Nmap Development mailing list archives

Re: nmap returns "Host <ip_address> appears to be up" instead of "Host <hostname> appears to be up" for some of the nodes


From: Guang Cheng Li <liguangc () cn ibm com>
Date: Fri, 13 Nov 2009 12:57:50 +0800

I use hostnames everywhere in my scripts and in our product, so it will be
difficult for us to change to using IP addresses unless we resolve the
hostnames to IP addresses before passing them to nmap. Hostname resolution
will bring in performance degradation, so I hesitate to do this.

All the host names can be resolved through the system resolver: if I add the
flag "--system-dns" to nmap, then all the hostnames are returned by nmap.
From this point of view, I suspect this may be an nmap bug. I noticed a
special configuration in my cluster that may be causing the problem: we use
two nameservers in /etc/resolv.conf, one for the private subnet and one for
the public subnet. The private subnet name server is checked first because
it is the first nameserver in /etc/resolv.conf. I turned on nmap -d9, and it
seems nmap is sending the DNS query to the public subnet name server.

c906mgrs2:/opt/xcat/bin # cat /etc/resolv.conf | grep nameserver
nameserver 10.0.0.242 ==========> private subnet nameserver
nameserver 9.114.8.1 =========> public subnet nameserver
c906mgrs2:/opt/xcat/bin #

c906mgrs2:/opt/xcat/bin # nslookup c906f06c01p05 =============> system
resolver works
Server:         10.0.0.242
Address:        10.0.0.242#53

Name:   c906f06c01p05.cluster.com
Address: 10.6.1.5

c906mgrs2:/opt/xcat/bin # ping c906f06c01p05
PING c906f06c01p05 (10.6.1.5) 56(84) bytes of data.
64 bytes from c906f06c01p05 (10.6.1.5): icmp_seq=1 ttl=64 time=0.112 ms
^C
--- c906f06c01p05 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.112/0.112/0.112/0.000 ms
c906mgrs2:/opt/xcat/bin #



c906mgrs2:/opt/xcat/bin # nmap -PE -d9 --send-ip -sP c906f06c01p05

Starting Nmap 4.75 ( http://nmap.org ) at 2009-11-12 23:45 EST
Fetchfile found /usr/share/nmap/nmap-services
PORTS: Using top 1000 ports found open (TCP:0, UDP:0)
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 23:45
Scanning 10.6.1.5 [1 port]
Pcap filter: dst host 10.0.0.242 and (icmp or ((tcp or udp) and (src host
10.6.1.5)))
Packet capture filter (device eth1): dst host 10.0.0.242 and (icmp or ((tcp
or udp) and (src host 10.6.1.5)))
SENT (0.1550s) ICMP 10.0.0.242 > 10.6.1.5 echo request (type=8/code=0)
ttl=59 id=38149 iplen=28
**TIMING STATS** (0.1550s): IP, probes
active/freshportsleft/retry_stack/outstanding/retranwait/onbench,
cwnd/ccthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
   10.6.1.5: 1/0/0/1/0/0 10.00/75/0 1000000/-1/-1
Current sending rates: 15.34 packets / s, 429.57 bytes / s.
Overall sending rates: 15.34 packets / s, 429.57 bytes / s.
RCVD (0.1550s) ICMP 10.6.1.5 > 10.0.0.242 echo reply (type=0/code=0) ttl=64
id=61717 iplen=28
Found 10.6.1.5 in incomplete hosts list.
We got a ping packet back from 10.6.1.5: id = 45799 seq = 0 checksum =
19736
ultrascan_host_probe_update called for machine 10.6.1.5 state UNKNOWN ->
HOST_UP (trynum 0 time: 212)
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 124 ==> srtt: 124
rttvar: 5000 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 124 ==> srtt: 124
rttvar: 5000 to: 100000
Changing ping technique for 10.6.1.5 to icmp type 8 code 0
Moving 10.6.1.5 to completed hosts list with 0 outstanding probes.
Completed Ping Scan at 23:45, 0.07s elapsed (1 total hosts)
Overall sending rates: 15.31 packets / s, 428.57 bytes / s.
pcap stats: 1 packets received by filter, 0 dropped by kernel.
mass_rdns: Using DNS server 10.0.0.242
mass_rdns: Using DNS server 9.114.8.1
NSOCK (0.2620s) msevent_new (IOD #1) (EID #8)
NSOCK (0.2620s) UDP connection requested to 9.114.8.1:53 (IOD #1) EID 8
NSOCK (0.2620s) msevent_new (IOD #1) (EID #18)
NSOCK (0.2620s) Read request from IOD #1 [9.114.8.1:53] (timeout: -1ms) EID
18
NSOCK (0.2630s) msevent_new (IOD #2) (EID #24)
NSOCK (0.2630s) UDP connection requested to 10.0.0.242:53 (IOD #2) EID 24
NSOCK (0.2630s) msevent_new (IOD #2) (EID #34)
NSOCK (0.2630s) Read request from IOD #2 [10.0.0.242:53] (timeout: -1ms)
EID 34
Initiating Parallel DNS resolution of 1 host. at 23:45
mass_rdns: TRANSMITTING for <10.6.1.5> (server <9.114.8.1>)
====================> Wrong name server is selected.
NSOCK (0.2630s) msevent_new (IOD #1) (EID #43)
NSOCK (0.2630s) Write request for 39 bytes to IOD #1 EID 43 [9.114.8.1:53]:
.............5.1.6.10.in-addr.arpa.....
NSOCK (0.2630s) nsock_loop() started (timeout=500ms). 5 events pending
NSOCK (0.2630s) wait_for_events
NSOCK (0.2630s) Callback: CONNECT SUCCESS for EID 24 [10.0.0.242:53]
NSOCK (0.2630s) msevent_delete (IOD #2) (EID #24)
NSOCK (0.2630s) Callback: CONNECT SUCCESS for EID 8 [9.114.8.1:53]
NSOCK (0.2630s) msevent_delete (IOD #1) (EID #8)
NSOCK (0.2630s) Callback: WRITE SUCCESS for EID 43 [9.114.8.1:53]
NSOCK (0.2630s) msevent_delete (IOD #1) (EID #43)
NSOCK (0.2630s) wait_for_events
NSOCK (0.2630s) Callback: READ SUCCESS for EID 18 [9.114.8.1:53] (116
bytes)
NSOCK (0.2630s) msevent_new (IOD #1) (EID #50)
NSOCK (0.2630s) Read request from IOD #1 [9.114.8.1:53] (timeout: -1ms) EID
50
CAPACITY <9.114.8.1> = 12
NSOCK (0.2630s) msevent_delete (IOD #1) (EID #50)
NSOCK (0.2630s) msevent_delete (IOD #2) (EID #34)
mass_rdns: NXDOMAIN <id = 37127>
mass_rdns: 0.02s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
NSOCK (0.2630s) msevent_delete (IOD #1) (EID #18)
Completed Parallel DNS resolution of 1 host. at 23:45, 0.00s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0,
SF: 0, TR: 1, CN: 0]
Fetchfile found /usr/share/nmap/nmap-mac-prefixes
Host 10.6.1.5 appears to be up, received echo-reply.
=======================> ip address is returned
MAC Address: 00:1A:64:FC:0A:37 (IBM)
Read from /usr/share/nmap: nmap-mac-prefixes nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
c906mgrs2:/opt/xcat/bin #


Thanks,
-------------------------------------------------------------------------
 Li,Guang Cheng (李光成)
 IBM China Software Development Laboratory



David Fifield <david@bamsoftware.com>
2009-11-13 11:24
To: Guang Cheng Li/China/IBM@IBMCN
cc: nmap-dev () insecure org
Subject: Re: nmap returns "Host <ip_address> appears to be up" instead of "Host <hostname> appears to be up" for some of the nodes

On Fri, Nov 13, 2009 at 09:27:59AM +0800, Guang Cheng Li wrote:
> Hi David,
>
> Thank you for your response.
>
> The -oX and -oG flags do change the output format to make it easier for the
> output parsing, but the "hostname" information is still not available for
> some nodes. I can update my script to check both the ip address and the
> hostname, but I have to call a lot of hostname resolution system calls to
> resolve the hostnames/ip addresses; the performance degradation might be a
> problem for me because I can have at most 64,000 nodes in my cluster.

Even if you're using the normal output, you don't have to look up the
hostnames when they are present. The IP address is always there too, in
parentheses.

If the hostname is not present, it means that reverse DNS for that
address failed. If there is a host whose name you can get through your
system resolver but not with Nmap, then it is likely a bug and we would
like to have more information about it.

> Actually we are using /etc/hosts to resolve the host names because the DNS
> itself also has some kind of scaling issues, though the DNS hostname
> resolution also works in the cluster. Do you think the flag "--system-dns"
> will be a better choice for us because we are using /etc/hosts for hostname
> resolution? The experiment also shows that "--system-dns" runs faster in my
> environment; are there any other side effects of specifying the
> "--system-dns" flag?

Nmap's parallel DNS resolver also looks in /etc/hosts, so if all the
hosts are in there it shouldn't have an effect. You will have to test
yourself to see which is faster.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
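The thread above discusses parsing nmap's -oG output and the cost of one resolver call per node when nmap leaves the hostname empty. Below is an added example (not code from nmap or from either poster) that parses grepable "Host:" lines and fills missing names from a pre-loaded /etc/hosts-style table instead of calling the system resolver; the -oG line layout follows nmap's grepable format, and the sample hosts file and scan output are constructed here.

```python
"""Parse nmap -oG (grepable) output and fill in hostnames that nmap's reverse
DNS left empty, using an /etc/hosts-style table loaded once up front.
Added example; not nmap's code."""
import re

# Grepable ping-scan line: "Host: <ip> (<hostname or empty>)<TAB>Status: Up"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\S+)")

def parse_hosts_file(text):
    """Build an ip -> first-hostname map from /etc/hosts-formatted text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            table.setdefault(fields[0], fields[1])  # first entry wins
    return table

def parse_grepable(text, hosts_table):
    """Return (ip, hostname, status, source) per Host: line; source is
    'nmap' if nmap resolved it, 'hosts' if taken from the table, else None."""
    results = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines ("# Nmap ...") and anything else
        ip, name, status = m.groups()
        if name:
            results.append((ip, name, status, "nmap"))
        elif ip in hosts_table:
            results.append((ip, hosts_table[ip], status, "hosts"))
        else:
            results.append((ip, None, status, None))
    return results

# Constructed sample input (not taken from the original message).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.6.1.5    c906f06c01p05.cluster.com c906f06c01p05   # only in /etc/hosts
10.6.1.6    c906f06c01p06.cluster.com c906f06c01p06
"""
SAMPLE_GREPABLE = """\
# Nmap 4.75 scan initiated (constructed sample) as: nmap -sP -oG - 10.6.1.5-7
Host: 10.6.1.5 ()\tStatus: Up
Host: 10.6.1.6 (c906f06c01p06.cluster.com)\tStatus: Up
Host: 10.6.1.7 ()\tStatus: Up
"""

def demo():
    return parse_grepable(SAMPLE_GREPABLE, parse_hosts_file(SAMPLE_HOSTS))

if __name__ == "__main__":
    for ip, name, status, source in demo():
        print(ip, name or "<unresolved>", status, source)
```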
