Nmap Development mailing list archives

Re: nmap vs multiple IP address on one NIC
From: David Fifield <david () bamsoftware com>
Date: Mon, 19 Nov 2007 23:25:06 -0700

On Wed, Oct 31, 2007 at 09:41:27AM +0300, preacherandrew () mail ru wrote:
> On Tue, Oct 23, 2007, Fyodor wrote:
> > On Fri, Oct 19, 2007 at 04:36:45PM +0400, preacherandrew () mail ru wrote:
> > > Hi, Fyodor.
> > >
> > > My config:
> > > Windows 2000; one NIC; in TCP/IP properties set multiple IP addresses
> >
> > Hi Andrew.  Thanks for your report.  Maybe we need to move the
> > entry->intf_len assignment.  Would you please email your report to
> > nmap-dev () insecure org so that more people have a chance to look at it?
>
> Hi Fyodor. I have sent my report to nmap-dev () insecure org. But maybe the
> problem is wider. I tried to fix the problem by moving
> memset(entry, 0, sizeof(*entry));
> out of the "_ifrow_to_entry" function, and the "set aliases" code fragment is
> executed. But this fix doesn't help me in my case ("multiple IP addresses on one
> network card").
> The point is that nmap uses only one of the addresses
> returned by GetIpAddrTable. Because of that nmap's results may be inadequate.
>
> For example:
> host has two IP addresses on one network card - and Default router -
> 1) I run "nmap --iflist".
> 2) GetIpAddrTable returns addresses in such order:,
> 3) Nmap takes into account only the first address returned by GetIpAddrTable-
> 4) Then nmap tries to verify the default router using this address
> ( This results in "WARNING: Unable to find appropriate interface for system
> route to" (more precisely, lots of such warnings - for
> almost each entry in "route print"). In reality, the default router is ok - it is
> reachable from the host's other address (, but nmap doesn't take
> the other address into account.

Thanks for the detailed report. Can you try the attached patch?

I don't know too much about Windows networking. I set up a Windows XP
computer with two IP addresses on different subnets on the same NIC.
This is what nmap --iflist displays with the patch:

Starting Nmap 4.23RC2 ( http://insecure.org ) at 2007-11-19 23:16 Pacific Standard Time
eth0 (eth0) ethernet up 00:D0:59:B7:66:0B
eth0 (eth0) ethernet up 00:D0:59:B7:66:0B
lo0  (lo0)      loopback up

eth0 \Device\NPF_{FBA5E85C-7959-4351-8D7A-09F319B090A7}
lo0  \Device\NPF_GenericDialupAdapter

DST/MASK           DEV  GATEWAY   eth0   lo0   lo0   eth0 eth0      eth0      eth0        lo0        eth0          eth0

Is it weird to have both interfaces called "eth0" even though one is an
alias of the other? This matches what happens on Linux except that Linux
provides suffixed names like eth0:1. Anyway this patch makes port scans
on either subnet work for me.

Gianluca, can you try this patch too? There's a slight chance that it
will have an effect on the problem you've observed in

David Fifield

Attachment: intf-win.diff

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
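The failure mode Andrew describes, as an added example that is not part of this message, of nmap or of libdnet: interface entries are built from a constructed address table shaped like the rows GetIpAddrTable returns (address, interface index, mask; no Windows API is called, so it runs anywhere), once keeping only the first address seen per interface index and once keeping every alias, and a route's gateway is then matched against the entries. The names build_intfs, intf_for_gateway and route_lookup, the sample addresses, and the one-entry-with-several-addresses layout are this example's own assumptions, not nmap's data structures or its --iflist output (the patched nmap above shows the alias as a second eth0 entry instead).

```c
/* Added example, not nmap or libdnet code: why matching a system route's
 * gateway against only the first address of a NIC fails when the NIC
 * carries several addresses.  The address table below is constructed with
 * the three MIB_IPADDRROW fields that matter (address, interface index,
 * mask); no Windows API is called. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ALIASES 8
#define MAX_IFACES  8

/* One row of the constructed address table, host-order IPv4 values. */
struct addr_row {
    uint32_t addr;
    uint32_t index;   /* interface index; aliases on one NIC share it */
    uint32_t mask;
};

/* Interface entry with room for every address configured on the NIC. */
struct intf_entry {
    uint32_t index;
    int      naddrs;
    uint32_t addr[MAX_ALIASES];
    uint32_t mask[MAX_ALIASES];
};

/* Constructed table: one NIC (index 2) with 10.0.0.5/24 listed before
 * 192.168.1.5/24, mirroring the report where the address sharing the
 * gateway's subnet comes second, plus loopback on index 1. */
static const struct addr_row sample_rows[] = {
    { 0x0A000005u, 2, 0xFFFFFF00u },   /* 10.0.0.5/24    */
    { 0xC0A80105u, 2, 0xFFFFFF00u },   /* 192.168.1.5/24 */
    { 0x7F000001u, 1, 0xFF000000u },   /* 127.0.0.1/8    */
};
#define SAMPLE_NROWS (int)(sizeof(sample_rows) / sizeof(sample_rows[0]))

static const uint32_t sample_gateway = 0xC0A80101u;  /* 192.168.1.1 (constructed) */

/* Build interface entries from the rows.  keep_aliases == 0 keeps only the
 * first row seen for each interface index (the behaviour the report
 * describes); keep_aliases != 0 appends later rows as aliases. */
static int build_intfs(const struct addr_row *rows, int nrows, int keep_aliases,
                       struct intf_entry *out, int maxout)
{
    int n = 0;
    for (int i = 0; i < nrows; i++) {
        struct intf_entry *e = NULL;
        for (int j = 0; j < n; j++)
            if (out[j].index == rows[i].index) { e = &out[j]; break; }
        if (e == NULL) {
            if (n == maxout) break;
            e = &out[n++];
            memset(e, 0, sizeof(*e));
            e->index = rows[i].index;
        } else if (!keep_aliases || e->naddrs == MAX_ALIASES) {
            continue;          /* later address on the same NIC is dropped */
        }
        e->addr[e->naddrs] = rows[i].addr;
        e->mask[e->naddrs] = rows[i].mask;
        e->naddrs++;
    }
    return n;
}

/* Interface index whose address/mask covers gateway, or -1 if none does,
 * which is the "Unable to find appropriate interface for system route"
 * condition.  Every alias is checked, not just addr[0]. */
static int intf_for_gateway(const struct intf_entry *ifs, int n, uint32_t gateway)
{
    for (int i = 0; i < n; i++)
        for (int k = 0; k < ifs[i].naddrs; k++)
            if ((ifs[i].addr[k] & ifs[i].mask[k]) == (gateway & ifs[i].mask[k]))
                return (int)ifs[i].index;
    return -1;
}

/* Lookup result for the sample table with aliases dropped (0) or kept (1). */
static int route_lookup(int keep_aliases)
{
    struct intf_entry ifs[MAX_IFACES];
    int n = build_intfs(sample_rows, SAMPLE_NROWS, keep_aliases, ifs, MAX_IFACES);
    return intf_for_gateway(ifs, n, sample_gateway);
}

int main(void)
{
    printf("first address only: interface %d\n", route_lookup(0));
    printf("all aliases kept:   interface %d\n", route_lookup(1));
    return 0;
}
```

With the first address only, no entry covers 192.168.1.1 and the lookup returns -1, the condition behind the warnings Andrew saw for almost every entry in "route print"; with the alias kept, the lookup returns interface index 2. The check is a plain subnet match; whatever nmap actually does to pair routes with interfaces on Windows is not shown here.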
