Nmap Development: Re: Why does nmap send multiple probes to the same port?

Re: Why does nmap send multiple probes to the same port?

From: Andreas Ericsson <ae_at_op5.se>
Date: Thu, 12 Jan 2006 04:37:33 +0100

Casey Williams wrote:
> I've noticed the same thing with -sS and -P0 which I didn't think used connect(). I've
> actually been wondering about this recently myself because I've been writing my own
> lightweight port scanning engine using libnet to inject SYN probes. I've noticed that if I
> loop over the range of IP addresses and immediately send the probe, I won't always get a
> reply from hosts that I know should have replied. However, if I sleep() for 1 millisecond
> between probe sends, it *will* send the reply. However, this 1 ms sleep() can add up over
> many hosts/ports, and I can't seem to sleep() for a shorter period of time, (even
> nanosleep() doesn't seem to work for me).
>

On Linux the nanosleep call is based on the kernel timer, so that means
a maximum resolution of 1HZ/s (10 ms for Linux < 2.6.9).

> ***pure conjecture ahead***
>
> So I started wondering how nmap was able to be so reliable and yet SO fast (kudos!). Then I
> realized that it may be sending these "retry" probes to hosts that it doesn't know the
> status of and that it didn't get a reply from.
>
> I've been reading the nmap source and stepping through it, but I haven't verified that this
> is correct. Am I on the right track? If not, would this tactic be unrecommended?
>

You're missing the point a bit. The error messages mean that nmap
didn't send those probes. It tried to, but the system told it there was
already a connection attempt in progress.

-- 
Andreas Ericsson                   andreas.ericsson_at_op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on Jan 11 2006
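
Added example, not part of the original message or of nmap: a small C program that measures how long short nanosleep() requests actually take on the local machine, which is the timer-granularity effect discussed in the reply above. The helper names sleep_ns and measure_min_sleep_ns and the requested durations are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <time.h>

/* Sleep for req_ns nanoseconds, resuming with the remainder if a signal
 * interrupts the call. Returns 0 on success, -1 on any other error. */
static int sleep_ns(long req_ns)
{
    struct timespec req = { req_ns / 1000000000L, req_ns % 1000000000L };
    struct timespec rem;
    while (nanosleep(&req, &rem) == -1) {
        if (errno != EINTR)
            return -1;
        req = rem;
    }
    return 0;
}

/* Shortest observed wall time (ns) over `rounds` sleeps of req_ns each,
 * measured with CLOCK_MONOTONIC. Returns -1 on error. The minimum filters
 * out scheduling noise and approximates the timer's effective granularity. */
long measure_min_sleep_ns(long req_ns, int rounds)
{
    long best = -1;
    for (int i = 0; i < rounds; i++) {
        struct timespec t0, t1;
        if (clock_gettime(CLOCK_MONOTONIC, &t0) != 0 || sleep_ns(req_ns) != 0 ||
            clock_gettime(CLOCK_MONOTONIC, &t1) != 0)
            return -1;
        long elapsed = (long)(t1.tv_sec - t0.tv_sec) * 1000000000L
                     + (t1.tv_nsec - t0.tv_nsec);
        if (best < 0 || elapsed < best)
            best = elapsed;
    }
    return best;
}

int main(void)
{
    /* Constructed request sizes: 1 us, 100 us, 1 ms, 10 ms. */
    const long requests[] = { 1000L, 100000L, 1000000L, 10000000L };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("requested %8ld ns -> shortest observed %8ld ns\n",
               requests[i], measure_min_sleep_ns(requests[i], 20));
    return 0;
}
```

If the shortest observed time stays flat while the requested time shrinks, the sleep is being rounded up to the timer granularity of that system.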