Nmap Development mailing list archives

Re: [nmap-svn] r18187 - nping


From: David Fifield <david () bamsoftware com>
Date: Fri, 18 Jun 2010 12:14:23 -0600

On Thu, Jun 17, 2010 at 03:20:02AM -0700, commit-mailer () insecure org wrote:
> Author: luis
> Date: Thu Jun 17 03:20:02 2010
> New Revision: 18187
>
> Log:
> Fixed a few bugs in the BPF filter creation. Now, Nping makes
> sure we don't capture any of the packets we send or packets
> that are not destined to us. Also, handling of ICMP and ARP
> requests/replies has been improved, adding specific types that
> match the expected responses from our targets. I've been testing
> this patch and everything works fine except for ARP. I've been
> able to confirm, using Wireshark, that the ARP replies that are
> sent in response to our ARP requests are not being captured
> by libpcap. This issue was already present in the previous
> version of the getBPFFilterString() function, so I think it is
> OK to commit this "partially working" patch now, and try to
> fix this issue later.

For TCP mode, for example, it's giving me this filter string:

BPF-filter: (not src host 192.168.0.21 and dst host 192.168.0.21) and ((tcp and dst port 39062) or (icmp and (icmp[icmptype] = 3 or icmp[icmptype] = 4 or icmp[icmptype] = 5 or icmp[icmptype] = 11 or icmp[icmptype] = 12)) )

That works fine, except when I'm trying to ping my own IP address
(192.168.0.21). You probably need to add a special check for this, or
just remove the "not src host 192.168.0.21" part. You might compare with
Nmap's filters.

# nmap -d -sn -PS53 scanme.nmap.org
Packet capture filter (device eth0): dst host 192.168.0.21 and (icmp or ((tcp or udp or sctp) and (src host 64.13.134.52)))

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
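
The special check suggested in the message above, as an added example that is not Nping's code and not part of the original post: the "not src host" clause is dropped when the target is our own address. The function names are hypothetical, and the sketch assumes IPv4 only, validating both addresses with inet_pton() before they are placed in the filter string.

```cpp
// Added example, not Nping source; all function names are hypothetical.
#include <arpa/inet.h>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

// Accept only a literal IPv4 address, so no filter syntax can be smuggled in.
static in_addr parse_ipv4(const std::string &s) {
    in_addr a{};
    if (inet_pton(AF_INET, s.c_str(), &a) != 1)
        throw std::invalid_argument("not an IPv4 address: " + s);
    return a;
}

static std::string canonical(const in_addr &a) {
    char buf[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &a, buf, sizeof buf))
        throw std::runtime_error("inet_ntop failed");
    return buf;
}

// TCP-mode capture filter for probes sent from local:sport to target.
std::string build_tcp_filter(const std::string &local,
                             const std::string &target, uint16_t sport) {
    const in_addr l = parse_ipv4(local), t = parse_ipv4(target);
    const std::string lip = canonical(l);
    // Self-ping: the replies carry our own address as source, so the
    // "not src host" clause would discard every response. Omit it then.
    std::string addr = "dst host " + lip;
    if (l.s_addr != t.s_addr)
        addr = "not src host " + lip + " and " + addr;
    // ICMP types as listed in the filter quoted in the message.
    static const int icmp_types[] = {3, 4, 5, 11, 12};
    std::string icmp;
    for (int ty : icmp_types) {
        if (!icmp.empty()) icmp += " or ";
        icmp += "icmp[icmptype] = " + std::to_string(ty);
    }
    return "(" + addr + ") and ((tcp and dst port " + std::to_string(sport) +
           ") or (icmp and (" + icmp + ")))";
}

int main() {
    std::cout << build_tcp_filter("192.168.0.21", "64.13.134.52", 39062) << "\n"
              << build_tcp_filter("192.168.0.21", "192.168.0.21", 39062) << "\n";
}
```

With source and destination both 192.168.0.21, the outgoing probe still fails the "tcp and dst port 39062" clause as long as the probed port differs from the local source port, so only the response is captured.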

