Nmap Development mailing list archives
Re: ip proto 0xff in syn pckts on ADSL connection
From: David Fifield <david () bamsoftware com>
Date: Mon, 24 Nov 2008 11:08:02 -0700
On Thu, Nov 20, 2008 at 09:56:00AM -0700, David Fifield wrote:
On Mon, Nov 17, 2008 at 01:21:05PM -0700, David Fifield wrote:On Tue, Nov 04, 2008 at 11:01:55AM -0500, jfhorn wrote:I'm looking for some insight into an issue (a bug, possibly with nmap) involving the most recent nmap (4.76), Windows (XP SP2), WinPcap (4.02), and a modem/dial-up adapter. PROBLEM: When attempting a TCP connect scan (-sT) to port 80 on www.google.com over dial-up, the system emits packets correctly, *but* when attempting to SYN scan (-sS) port 80 on www.google.com, the system emits packets with the IP protocol type set to 0xFF.Windows doesn't support raw sockets. Nmap can work around this most of the time by using an Ethernet interface directly, but that only works for Ethernet devices. Scans requiring raw packets (including SYN scan) won't work on a dial-up connection. The workaround is (as you've discovered) to use -sT for a plain connect scan. To do more than that requires an operating system with support for raw sockets. There is a real problem here thouch, which is that Nmap doesn't print enough information about the situation.Here is a patch that shows a warning whenever raw socket sending is attempted on Windows (regardless of --send-ip and --send-eth). It shows the warning only once per unique device name. The warning is WARNING: Using raw sockets because %s is not an ethernet device. This probably won't work on Windows. I don't have a real non-Ethernet device to test it with. I tested it by hacking the condition in scan_engine.cc to pretend devices were not Ethernet. I don't like to commit the patch until someone with a PPP or other connection tests it and sees that the warning is shown.
I haven't heard back from any testers yet. I committed the patch in r11185. Hopefully it will make it more clear what's going on for Windows users. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- ip proto 0xff in syn pckts on ADSL connection jfhorn (Nov 04)
- Re: ip proto 0xff in syn pckts on ADSL connection David Fifield (Nov 17)
- Re: ip proto 0xff in syn pckts on ADSL connection jfhorn (Nov 17)
- Re: ip proto 0xff in syn pckts on ADSL connection David Fifield (Nov 20)
- Re: ip proto 0xff in syn pckts on ADSL connection David Fifield (Nov 24)
- Re: ip proto 0xff in syn pckts on ADSL connection David Fifield (Nov 17)