Hi nmap-dev!
These past few days I've been porting a program of mine (nuff) to OpenBSD and I noticed an oddity in how OpenBSD handles BPF descriptors. It turns out that (unlike linux) OpenBSD won't mark a descriptor readable (via select) as soon as it receives a packet. Instead, It will wait until a buffer is full.
So under certain network conditions (ie very few packets on the wire matching your BPF filters) this can result in slow scans on OpenBSD. Fortunatley, OpenBSD (and possibly other similar operating systems) let you override this behaviour with a BIOCIMMEDIATE ioctl on the descriptor. I have tested this and found that using this results in faster scans than the current (selectable fd) behaviour and the old (polling) behaviour.
I am attaching my current patch to nmap-4.21ALPHA1 but I don't think it's ready for incorporation yet. Here is what remains to be done:
* Figure out what other operating systems will benefit from BIOCIMMEDIATE (I suspect at least NetBSD).
* Find a better way than the #define hack in my patch. The BIOCIMMEDIATE constant is straight out of OpenBSD's /usr/include/net/bpf.h . Ideally we should #include <net/bpf.h> as described in OpenBSD's man bpf. I tried this but some of the structures defined there conflict with the bpf.h that nmap currently includes.
If anybody has any ideas or suggestions regarding the above points please reply to nmap-dev!
Best,
Doug
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Feb 22 2007
Intro
