Nmap Development mailing list archives

Re: ip proto 0xff in syn pckts on ADSL connection

From: David Fifield <david () bamsoftware com>
Date: Mon, 24 Nov 2008 11:08:02 -0700

On Thu, Nov 20, 2008 at 09:56:00AM -0700, David Fifield wrote:

On Mon, Nov 17, 2008 at 01:21:05PM -0700, David Fifield wrote:

On Tue, Nov 04, 2008 at 11:01:55AM -0500, jfhorn wrote:

I'm looking for some insight into an issue (a bug, possibly with nmap)
involving the most recent nmap (4.76), Windows (XP SP2), WinPcap
(4.02), and a modem/dial-up adapter.

PROBLEM: When attempting a TCP connect scan (-sT) to port 80 on
www.google.com over dial-up, the system emits packets correctly, *but*
when attempting to SYN scan (-sS) port 80 on www.google.com, the
system emits packets with the IP protocol type set to 0xFF.


Windows doesn't support raw sockets. Nmap can work around this most of
the time by using an Ethernet interface directly, but that only works
for Ethernet devices. Scans requiring raw packets (including SYN scan)
won't work on a dial-up connection. The workaround is (as you've
discovered) to use -sT for a plain connect scan. To do more than that
requires an operating system with support for raw sockets.

There is a real problem here thouch, which is that Nmap doesn't print
enough information about the situation.


Here is a patch that shows a warning whenever raw socket sending is
attempted on Windows (regardless of --send-ip and --send-eth). It shows
the warning only once per unique device name. The warning is

WARNING: Using raw sockets because %s is not an ethernet device. This probably won't work on Windows.

I don't have a real non-Ethernet device to test it with. I tested it by
hacking the condition in scan_engine.cc to pretend devices were not
Ethernet. I don't like to commit the patch until someone with a PPP or
other connection tests it and sees that the warning is shown.


I haven't heard back from any testers yet. I committed the patch in
r11185. Hopefully it will make it more clear what's going on for Windows
users.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

ip proto 0xff in syn pckts on ADSL connection jfhorn (Nov 04)
- Re: ip proto 0xff in syn pckts on ADSL connection David Fifield (Nov 17)
  - Re: ip proto 0xff in syn pckts on ADSL connection jfhorn (Nov 17)
  - Re: ip proto 0xff in syn pckts on ADSL connection David Fifield (Nov 20)
    - Re: ip proto 0xff in syn pckts on ADSL connection David Fifield (Nov 24)