mailing list archives
Re: Problem with PCAP in NSE
From: majek04 <majek04+nmap-dev () gmail com>
Date: Thu, 20 Dec 2007 21:20:33 +0100
On 12/20/07, Lionel Cons <lionel.cons () cern ch> wrote:
I've tried to use the PCAP functions in NSE and it seems that there is
a problem with the BPF handling.
I did specify a correct BPF string and a dummy hash function
(returning ""), in the hope that the BPF was enough to ignore unwanted
packets. Here is my code:
local callback = function(packetsz, layer2, layer3)
pcap:pcap_open(host.interface, 96, 0, callback,
string.format("udp and src port 123 and src host %s", host.ip))
However, when scanning several hosts in parallel, some script
instances received packets that should have been rejected by the BPF.
Well, it seems that your script is going to open one pcap descriptor
for every scanned host, which is not very efficient.
I'd suggest to code like this:
-- the key is source host field of ip packet. ie 12-15th byte of layer3 (ip)
pcap_callback = function(packetsz, layer2, layer3)
return string.sub(layer3, 12+1, 15+1) -- indexes begin with 1 (not 0)
pcap:pcap_open(host.interface, 96, 0, pcap_callback, "udp and
src port 123")
Maybe my full example could help you:
The result looks like this:
Host script results:
|_ PCAP example: packet got! (src host 18.104.22.168) packet:4500002.....
Nice to hear that someone's interested in pcap-nse :)
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org