Nmap Development mailing list archives
Re: [nse] very strange bug on Leopard - endian problems?
From: Kris Katterjohn <katterjohn () gmail com>
Date: Mon, 31 Mar 2008 13:01:47 -0500
majek04 wrote:
Hi!

While developing os.nse[1] I found a bug, maybe someone can help me with it. This is what I get with a simple debugging patch [2] on Leopard:

$ export NMAPDIR=.; sudo ./nmap -sP scanme.nmap.org 2>&1
Starting Nmap 4.60 ( http://nmap.org ) at 2008-03-31 15:00 CEST
-- sendto in send_ip_packet: sendto(4, packet, 40, 0, 205.217.153.62, 16) --
-- TCP 192.168.1.8:52620 > 205.217.153.62:80 A ttl=47 id=23788 iplen=10240 seq=1523082815 win=4096 ack=494690232
4500 2800 5cec 0000 2f06 061c c0a8 0108  E.(.\.../.......
cdd9 993e cd8c 0050 5ac8 663f 1d7c 5fb8  ...>...PZ.f?.|_.
5010 1000 6af3 0000                      P...j...
<snip>
You see the ip length field? Wtf? 0028 or 2800? Do we have some endian problems?
I have an idea: Apple is screwing with tradition :) Raw sockets with IP_HDRINCL were never really documented, especially wrt byte order. The IP length field was one of the two fields that are traditionally in *host* byte order when sent over the net on BSDs. Since OS X is based on BSD, it should adhere to this (and it appears that they did, since this was never complained about before that I know of). But I guess with Leopard they went along with Linux and want it all sent in network byte order (or nobody complained about the other broken OS X versions..). I don't know why they would want to break raw sockets programs, though.

p. 657 of UNIX Network Programming tells the BSD vs. Linux gist, and you can grep for MACOSX in tcpip.cc to see that Nmap ntohs()'s the IP length field for BSDs and OS X. I guess configure will need to check for Leopard and later versions specifically so this stuff can be taken into account.

I wonder if pcap_get_selectable_fd() will work with Leopard? Maybe that's changed as well (I don't know why it didn't work before, so I can't guess as to why it would now).
Marek Majkowski
Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
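The "0028 or 2800" check the thread does by eye, as an added example that is not code from Nmap or from either poster: it reads the total-length field of the captured header both as a network-order value and with its bytes swapped, compares each with the 40 bytes passed to sendto(), and shows the two ways of filling the field for an IP_HDRINCL raw socket. The function and enum names are assumptions; the packet bytes are transcribed from the hex dump above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of comparing the IPv4 total-length field with the bytes handed to sendto(). */
enum iplen_order { IPLEN_NETWORK = 0, IPLEN_SWAPPED = 1, IPLEN_MISMATCH = 2 };

/* Total-length field read as the wire (network, big-endian) value; hdr is byte 0 of the IPv4 header. */
static uint16_t iplen_wire(const uint8_t *hdr) {
    return (uint16_t)((hdr[2] << 8) | hdr[3]);
}

/* The same two bytes with their order swapped, i.e. a value a little-endian host wrote raw. */
static uint16_t iplen_swapped(const uint8_t *hdr) {
    return (uint16_t)((hdr[3] << 8) | hdr[2]);
}

/* Classify the length field against the byte count sendto() was given:
 * NETWORK  = field is in network order (what Linux, and per the thread Leopard, expect),
 * SWAPPED  = field was written in host order and sent untouched (the "2800" symptom above),
 * MISMATCH = neither reading fits, so something else is wrong with the header. */
static enum iplen_order classify_iplen(const uint8_t *hdr, size_t sent_len) {
    if ((size_t)iplen_wire(hdr) == sent_len) return IPLEN_NETWORK;
    if ((size_t)iplen_swapped(hdr) == sent_len) return IPLEN_SWAPPED;
    return IPLEN_MISMATCH;
}

/* Write the total-length field for an IP_HDRINCL raw socket: host order for a classic
 * BSD stack that converts it itself, network order for a stack that sends the bytes as-is. */
static void set_iplen(uint8_t *hdr, uint16_t len, int host_order) {
    if (host_order) {
        memcpy(&hdr[2], &len, sizeof len);   /* raw host representation */
    } else {
        hdr[2] = (uint8_t)(len >> 8);        /* big-endian, as htons() would produce */
        hdr[3] = (uint8_t)(len & 0xff);
    }
}

/* The 40-byte packet from the Leopard dump in the thread, transcribed from its hex columns. */
static const uint8_t leopard_pkt[40] = {
    0x45,0x00,0x28,0x00,0x5c,0xec,0x00,0x00,0x2f,0x06,0x06,0x1c,0xc0,0xa8,0x01,0x08,
    0xcd,0xd9,0x99,0x3e,0xcd,0x8c,0x00,0x50,0x5a,0xc8,0x66,0x3f,0x1d,0x7c,0x5f,0xb8,
    0x50,0x10,0x10,0x00,0x6a,0xf3,0x00,0x00 };

int main(void) {
    printf("wire=%u swapped=%u sendto=40 -> %d\n", iplen_wire(leopard_pkt),
           iplen_swapped(leopard_pkt), (int)classify_iplen(leopard_pkt, 40));
    return 0;
}
```

For the captured packet the wire reading is 10240 (the iplen Nmap printed) and the swapped reading is 40, so the classifier reports IPLEN_SWAPPED: the header left the host in host byte order.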
Current thread:
- [nse] very strange bug on Leopard - endian problems? majek04 (Mar 31)
- Re: [nse] very strange bug on Leopard - endian problems? Kris Katterjohn (Mar 31)
- Re: [nse] very strange bug on Leopard - endian problems? majek04 (Mar 31)
- Re: [nse] very strange bug on Leopard - endian problems? Kris Katterjohn (Mar 31)
- Re: [nse] very strange bug on Leopard - endian problems? majek04 (Mar 31)
- Re: [nse] very strange bug on Leopard - endian problems? Kris Katterjohn (Mar 31)