoC: port state reasons Eddie Bell (Jun 10)
- Re: SoC: port state reasons Fyodor (Jun 10)
- Re: SoC: port state reasons Eddie Bell (Jun 10)
- Re: SoC: port state reasons Fyodor (Jun 10)
- Re: SoC: port state reasons Eddie Bell (Jun 10)
- Re: SoC: port state reasons Fyodor (Jun 10)
- Re: SoC: port state reasons Fyodor (Jun 10)