Nmap Development mailing list archives
ip proto 0xff in syn pckts on ADSL connection
From: jfhorn <jfhorn () gmail com>
Date: Tue, 4 Nov 2008 11:01:55 -0500
I'm looking for some insight into an issue (a bug, possibly with nmap) involving the most recent nmap (4.76), Windows (XP SP2), WinPcap (4.02), and a modem/dial-up adapter.

PROBLEM: When attempting a TCP connect scan (-sT) to port 80 on www.google.com over dial-up, the system emits packets correctly, *but* when attempting to SYN scan (-sS) port 80 on www.google.com, the system emits packets with the IP protocol type set to 0xFF. Running the same scans with "--packet-trace" indicates nmap intends to send TCP packets with the SYN (S) flag set, but again, Wireshark shows the protocol type set to "0xFF" rather than "0x06" and the scan fails.

------------------------
nmap-4.76>nmap -sS --packet-trace -P0 -p 80 www.google.com
...
SENT (0.4070s) TCP 209.163.118.135:51562 > 208.67.217.230:80 S ttl=41 id=27446 iplen=44 seq=3476152143 win=2048 <mss 1460>
SENT (1.4220s) TCP 209.163.118.135:51563 > 208.67.217.230:80 S ttl=49 id=31325 iplen=44 seq=3476086606 win=2048 <mss 1460>
Interesting ports on google.navigation.opendns.com (208.67.217.230):
PORT   STATE    SERVICE
80/tcp filtered http
------------------------

If I scan my internal network using the ethernet adapter built into the same machine, SYN and connect scans execute as expected, indicating this bug may involve an interaction with the dial-up adapter like the reported ADSL modem issue referenced below.

I already understand the connect scan uses the operating system's connect call instead of manually crafting SYN packets, but how do we chase-down the bug in SYN packet generation?

It seems as if others have reported this issue in the past (2007), but no resolution has ever been posted or proposed, and the ultimate source of the bug (Windows vs. nmap vs. WinPcap vs ?) has never been investigated.

I can provide the pcap of these sessions if anyone needs to verify my analysis, but I'm pretty sure the capture won't point-out the source of this bug.

Thanks!
-------------------------------------------------
Related (unanswered) nmap-dev postings:
-------------------------------------------------
http://seclists.org/nmap-dev/2007/q2/0347.html
Subject: nmap bug? - ip proto 0xff in syn pckts on ADSL connection
From: google <stanilewicz_at_gmail.com>
Date: Tue, 5 Jun 2007 11:28:37 +0200

I'm running XP SP1 machine (build 2600), and my connection is through ADSL SpeedTouch 330 modem (latest drivers). I used also cFosSpeed driver and wipfw firewall, but after uninstallation the problem remained the same. I also tried to downgrade winpcap from 4.0 to 3.1.

Nmap sends packets with 0xff as IP protocol (offset 0x17 in the whole packet), when it checks hosts for being up, AND when it scans with SYN scan (by default). So I have to use ALWAYS -sT -P0 options, then nmap works.

BUT.... on THE SAME MACHINE, I have also Ethernet card, and when I connect through it, NMAP works correctly, and packets are formed OK.

-------------------------------------------------
Similar bug report here from 11 December 2006:
http://www.nabble.com/Nmap-4.20-bug-td7801465.html
-------------------------------------------------

-------------------------------------------------
ADDITIONAL SCAN INFORMATION AND OUTPUT
-------------------------------------------------

C:\Documents and Settings\client2\Desktop\nmap-4.76>nmap -V
Nmap version 4.76 ( http://nmap.org )

C:\Documents and Settings\client2\Desktop\nmap-4.76>nmap -sS -P0 -p 80 www.google.com
Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-04 14:14 GMT Standard Time
Warning: Hostname www.google.com resolves to 2 IPs. Using 208.67.217.231.
Interesting ports on google.navigation.opendns.com (208.67.217.231):
PORT   STATE    SERVICE
80/tcp filtered http
Nmap done: 1 IP address (1 host up) scanned in 6.08 seconds

C:\Documents and Settings\client2\Desktop\nmap-4.76>nmap -sT -P0 -p 80 www.google.com
Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-04 14:14 GMT Standard Time
Warning: Hostname www.google.com resolves to 2 IPs. Using 208.67.217.231.
Interesting ports on google.navigation.opendns.com (208.67.217.231):
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds

C:\Documents and Settings\client2\Desktop\nmap-4.76>nmap -sS --packet-trace -P0 -p 80 www.google.com
Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-04 14:15 GMT Standard Time
Warning: Hostname www.google.com resolves to 2 IPs. Using 208.67.217.230.
NSOCK (0.2190s) msevent_new (IOD #1) (EID #8)
NSOCK (0.2190s) UDP connection requested to 209.163.108.67:53 (IOD #1) EID 8
NSOCK (0.2190s) msevent_new (IOD #1) (EID #18)
NSOCK (0.2190s) Read request from IOD #1 [209.163.108.67:53] (timeout: -1ms) EID 18
NSOCK (0.2190s) msevent_new (IOD #2) (EID #24)
NSOCK (0.2190s) UDP connection requested to 209.163.108.78:53 (IOD #2) EID 24
NSOCK (0.2190s) msevent_new (IOD #2) (EID #34)
NSOCK (0.2190s) Read request from IOD #2 [209.163.108.78:53] (timeout: -1ms) EID 34
NSOCK (0.2350s) msevent_new (IOD #3) (EID #40)
NSOCK (0.2350s) UDP connection requested to 208.67.220.220:53 (IOD #3) EID 40
NSOCK (0.2350s) msevent_new (IOD #3) (EID #50)
NSOCK (0.2350s) Read request from IOD #3 [208.67.220.220:53] (timeout: -1ms) EID 50
NSOCK (0.2350s) msevent_new (IOD #4) (EID #56)
NSOCK (0.2350s) UDP connection requested to 208.67.222.222:53 (IOD #4) EID 56
NSOCK (0.2350s) msevent_new (IOD #4) (EID #66)
NSOCK (0.2350s) Read request from IOD #4 [208.67.222.222:53] (timeout: -1ms) EID 66
NSOCK (0.2350s) msevent_new (IOD #5) (EID #72)
NSOCK (0.2350s) UDP connection requested to 192.168.200.12:53 (IOD #5) EID 72
NSOCK (0.2350s) msevent_new (IOD #5) (EID #82)
NSOCK (0.2350s) Read request from IOD #5 [192.168.200.12:53] (timeout: -1ms) EID 82
NSOCK (0.2350s) msevent_new (IOD #1) (EID #91)
NSOCK (0.2350s) Write request for 45 bytes to IOD #1 EID 91 [209.163.108.67:53]: .............230.217.67.208.in-addr.arpa.....
NSOCK (0.2350s) nsock_loop() started (timeout=500ms). 11 events pending
NSOCK (0.2350s) wait_for_events
NSOCK (0.2350s) Callback: CONNECT SUCCESS for EID 72 [192.168.200.12:53]
NSOCK (0.2350s) msevent_delete (IOD #5) (EID #72)
NSOCK (0.2350s) Callback: CONNECT SUCCESS for EID 56 [208.67.222.222:53]
NSOCK (0.2350s) msevent_delete (IOD #4) (EID #56)
NSOCK (0.2350s) Callback: CONNECT SUCCESS for EID 40 [208.67.220.220:53]
NSOCK (0.2350s) msevent_delete (IOD #3) (EID #40)
NSOCK (0.2350s) Callback: CONNECT SUCCESS for EID 24 [209.163.108.78:53]
NSOCK (0.2350s) msevent_delete (IOD #2) (EID #24)
NSOCK (0.2350s) Callback: CONNECT SUCCESS for EID 8 [209.163.108.67:53]
NSOCK (0.2350s) msevent_delete (IOD #1) (EID #8)
NSOCK (0.2350s) Callback: WRITE SUCCESS for EID 91 [209.163.108.67:53]
NSOCK (0.2350s) msevent_delete (IOD #1) (EID #91)
NSOCK (0.2350s) wait_for_events
NSOCK (0.3600s) Callback: READ SUCCESS for EID 18 [209.163.108.67:53] (148 bytes)
NSOCK (0.3600s) msevent_new (IOD #1) (EID #98)
NSOCK (0.3600s) Read request from IOD #1 [209.163.108.67:53] (timeout: -1ms) EID 98
NSOCK (0.3600s) msevent_delete (IOD #1) (EID #98)
NSOCK (0.3600s) msevent_delete (IOD #2) (EID #34)
NSOCK (0.3600s) msevent_delete (IOD #3) (EID #50)
NSOCK (0.3600s) msevent_delete (IOD #4) (EID #66)
NSOCK (0.3600s) msevent_delete (IOD #5) (EID #82)
NSOCK (0.3600s) msevent_delete (IOD #1) (EID #18)
SENT (0.4070s) TCP 209.163.118.135:51562 > 208.67.217.230:80 S ttl=41 id=27446 iplen=44 seq=3476152143 win=2048 <mss 1460>
SENT (1.4220s) TCP 209.163.118.135:51563 > 208.67.217.230:80 S ttl=49 id=31325 iplen=44 seq=3476086606 win=2048 <mss 1460>
Interesting ports on google.navigation.opendns.com (208.67.217.230):
PORT   STATE    SERVICE
80/tcp filtered http
Nmap done: 1 IP address (1 host up) scanned in 2.45 seconds

C:\Documents and Settings\client2\Desktop\nmap-4.76>nmap -sT --packet-trace -P0 -p 80 www.google.com
Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-04 14:15 GMT Standard Time
Warning: Hostname www.google.com resolves to 2 IPs. Using 208.67.217.230.
NSOCK (0.0940s) msevent_new (IOD #1) (EID #8)
NSOCK (0.0940s) UDP connection requested to 209.163.108.67:53 (IOD #1) EID 8
NSOCK (0.0940s) msevent_new (IOD #1) (EID #18)
NSOCK (0.0940s) Read request from IOD #1 [209.163.108.67:53] (timeout: -1ms) EID 18
NSOCK (0.0940s) msevent_new (IOD #2) (EID #24)
NSOCK (0.0940s) UDP connection requested to 209.163.108.78:53 (IOD #2) EID 24
NSOCK (0.0940s) msevent_new (IOD #2) (EID #34)
NSOCK (0.0940s) Read request from IOD #2 [209.163.108.78:53] (timeout: -1ms) EID 34
NSOCK (0.0940s) msevent_new (IOD #3) (EID #40)
NSOCK (0.0940s) UDP connection requested to 208.67.220.220:53 (IOD #3) EID 40
NSOCK (0.0940s) msevent_new (IOD #3) (EID #50)
NSOCK (0.0940s) Read request from IOD #3 [208.67.220.220:53] (timeout: -1ms) EID 50
NSOCK (0.1100s) msevent_new (IOD #4) (EID #56)
NSOCK (0.1100s) UDP connection requested to 208.67.222.222:53 (IOD #4) EID 56
NSOCK (0.1100s) msevent_new (IOD #4) (EID #66)
NSOCK (0.1100s) Read request from IOD #4 [208.67.222.222:53] (timeout: -1ms) EID 66
NSOCK (0.1100s) msevent_new (IOD #5) (EID #72)
NSOCK (0.1100s) UDP connection requested to 192.168.200.12:53 (IOD #5) EID 72
NSOCK (0.1100s) msevent_new (IOD #5) (EID #82)
NSOCK (0.1100s) Read request from IOD #5 [192.168.200.12:53] (timeout: -1ms) EID 82
NSOCK (0.1100s) msevent_new (IOD #1) (EID #91)
NSOCK (0.1100s) Write request for 45 bytes to IOD #1 EID 91 [209.163.108.67:53]: .............230.217.67.208.in-addr.arpa.....
NSOCK (0.1100s) nsock_loop() started (timeout=500ms). 11 events pending
NSOCK (0.1100s) wait_for_events
NSOCK (0.1100s) Callback: CONNECT SUCCESS for EID 72 [192.168.200.12:53]
NSOCK (0.1100s) msevent_delete (IOD #5) (EID #72)
NSOCK (0.1100s) Callback: CONNECT SUCCESS for EID 56 [208.67.222.222:53]
NSOCK (0.1100s) msevent_delete (IOD #4) (EID #56)
NSOCK (0.1100s) Callback: CONNECT SUCCESS for EID 40 [208.67.220.220:53]
NSOCK (0.1100s) msevent_delete (IOD #3) (EID #40)
NSOCK (0.1100s) Callback: CONNECT SUCCESS for EID 24 [209.163.108.78:53]
NSOCK (0.1100s) msevent_delete (IOD #2) (EID #24)
NSOCK (0.1100s) Callback: CONNECT SUCCESS for EID 8 [209.163.108.67:53]
NSOCK (0.1100s) msevent_delete (IOD #1) (EID #8)
NSOCK (0.1100s) Callback: WRITE SUCCESS for EID 91 [209.163.108.67:53]
NSOCK (0.1100s) msevent_delete (IOD #1) (EID #91)
NSOCK (0.1100s) wait_for_events
NSOCK (0.2190s) Callback: READ SUCCESS for EID 18 [209.163.108.67:53] (148 bytes)
NSOCK (0.2190s) msevent_new (IOD #1) (EID #98)
NSOCK (0.2190s) Read request from IOD #1 [209.163.108.67:53] (timeout: -1ms) EID 98
NSOCK (0.2190s) msevent_delete (IOD #1) (EID #98)
NSOCK (0.2190s) msevent_delete (IOD #2) (EID #34)
NSOCK (0.2190s) msevent_delete (IOD #3) (EID #50)
NSOCK (0.2190s) msevent_delete (IOD #4) (EID #66)
NSOCK (0.2190s) msevent_delete (IOD #5) (EID #82)
NSOCK (0.2190s) msevent_delete (IOD #1) (EID #18)
CONN (0.2190s) TCP localhost > 208.67.217.230:80 => Unknown error
Interesting ports on google.navigation.opendns.com (208.67.217.230):
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds

C:\Documents and Settings\client2\Desktop\nmap-4.76>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : XXXXXX
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : XXXXXXXX.net

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : XXXXXXXX.net
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
        Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.200.112
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 192.168.200.1
        DHCP Server . . . . . . . . . . . : 192.168.200.11
        DNS Servers . . . . . . . . . . . : 192.168.200.12
                                            208.67.222.222
                                            208.67.220.220
        Lease Obtained. . . . . . . . . . : Tuesday, November 04, 2008 2:03:47 PM
        Lease Expires . . . . . . . . . . : Wednesday, November 05, 2008 2:03:47 PM

PPP adapter {9F8E9972-4524-4531-9CFD-ED81FD62F517}:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 209.163.118.135
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 209.163.118.135
        DNS Servers . . . . . . . . . . . : 209.163.108.78
                                            209.163.108.67
        NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%4
        Default Gateway . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Documents and Settings\client2\Desktop\nmap-4.76>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...XX XX XX XX XX XX ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.200.1  192.168.200.112     11
          0.0.0.0          0.0.0.0  209.163.118.135  209.163.118.135      1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.0.0      255.255.0.0  192.168.200.112  192.168.200.112     10
  192.168.200.112  255.255.255.255        127.0.0.1        127.0.0.1     10
  192.168.200.255  255.255.255.255  192.168.200.112  192.168.200.112     10
   209.163.112.33  255.255.255.255  209.163.118.135  209.163.118.135      1
  209.163.118.135  255.255.255.255        127.0.0.1        127.0.0.1     50
  209.163.118.255  255.255.255.255  209.163.118.135  209.163.118.135     50
        224.0.0.0        240.0.0.0  192.168.200.112  192.168.200.112     10
        224.0.0.0        240.0.0.0  209.163.118.135  209.163.118.135      1
  255.255.255.255  255.255.255.255  192.168.200.112  192.168.200.112      1
  255.255.255.255  255.255.255.255  209.163.118.135  209.163.118.135      1
Default Gateway:   209.163.118.135
===========================================================================
Persistent Routes:
  None

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
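
[Added example, not part of the original post and not Nmap code.] One check a capture of these SYN packets does allow: the IP header checksum covers the protocol byte, so it shows whether 0xFF was already in the header when the checksum was computed or was written afterwards. The frames are constructed from the first SENT line above; the 14-byte link header is an assumption taken from the "offset 0x17" remark in the 2007 report, and the function names are hypothetical.

```python
import socket
import struct

ETH_LEN = 14                 # assumed Ethernet-style link header in the capture
PROTO_OFFSET = ETH_LEN + 9   # 0x17, the offset quoted in the 2007 report
IPPROTO_TCP = 6

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_syn_frame(proto_at_checksum: int, proto_on_wire: int) -> bytes:
    """Constructed sample frame; the TCP checksum is left at zero."""
    src = socket.inet_aton("209.163.118.135")
    dst = socket.inet_aton("208.67.217.230")
    tcp = struct.pack("!HHIIBBHHH", 51562, 80, 3476152143, 0,
                      6 << 4, 0x02, 2048, 0, 0)      # SYN, 24-byte header
    tcp += struct.pack("!BBH", 2, 4, 1460)           # MSS option
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 27446, 0, 41,
                      proto_at_checksum, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    hdr = hdr[:9] + bytes([proto_on_wire]) + hdr[10:]  # byte as captured
    return b"\x00" * 12 + b"\x08\x00" + hdr + tcp

def diagnose(frame: bytes, expected: int = IPPROTO_TCP) -> str:
    """Classify the protocol byte against the IP header checksum."""
    proto = frame[PROTO_OFFSET]
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    hdr = frame[ETH_LEN:ETH_LEN + ihl]
    if proto == expected:
        return "ok" if inet_checksum(hdr) == 0 else "bad-checksum"
    if inet_checksum(hdr) == 0:
        # Checksum agrees with the wrong value: it was computed (or
        # recomputed by a lower layer) with that value already in place.
        return "built-with-wrong-proto"
    patched = hdr[:9] + bytes([expected]) + hdr[10:]
    if inet_checksum(patched) == 0:
        # Checksum only fits the expected value: byte changed later.
        return "proto-changed-after-checksum"
    return "inconclusive"
```

To use it on a real capture, pass each frame's raw bytes to diagnose(); with a different link-layer header length, adjust ETH_LEN.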
Current thread:
- ip proto 0xff in syn pckts on ADSL connection jfhorn (Nov 04)
- Re: ip proto 0xff in syn pckts on ADSL connection David Fifield (Nov 17)
- Re: ip proto 0xff in syn pckts on ADSL connection jfhorn (Nov 17)
- Re: ip proto 0xff in syn pckts on ADSL connection David Fifield (Nov 20)
- Re: ip proto 0xff in syn pckts on ADSL connection David Fifield (Nov 24)
- Re: ip proto 0xff in syn pckts on ADSL connection David Fifield (Nov 17)