Nmap Development mailing list archives

Re: [NSE] errors: path-mtu, dns-cache-snoop, and firewalk


From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 02 Nov 2010 14:54:33 -0500

On 10/18/2010 08:05 PM, Ron wrote:
> On Mon, 18 Oct 2010 19:58:35 -0500 Kris Katterjohn <katterjohn () gmail com> wrote:
> > This will happen when Nmap cannot determine the MTU for the outgoing
> > interface.  path-mtu assumes errors from ip_send() are due to this
> > (not that it matters much) and drops to another MTU level and
> > continues.
> >
> > Does "nmap --iflist" show the correct MTU for the interface on the
> > source machine?
> >
> > This is my first thought since I know this behavior can occur this
> > way, so let me know and I'll think more on it if you see Nmap knows
> > the correct MTU but path-mtu is still causing this error.
> >
> > Also, does the problem occur on a small scan?  If this is the
> > problem, it should cause an error for any path-mtu run over that
> > interface (not just on large scans).
> Hey Kris,
>
> I didn't really collect much information; I was hoping there'd be an obvious cause. What I *can* tell you is that it
> didn't fail for every host, just for one or a couple.
>
> I also exaggerated a little when I said a big scan -- it was only about 10 hosts (but with all ports, etc, so it was
> more of a slow scan than a big one).
>
> Here's the output of --iflist:
> $ sudo ./nmap --iflist
>
> Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-10-18 20:00 CDT
> ************************INTERFACES************************
> DEV  (SHORT) IP/MASK         TYPE     UP MTU   MAC
> lo   (lo)    127.0.0.1/8     loopback up 16436
> eth1 (eth1)  192.168.1.18/24 ethernet up 1500  00:0C:29:55:50:31
>
> **************************ROUTES**************************
> DST/MASK       DEV  GATEWAY
> 192.168.1.0/24 eth1
> 127.0.0.0/8    lo
> 0.0.0.0/0      eth1 192.168.1.1

Thanks.  Sorry, I've been busy and I forgot about this.

If possible, can you find the smallest scan (hosts and ports) which still
causes this problem and send me the output with debugging and script/packet
tracing turned on (off-list with altered addresses if you want)?  I can search
through the output if you can't narrow it down much, but it would just be
helpful if you can find a single host and port which can still cause this, if
the problem can even occur that way.

I'll try to examine this as soon as I can after I receive it and get back to
you (and the list) with something.

Cheers,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
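An added example, not code from this thread and not Nmap's own path-mtu.nse: a small offline model of the two things discussed above. parse_iflist() reads the INTERFACES table of `nmap --iflist` output and reports interfaces with no usable MTU, which is the check Kris asks Ron to do; probe_path_mtu() walks a plateau list downward and treats a send error the way Kris says path-mtu does (as "too big", step down and continue), so the unknown-MTU symptom can be reproduced with a simulated transport. The plateau table (RFC 1191's), the rule "start at the interface MTU when it is known", the send() callback and the sample --iflist text (with a made-up tun0 line lacking an MTU) are assumptions made for this example.

```python
# Added example, not from the nmap-dev thread or from Nmap/path-mtu.nse.
# Models (1) pulling MTUs out of `nmap --iflist` and (2) a plateau step-down
# probe that treats a local send error as "too big", as described above.

# Constructed sample shaped like the --iflist output quoted in the thread; the
# tun0 line without an MTU column is made up to exercise the unknown-MTU path.
SAMPLE_IFLIST = """\
************************INTERFACES************************
DEV  (SHORT) IP/MASK         TYPE     UP MTU   MAC
lo   (lo)    127.0.0.1/8     loopback up 16436
eth1 (eth1)  192.168.1.18/24 ethernet up 1500  00:0C:29:55:50:31
tun0 (tun0)  10.8.0.2/24     point2point up

**************************ROUTES**************************
DST/MASK       DEV  GATEWAY
0.0.0.0/0      eth1 192.168.1.1
"""

# RFC 1191 plateau table (assumption for this example; path-mtu.nse keeps its own list).
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 576, 508, 296, 68)


def parse_iflist(text):
    """Return {device: mtu} for the INTERFACES table; None when the MTU
    column is missing or zero."""
    mtus = {}
    in_table = False
    for line in text.splitlines():
        if "INTERFACES" in line:
            in_table = True
            continue
        if "ROUTES" in line:
            break
        if not in_table or not line.strip() or line.startswith("DEV"):
            continue
        fields = line.split()  # DEV (SHORT) IP/MASK TYPE UP MTU MAC
        mtu = None
        if len(fields) > 5 and fields[5].isdigit() and int(fields[5]) > 0:
            mtu = int(fields[5])
        mtus[fields[0]] = mtu
    return mtus


def interfaces_without_mtu(text):
    """Devices for which the scanner has no MTU to start from."""
    return [dev for dev, mtu in parse_iflist(text).items() if mtu is None]


class SendError(Exception):
    """Stand-in for an ip_send() failure."""


def simulated_sender(path_mtu, link_mtu=1500):
    """Constructed probe transport: frames above link_mtu are refused locally
    (send error), frames above path_mtu get no reply, the rest are answered."""
    def send(size):
        if size > link_mtu:
            raise SendError("frame of %d bytes exceeds link MTU %d" % (size, link_mtu))
        return size <= path_mtu
    return send


def probe_path_mtu(send, iface_mtu=None, plateaus=PLATEAUS):
    """Step down the plateau list until a DF probe is answered.

    send(size) -> True on reply, False on no reply, raises SendError when the
    local stack refuses the frame. A SendError is treated as "too big" and the
    walk continues at the next plateau (the behaviour the thread describes).
    When iface_mtu is known the walk starts there (assumption).
    Returns (mtu_or_None, trace) where trace lists (size, outcome)."""
    if iface_mtu is not None:
        candidates = [iface_mtu] + [p for p in plateaus if p < iface_mtu]
    else:
        candidates = list(plateaus)
    trace = []
    for size in candidates:
        try:
            answered = send(size)
        except SendError as err:
            trace.append((size, "send error: %s" % err))
            continue
        trace.append((size, "reply" if answered else "no reply"))
        if answered:
            return size, trace
    return None, trace


def send_errors(trace):
    """Probe sizes that never left the host."""
    return [size for size, outcome in trace if outcome.startswith("send error")]


if __name__ == "__main__":
    print("interfaces without MTU:", interfaces_without_mtu(SAMPLE_IFLIST))
    for label, known in (("MTU known", 1500), ("MTU unknown", None)):
        mtu, trace = probe_path_mtu(simulated_sender(path_mtu=1492), iface_mtu=known)
        print("%s: path MTU %s after %d send errors" % (label, mtu, len(send_errors(trace))))
```

With the interface MTU known the probe starts at 1500 and settles on 1492 with no send errors; with it unknown the same path MTU is found only after every plateau above the link size has failed locally, which is the pattern of ip_send() errors Kris attributes to an undetermined interface MTU.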