Nmap Development: Re: Problem with PCAP in NSE

From: majek04 <majek04+nmap-dev_at_gmail.com>
Date: Thu, 20 Dec 2007 21:20:33 +0100

On 12/20/07, Lionel Cons <lionel.cons_at_cern.ch> wrote:
> I've tried to use the PCAP functions in NSE and it seems that there is
> a problem with the BPF handling.
>
> I did specify a correct BPF string and a dummy hash function
> (returning ""), in the hope that the BPF was enough to ignore unwanted
> packets. Here is my code:
>
> local callback = function(packetsz, layer2, layer3)
> return ""
> end
>
> pcap:pcap_open(host.interface, 96, 0, callback,
> string.format("udp and src port 123 and src host %s", host.ip))
>
> However, when scanning several hosts in parallel, some script
> instances received packets that should have been rejected by the BPF.

Well, it seems that your script is going to open one pcap descriptor
for every scanned host, which is not very efficient.

I'd suggest coding it like this:

-- the key is the source host field of the IP packet, i.e. bytes 12-15 of layer3 (IP)
pcap_callback = function(packetsz, layer2, layer3)
        return string.sub(layer3, 12+1, 15+1) -- indexes begin with 1 (not 0)
end

...
        pcap:pcap_open(host.interface, 96, 0, pcap_callback, "udp and src port 123")
        pcap:set_timeout(5000)

 ...
         pcap:pcap_register(host.bin_ip)

Maybe my full example could help you:
http://ai.pjwstk.edu.pl/~majek/private/nmap/nse-pcap-u2/partial/pcap-example.nse

The result looks like this:
Host script results:
|_ PCAP example: packet got! (src host 89.171.64.43) packet:4500002.....

Nice to hear that someone's interested in pcap-nse :)

Marek Majkowski

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Dec 20 2007
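
The keying scheme the reply describes, as an added stand-alone Lua model (not Nmap's pcap library and not code from either poster). The packets use constructed RFC 5737 addresses, and `dispatch`, the instance names, and the rule that a packet is handed to every instance registered under the callback's key are assumptions made for illustration.

```lua
-- Added example: a stand-alone model, not Nmap's pcap library.
-- Addresses and packets are constructed (RFC 5737 documentation range).

-- "a.b.c.d" -> 4-byte binary string, the form the reply registers as host.bin_ip.
local function bin_ip(dotted)
  local a, b, c, d = dotted:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  return string.char(tonumber(a), tonumber(b), tonumber(c), tonumber(d))
end

-- Minimal IPv4 header (20 bytes, no options) plus a UDP header with source port 123.
local function ntp_reply(src, dst)
  return string.char(0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0)
      .. bin_ip(src) .. bin_ip(dst)
      .. string.char(0, 123, 0x30, 0x39, 0, 8, 0, 0)
end

-- Callback from the reply: key is the IP source address, bytes 12..15 (0-based).
local function key_by_source(packetsz, layer2, layer3)
  return string.sub(layer3, 12 + 1, 15 + 1)
end

-- Callback from the question: every packet maps to the same key.
local function key_constant(packetsz, layer2, layer3)
  return ""
end

-- Assumed dispatch rule: a packet goes to each instance registered under its key.
local function dispatch(callback, registered, packets)
  local log = {}
  for _, pkt in ipairs(packets) do
    local key = callback(#pkt, "", pkt)
    for _, instance in ipairs(registered[key] or {}) do
      local a, b, c, d = string.byte(pkt, 13, 16)
      log[#log + 1] = string.format("%s <- %d.%d.%d.%d", instance, a, b, c, d)
    end
  end
  return log
end

local scanner = "192.0.2.1"
local packets = { ntp_reply("192.0.2.10", scanner), ntp_reply("192.0.2.20", scanner) }
local per_host = { [bin_ip("192.0.2.10")] = { "script@.10" }, [bin_ip("192.0.2.20")] = { "script@.20" } }
local shared = { [""] = { "script@.10", "script@.20" } }

print("keyed by source address:")
for _, line in ipairs(dispatch(key_by_source, per_host, packets)) do print("  " .. line) end
print("constant key:")
for _, line in ipairs(dispatch(key_constant, shared, packets)) do print("  " .. line) end
```

With the source-address key each modelled instance sees only the packet from its own target; with the constant key the key carries no host information, so both instances see both packets.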
