Nmap Development mailing list archives
Re: [nmap-svn] r18187 - nping
From: David Fifield <david () bamsoftware com>
Date: Fri, 18 Jun 2010 12:14:23 -0600
On Thu, Jun 17, 2010 at 03:20:02AM -0700, commit-mailer () insecure org wrote:
Author: luis
Date: Thu Jun 17 03:20:02 2010
New Revision: 18187

Log:
Fixed a few bugs in the BPF filter creation. Now, Nping makes sure we don't capture any of the packets we send or packets that are not destined to us. Also, handling of ICMP and ARP requests/replies has been improved, adding specific types that match the expected responses from our targets.

I've been testing this patch and everything works fine except for ARP. I've been able to confirm, using Wireshark, that the ARP replies that are sent in response to our ARP requests are not being captured by libpcap. This issue was already present in the previous version of the getBPFFilterString() function, so I think it is OK to commit this "partially working" patch now, and try to fix this issue later.
For TCP mode, for example, it's giving me this filter string:

BPF-filter: (not src host 192.168.0.21 and dst host 192.168.0.21) and ((tcp and dst port 39062) or (icmp and (icmp[icmptype] = 3 or icmp[icmptype] = 4 or icmp[icmptype] = 5 or icmp[icmptype] = 11 or icmp[icmptype] = 12)) )

That works fine, except when I'm trying to ping my own IP address (192.168.0.21). You probably need to add a special check for this, or just remove the "not src host 192.168.0.21" part. You might compare with Nmap's filters.

# nmap -d -sn -PS53 scanme.nmap.org
Packet capture filter (device eth0): dst host 192.168.0.21 and (icmp or ((tcp or udp or sctp) and (src host 64.13.134.52)))

David Fifield
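The special check suggested in the message above, sketched as an added example that is not part of the original post and is not Nping's getBPFFilterString(): the address clause drops "not src host" only when our own address is among the targets. The names Pkt, targets_self, addr_clause, addr_match and captured are hypothetical, and the packets are constructed sample data.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

struct Pkt { std::string src, dst; };  // constructed stand-in for a captured IP packet

// True when one of the targets is our own address (the self-ping case).
bool targets_self(const std::string &own, const std::vector<std::string> &targets) {
  return std::find(targets.begin(), targets.end(), own) != targets.end();
}

// Address clause of the capture filter (hypothetical helper, not Nping's code).
std::string addr_clause(const std::string &own, const std::vector<std::string> &targets) {
  std::string f = "dst host " + own;
  // "not src host <own>" keeps our outgoing probes out of the capture, but in
  // the self-ping case every reply also has src == own, so it is left out.
  if (!targets_self(own, targets)) f = "not src host " + own + " and " + f;
  return "(" + f + ")";
}

// Same predicate applied to a packet, so the effect is checkable without libpcap.
bool addr_match(const Pkt &p, const std::string &own, bool exclude_own_src) {
  return p.dst == own && !(exclude_own_src && p.src == own);
}

// Number of packets the address clause lets through for a given target list.
int captured(const std::vector<Pkt> &pkts, const std::string &own,
             const std::vector<std::string> &targets, bool special_check) {
  bool exclude = !(special_check && targets_self(own, targets));
  int n = 0;
  for (const Pkt &p : pkts) n += addr_match(p, own, exclude) ? 1 : 0;
  return n;
}

int main() {
  const std::string own = "192.168.0.21";
  std::vector<Pkt> self_replies = {{own, own}, {own, own}};  // constructed
  std::cout << addr_clause(own, {"64.13.134.52"}) << "\n"
            << addr_clause(own, {own}) << "\n"
            << captured(self_replies, own, {own}, false) << " vs "
            << captured(self_replies, own, {own}, true) << "\n";
}
```

With the clause dropped for a self-ping, our own probes also satisfy "dst host", so the protocol part of the filter (ports, ICMP types) has to separate probes from replies.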