Nmap Development: Re: Fragmentation scan

Re: Fragmentation scan

From: Alan Jenkins <sourcejedi_at_phonecoop.coop>
Date: Thu, 7 Oct 2004 09:43:58 +0100

On Wednesday 06 October 2004 21:30, you wrote:
> On Wed, Oct 06, 2004 at 09:05:28PM +0100, Alan Jenkins wrote:
> > Does the -f option do anything? I have been unable to see any difference
> > in the packets sent (with --packet_trace and tcpdump). I am using nmap
> > 3.7.0 on linux 2.6.6. The option is documented - has it been silently
> > dropped in 3.7?
>
> Recent (maybe 2.4+ -- anyone know exactly when it started?) Linux
> kernels seem to defragment the packets Nmap sends before sticking them
> on the wire :(. Sadly, raw sockets just don't seem to give Nmap the
> level of control it needs on many platforms (Solaris has issues with
> adding the don't fragment bit, and Windows SP2 cripples the whole
> interfaces). For this reason, and due to a desire for cool local
> network host enumeration techniques such as ARP scan, I think I want
> to move Nmap to writing raw ethernet frames in preference to raw
> sockets when dealing with ethernet-compatible devices (includes 802.11
> wireless devices). That should resolve many of these problems,
> hopefully without adding a bunch of its own. I haven't researched the
> best way to move forward yet -- maybe libdnet, maybe write my own
> library. It needs to work well on Windows, since that is the platform
> with the most pathetic raw sockets implementation.
>
> Cheers,
> Fyodor (who is currently occupied with a huge OS fingerprint update)

Cool. I'll have a look at the defragmentation linux is doing. I bet linux is
now defragmenting everything, whether it's from an external host or from a
local raw sockets program.
CONFIG_IP_ALWAYS_DEFRAG is mentioned in the nmap man page - perhaps this is
now always enabled, or has been changed to the default, or extended to apply
to local raw socket packets.

Thanks

Alan

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help@insecure.org . List archive: http://seclists.org
Received on Oct 07 2004
