Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: nmap sending encapsulated packets
From: "Mike Lude" <mlude () pacbell net>
Date: Wed, 02 Apr 2008 18:52:25 -0700


Actually, I just fired up zenmap and took one of its canned scans 
("operating system detection"), but just about everything I try ends 
up sending these encapsulated packets. I don't think that it's 
anything special that I'm doing.

Let me know if I can help debug things.


On 2 Apr 2008 at 18:51, David Fifield wrote:

Date sent:              Wed, 2 Apr 2008 18:51:24 -0600
From:                   David Fifield <david () bamsoftware com>
To:                     nmap-dev () insecure org
Subject:                Re: nmap sending encapsulated packets

On Wed, Apr 02, 2008 at 06:51:28PM -0500, Kris Katterjohn wrote:
Hash: SHA1

Mike Lude wrote:
Now with almost any scan I do (for example, 
nmap -T Aggressive -O -v 
it says that it can't find the host, and when I add the suggested
-PN parameter it lists all ports as filtered, even though I have a
perfectly accessible webserver running on the host to be scanned.

So, I break out wireshark to see what's going on, and trace what
nmap is sending and what I am receiving at the host. Every single
outgoing packet is encapsulated, with a protocol of 0xFF. Here's a
hex dump of the first packet sent:

0000  9c f4 20 00 03 00 03 00  03 00 00 00 08 00 45 00   
0010  00 3c 94 91 00 00 80 ff  ed 8c c0 a8 9b 3d c0 a8   
0020  9b 16 45 00 00 28 71 62  00 00 2c 06 65 c9 c0 a8   
0030  9b 3d c0 a8 9b 16 d3 0d  00 50 79 f3 1a 0a 00 00   
0040  42 ba 50 10 04 00 4a 1a  00 00                     

This matches exactly with what I see on the host being scanned.

Hmm.. I don't know; hopefully somebody else on this list can say
something definitive.

Not just an unrecognized protocol, but if I'm not mistaken protocol
0xFF should never actually be sent over a network.  I think the old
hack (1980's) for sending raw IP packets w/headers involved patching
the kernel and setting the socket() protocol field to 0xFF since it
should never be used for anything.

Wow, Kris, thanks for refreshing my memory. I've seen this before. I
see it when I use --send-ip on Windows. Mike, are you using that
option? Nmap prints a warning in that case. If you're not, it seems
Nmap is acting as if you are, and we need to check it out.

255 is the numerical value of IPPROTO_RAW, which is usually a special
code that means to create a raw socket. I guess when Microsoft
disabled raw sockets they just stopped giving this code its magical
meaning, so it's interpreted literally as 255.

David Fifield

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]