Nmap Development mailing list archives
Re: MacOS X 10.6.4 - pcap reception via NSE not working?
From: David Fifield <david () bamsoftware com>
Date: Thu, 19 Aug 2010 19:02:24 -0600
On Sun, Aug 15, 2010 at 02:01:24PM +0200, Patrik Karlsson wrote:
I can confirm that this seems to be a bug on OS X 10.6.4. No scripts making use of pcap seem to work. I have spent some time trying to debug the problem without finding a solution. The problem only occurs with NSE and not when running Nmap as root as it used to. It seems as if incoming packets are not recognized by the pcap socket. I noticed that do_actual_pcap_read was called all the time, even if there was no incoming packet on Mac OS but not on Linux. This might be normal, I don't know. Anyway if someone can offer some insight or suggestion or better yet a patch (: please let me know.
I spent most of today looking into this. It appears to be another change in OS X BPF. http://sourceforge.net/tracker/?func=detail&aid=2902860&group_id=53067&atid=469577 I can reproduce it with NSE and Nping. The common element is Nsock's pcap capture. What's happening is that packets are being captured in non-blocking mode, but they are not being flushed to user space until a lot of them have been buffered in the kernel. I attached a test program that illustrates this. If you run it as it is, it will not print out any captures until you create a lot of traffic. If you comment out the call to pcap_setnonblock, you will see captures right away. The reason that port scans still work is that scan_engine.cc doesn't call pcap_setnonblock, instead using a short timeout on platforms where pcap descriptors are not selectable. I found that removing pcap_set_nonblock and reducing the timeout in Nsock makes NSE and Nping work. Another option is to set the BIOCIMMEDIATE ioctl as described in the linked page. I'll look more into it. David Fifield
Attachment:
pcap-test.c
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- MacOS X 10.6.4 - pcap reception via NSE not working? Jean Mousinho (Jul 30)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 15)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 19)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Kris Katterjohn (Aug 19)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 19)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 20)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 20)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 20)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 20)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 21)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? David Fifield (Aug 19)
- Re: MacOS X 10.6.4 - pcap reception via NSE not working? Patrik Karlsson (Aug 15)