Nmap Development mailing list archives
Re: [NSE] qscan first read timeout value too short?
From: David Fifield <david () bamsoftware com>
Date: Fri, 6 Aug 2010 16:52:10 -0600
On Fri, Aug 06, 2010 at 11:15:44PM +0100, jah wrote:
> Hi folks,
>
> Using qscan.nse from winXP with svn r19518 I'm consistently seeing a single packet loss during the script scan. The packet 'lost' is the response to the first qscan probe to the first port in the list of ports qscan will probe.
>
> What seems to happen is that by the time do_actual_pcap_read is called (for the very first time), the timeout period has elapsed and the response is not seen.
>
> Setting NSOCK_TRACE_LEVEL to 10 in nmap.h I get the following output which sheds some light on this oddity.
>
> NSOCK (0.1100s) msevent_new (IOD #1) (EID #13)
> NSOCK (0.1100s) Pcap read request from IOD #1 EID 13
> NSOCK (0.1100s) NSE #13: Adding event
> NSOCK (0.1100s) PCAP NSE #13: Adding event to PCAP_READ_EVENTS
> SENT (1.2190s) TCP [192.168.1.15:13495 > 212.56.83.200:80 S seq=<snipped the rest>
> NSOCK (1.2190s) nsock_loop() started (timeout=50ms). 1 events pending
> NSOCK (1.2190s) wait_for_events
> NSOCK (1.2190s) PCAP do_actual_pcap_read TEST (IOD #1) (EID #13)
> NSOCK (1.2190s) before iterating, list 0
> NSOCK (1.2190s) before iterating, list 1
> NSOCK (1.2190s) before iterating, list 2
> NSOCK (1.2190s) before iterating, list 3
> NSOCK (1.2190s) before iterating, list 4
> NSOCK (1.2190s) before iterating 13
> NSOCK (1.2190s) list 4, iterating 13
> NSOCK (1.2190s) PCAP iterating 13
> NSOCK (1.2190s) PCAP do_actual_pcap_read TEST (IOD #1) (EID #13)
> NSOCK (1.2190s) NSE #13: Removing event from event_lists[4]
> NSOCK (1.2190s) Callback: READ-PCAP TIMEOUT for EID 13
> NSOCK (1.2190s) msevent_delete (IOD #1) (EID #13)
> NSOCK (1.2190s) PCAP removed 13
>
> The timeout in this example was about 400 ms and you can probably see that between 'Adding event to PCAP_READ_EVENTS' and the call to send_ip_packet (next line) more than a second has elapsed - much more than the timeout.

Do you think it's related to this recent message?

Nsock has trouble handling pcap reads on Windows
http://seclists.org/nmap-dev/2010/q3/232

Luis found that pcap reads on Windows were not being polled often enough. His patch was applied in r19487, so you should have the fix already. Luis, you mentioned to me that you confirmed the bug existed with NSE also. Can you reproduce this behavior with qscan?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
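
Added example, not part of the original messages and not Nmap project code: a small Python check that reads an NSOCK trace like the one quoted above and reports pcap read events that timed out without being polled inside their timeout window. It assumes "Adding event to PCAP_READ_EVENTS" marks when the read was queued and "do_actual_pcap_read TEST" marks a poll; the function name and the 400 ms figure (the approximate timeout given in the quoted message) are assumptions.

```python
import re

# Trace excerpt copied from the quoted message above (NSOCK_TRACE_LEVEL 10).
TRACE = """\
NSOCK (0.1100s) Pcap read request from IOD #1 EID 13
NSOCK (0.1100s) PCAP NSE #13: Adding event to PCAP_READ_EVENTS
SENT (1.2190s) TCP [192.168.1.15:13495 > 212.56.83.200:80 S seq=<snipped the rest>
NSOCK (1.2190s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (1.2190s) PCAP do_actual_pcap_read TEST (IOD #1) (EID #13)
NSOCK (1.2190s) Callback: READ-PCAP TIMEOUT for EID 13
"""

LINE = re.compile(r"^(?:NSOCK|SENT) \((\d+\.\d+)s\) (.*)$")
ADDED = re.compile(r"PCAP NSE #(\d+): Adding event to PCAP_READ_EVENTS")
POLLED = re.compile(r"do_actual_pcap_read TEST .*\(EID #(\d+)\)")
TIMED_OUT = re.compile(r"READ-PCAP TIMEOUT for EID (\d+)")


def starved_pcap_reads(trace, timeout_ms):
    """Return {eid: delay_ms} for pcap reads that timed out and whose first
    poll came more than timeout_ms after the read was queued."""
    queued, first_poll, starved = {}, {}, {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a trace line
        ts_ms, msg = round(float(m.group(1)) * 1000), m.group(2)
        if (a := ADDED.search(msg)):
            queued[a.group(1)] = ts_ms
        elif (p := POLLED.search(msg)):
            first_poll.setdefault(p.group(1), ts_ms)  # keep earliest poll only
        elif (t := TIMED_OUT.search(msg)):
            eid = t.group(1)
            if eid in queued and eid in first_poll:
                delay = first_poll[eid] - queued[eid]
                if delay > timeout_ms:  # expired before it was ever polled
                    starved[eid] = delay
    return starved


if __name__ == "__main__":
    for eid, delay in starved_pcap_reads(TRACE, timeout_ms=400).items():
        print(f"EID {eid}: first poll {delay} ms after queueing (timeout 400 ms)")
```
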