Nmap Development mailing list archives

Re: NMAP shows local machine as down
From: luto () stanford edu
Date: Wed, 09 Jul 2003 14:14:38 -0700



Quoting micro dev <microdev1 () yahoo com>:

Thanks Kevin.
Where can I find that doc? Please give me the pointer to that doc.

[snip]

 
I tried to snoop the packets through Ethereal. And what I deduce is that I
always see this stuff.
Source - 10.25.125.203
Destination - 11.25.125.203 
Protocol - ICMP
Info - Echo (ping) reply
 


I don't remember, but since I wrote it, here goes ;)

winpcap (up to v2.3 at least -- I haven't played with v3) can neither 
monitor nor inject packets into the loopback interface.  For some 
reason I couldn't get winpcap to scan localhost by using a different 
interface either -- I assume that Windows does not see injected packets 
as received, even though Ethereal (which uses winpcap) does, so these 
packets are effectively dropped -- so there is no way (other than 
connect()) to scan localhost.  SOCK_RAW will not bind localhost on 
win2k or xp.

Ugly diagram of what might be happening (assuming IP 10.0.0.1)

IP stack                winpcap layer                  NIC
10.0.0.1->10.0.0.2 -----------------------------------> (10.0.0.2 here)
                    10.0.0.1->10.0.0.1 ------------> (no listener here)
   ^                                      ^
  windows misses it                    Ethereal catches
  because there is no                  the packet here
  packet here

The strange behavior you see is due to some logic I added that, IIRC, 
falsifies the routing information for the local computer when it is in 
a range of other IPs.  I think I did this because the alternative would 
be to try to route the packets to the local machine over the localhost 
interface, which confused something.  Fixing this oddity would be 
pointless, because it is still impossible to scan the local machine.

Hope this helps.


Andy
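
Added example, not part of the original message and not Nmap code: a minimal connect()-based check of TCP ports on the local machine, the one approach the message says still works when raw packets cannot reach loopback. The function names and the port list are assumptions chosen for illustration.

```python
import socket

LOOPBACK = "127.0.0.1"  # the address raw-packet scans cannot reach here


def connect_probe(port, host=LOOPBACK, timeout=1.0):
    """Classify one TCP port with a full connect(); no raw sockets or pcap."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"        # the stack answered with RST
        except OSError:
            return "no-response"   # timeout or any other socket error
        # On loopback the OS may pick source port == target port, so the
        # socket connects to itself although nothing is listening.
        if s.getsockname() == s.getpeername():
            return "closed"
        return "open"


def audit_loopback(ports, timeout=1.0):
    """Return {port: state} for the given TCP ports on the local machine."""
    return {p: connect_probe(p, timeout=timeout) for p in ports}


def demo():
    """Constructed check: probe a listener we start, then the same port closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))        # port 0: the OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = connect_probe(port)
    srv.close()
    after_close = connect_probe(port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())
    # Constructed port list; replace with the ports you want to audit.
    print(audit_loopback([22, 80, 135, 445]))
```

Because the kernel completes the handshake itself, this needs no packet capture driver and no administrator rights.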

