Re,
On Wed, Aug 03, 2005 at 03:16:58AM +0100, zaka rias wrote:
> You ask me to look closer into 'ttl' (it took 14 hours
> for me to surf bout 'what's ttl exactly ?').
The TTL field in an IP packet is a counter that is initialized to an
OS-specific value (often 64 or 255) and decremented each time a packet
traverses a layer-3 hop (== router). If the TTL value is 0 the packet
gets discarded. This concept was invented to prevent "loops" in the
network where packets circulate forever and ever (easily observed when
you have two systems A and B and both have mutually the other system as
the default gateway).
That should be described in most network TCP/IP primers, see
http://en.wikipedia.org/wiki/Time_to_live
> have a look at this ethereal log, i cut unnecessary
> thing from real log (but you can find
> the full log in attachment) :
> =======================================================================
> No.Time Source Destination Prto
> 15 16.136761 192.168.0.2 207.46.18.30 TCP 2227 [...]
> Time to live: 64
Ok, your OS sends the packets out with an initial 64 in the TTL. That's
quite common for slightly older operating systems. Some have switched
already to 255 and the value can usually be configured in the network
settings.
> 16 17.232115 207.46.18.30 192.168.0.2 TCP http [...]
> Time to live: 62
This is obviously the returned packet. It has 62 as TTL which looks very
much like 64 - 2. So, assuming that the 207.46.18.30 system has also 64
as initial TTL, it is only 2 hops away from your network. I doubt that
you are located that closely to microsoft.com. It is a first indicator
that your ISP does something with your packets and rewrites them.
> so i look at ethereal log, first packet with TTL 64
> and then i got received packet (2nd frame)
> with TTL 62, so i can say that my isp's using
> transparent proxy.
Ehm, well, that is not a proof, since you (and I) are comparing packets
of two directions (one egress and the second ingress). I'd be interested
in the different TTL values FROM a single address sent to your machine,
as often only selected services are proxied or port-forwarded (most
specifically HTML-traffic).
> is that what u mean with 'look closely to the TTL
> values" ?
I more or less meant the same thing you did. You might repeat it with an
nmap -n -v -sS -p80,443
scan and compare the results.
You may ask the other TTL question in PM.
Regards,
Nils Magnus
Program-Chair LinuxTag 2005 Free Conference Program
LinuxTag 2005: Where .com meets .org - magnus_at_linuxtag.org
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on Aug 04 2005
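
The comparison suggested in the message above (TTL values from a single address, per service) can be sketched as follows. This is an added example, not part of the original post: the function names are hypothetical, 128 as a third common initial TTL is an assumption, and every sample row except the 207.46.18.30 port 80 value of 62 is constructed.

```python
from collections import defaultdict

# 64 and 255 are the initial TTLs named in the message; 128 is an added
# assumption (another widely used default).
COMMON_INITIAL_TTLS = (64, 128, 255)

def estimate_hops(observed_ttl):
    """Guess (initial_ttl, hops) from the TTL of a received packet.

    Picks the smallest common initial TTL that is >= the observed value.
    This is only an estimate: the sender's real initial TTL is unknown.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl

def find_ttl_mismatches(observations):
    """observations: (source_ip, source_port, ttl) tuples for ingress packets.

    Returns {source_ip: {port: set_of_ttls}} for every source whose ports
    answer with different TTLs, i.e. the replies for one service seem to
    originate closer (or farther) than the replies for another service.
    """
    per_source = defaultdict(lambda: defaultdict(set))
    for src, port, ttl in observations:
        per_source[src][port].add(ttl)
    mismatches = {}
    for src, ports in per_source.items():
        if len({frozenset(ttls) for ttls in ports.values()}) > 1:
            mismatches[src] = {p: set(t) for p, t in ports.items()}
    return mismatches

# Constructed sample: reply packets as seen on the local machine.
SAMPLE = [
    ("207.46.18.30", 80, 62),    # value from the quoted ethereal log
    ("207.46.18.30", 80, 62),
    ("207.46.18.30", 443, 49),   # constructed
    ("198.51.100.7", 80, 51),    # constructed, consistent across ports
    ("198.51.100.7", 443, 51),
]

if __name__ == "__main__":
    for src, ports in find_ttl_mismatches(SAMPLE).items():
        for port, ttls in sorted(ports.items()):
            for ttl in sorted(ttls):
                initial, hops = estimate_hops(ttl)
                print(f"{src}:{port} ttl={ttl} ~{hops} hops (initial {initial})")
```

A mismatch is an indicator to investigate rather than proof, since different services on one address can legitimately be served from different hosts.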