Nmap Development: Re: Nmap says Host down when actually host is up.

Re: Nmap says Host down when actually host is up.

From: kx <kxmail_at_gmail.com>
Date: Fri, 26 Oct 2007 08:46:55 +0200

I can't say for ICMP, but I have definitely written a generic UDP
server on a Solaris box before that had multiple IP addresses, that
was listening on all IPs, and when the server would reply to a UDP
packet, the kernel behavior would be to reply from the IP address on
the Solaris box that was closest to the source, not necessarily from
the IP address it received the packet on.

Now, in this case it made sense, I would send a packet from a subnet
connected to the Solaris box, but I would send it to the IP address
not on the subnet. The response would come back from the IP address on
my subnet.

Example

Solaris has IP 10.10.1.5 and 10.10.100.5
I am IP 10.10.1.6

10.10.1.6 -- UDP --> 10.10.100.5
10.10.1.6 <-- UDP -- 10.10.1.5

Not as clear as is what is going on below, and as Kris stated, it
shouldn't happen with ICMP, but just throwing it out for
consideration.

Cheers,
  kx

On 10/26/07, Dario Ciccarone (dciccaro) <dciccaro_at_cisco.com> wrote:
> Hm. 10.10.209.18 *could be* the network address for subnet
> 10.10.10.209.108/30 - hosts being .109 and .110, broadcast .111 - still
> wouldn't explain why .2 is replying. Funny.
>
> Got the whole packet capture for this? The ICMP echo request should
> include the whole content of the payload section of the ICMP echo
> request. Can you add some payload and see what you get back ? see if it
> also changes the data ?
>
> I would theorize .2 has the wrong network mask for the subnet, the
> router for .108/30 is translating the ping to a subnet-level broadcast
> and .2 is replying - but using .30 implies a P2P link, not a broadcast
> medium w/ multiple hosts on it . . .
>
>
> Dario
>
>
> > -----Original Message-----
> > From: nmap-dev-bounces_at_insecure.org
> > [mailto:nmap-dev-bounces_at_insecure.org] On Behalf Of Fyodor
> > Sent: Thursday, October 25, 2007 5:23 PM
> > To: Swapnali
> > Cc: nmap-dev_at_insecure.org
> > Subject: Re: Nmap says Host down when actually host is up.
> >
> > On Thu, Oct 25, 2007 at 09:08:05AM -0500, Swapnali wrote:
> > > Following is verbose output.
> > >
> > > Nmap says Host 10.10.209.108 seems to be a subnet broadcast address
> > > (returned 1 extra pings)
> > >
> > > D:\>nmap -sP -vv --packet-trace 10.10.209.108
> > >
> > > Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-23
> > 08:40 Central
> > > Daylight
> > > Time
> > > SENT ( 0.2340s) ICMP 10.205.42.40 > 10.10.209.108 Echo request
> > > (type=8/code=0) ttl=56 id=10663 iplen=28
> > > RCVD (0.2660s) ICMP 10.204.100.2 > 10.205.42.40 Echo reply
> > (type=0/code=0)
> > > ttl=249 id=10663 iplen=28
> >
> > Are you sure this host is really up? If so, it is strange that it is
> > replying to the ping packet from a different IP than the one the ping
> > was sent to. I normally only see that with subnet-directed broadcast
> > addresses, so Nmap does not treat the machine as being up unless it
> > receives the response from the same address it sent to. It is also
> > interesting that this target host apparently didn't reply to the port
> > 80 request. Again, are you sure it is actually up? What OS is it
> > running?
> >
> > Does anyone know if the RFC even allows a machine receiving an ICMP
> > echo request to respond from a different IP address? I doubt that is
> > allowed, but I'm not certain.
> >
> > Cheers,
> > -F
> >
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://SecLists.Org
> >
>

Received on Oct 25 2007
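
The check discussed in this thread, as an added example that is not part of the original messages and is not Nmap's own code: it parses ICMP lines in the `--packet-trace` layout quoted above, pairs each echo reply with a sent request, and flags replies whose source differs from the probed address. Pairing on the printed `id` value is an assumption taken from the quoted trace; the function names and the second sample pair are constructed for illustration.

```python
import re

# Matches the ICMP echo lines of the --packet-trace output quoted in the thread.
TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD)\s+\(\s*(?P<t>[\d.]+)s\)\s+ICMP\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+>\s+(?P<dst>\d+(?:\.\d+){3})\s+"
    r"Echo (?P<kind>request|reply)\b.*?\bid=(?P<id>\d+)"
)

def parse_trace(text):
    """Return one dict per ICMP echo line; all other lines are ignored."""
    return [m.groupdict() for m in map(TRACE_RE.match, text.splitlines()) if m]

def classify_replies(events):
    """Pair each received echo reply with a sent request and compare addresses.

    Assumption: a reply belongs to the request that carries the same id value
    and was sent from the address the reply is delivered to.
    """
    probes = [e for e in events if e["dir"] == "SENT" and e["kind"] == "request"]
    results = []
    for r in (e for e in events if e["dir"] == "RCVD" and e["kind"] == "reply"):
        probe = next((p for p in probes
                      if p["id"] == r["id"] and p["src"] == r["dst"]), None)
        if probe is None:
            verdict = "unsolicited"        # no request accounts for this reply
        elif r["src"] == probe["dst"]:
            verdict = "match"              # reply came from the probed address
        else:
            verdict = "source-mismatch"    # the case reported in this thread
        results.append((probe["dst"] if probe else None, r["src"], verdict))
    return results

# First pair: the trace from the thread, with the mail client's line wraps undone.
# Second pair: constructed, showing a reply that comes from the probed address.
SAMPLE = """\
SENT ( 0.2340s) ICMP 10.205.42.40 > 10.10.209.108 Echo request (type=8/code=0) ttl=56 id=10663 iplen=28
RCVD (0.2660s) ICMP 10.204.100.2 > 10.205.42.40 Echo reply (type=0/code=0) ttl=249 id=10663 iplen=28
SENT ( 0.3010s) ICMP 10.205.42.40 > 10.10.1.5 Echo request (type=8/code=0) ttl=56 id=20001 iplen=28
RCVD (0.3050s) ICMP 10.10.1.5 > 10.205.42.40 Echo reply (type=0/code=0) ttl=64 id=20001 iplen=28
"""

if __name__ == "__main__":
    for target, responder, verdict in classify_replies(parse_trace(SAMPLE)):
        print(f"probed {target}, reply from {responder}: {verdict}")
```

A `source-mismatch` verdict points at the situations raised in the thread: a subnet-directed broadcast address or a multi-homed responder answering from another of its addresses.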
