Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Exp Features: -oP (pcap output format) and --version-ports
From: Kris Katterjohn <katterjohn () gmail com>
Date: Wed, 14 May 2008 21:56:18 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

jah wrote:
On 15/05/2008 00:05, Kris Katterjohn wrote:

But besides all of that, do you (or anybody) think the functionality
as-is would be good for Nmap proper?  I find the ability to log just the
raw packets quite useful, and any ideas for connect() logging can be
added later if implemented.
I have found it quite useful too, on occasions it's been really useful
for getting a better understanding of a result from OS detection.  I
think it would be a killer feature if it could capture more - and it
might be that including it now would generate enough interest to move it
in that direction.

Great, I'm glad you like it.  Hopefully we can find an elegant solution
for logging more information, because that would definitely be better.

I've been meaning to look into why I only see MAC Addresses in ARP
packets, but I haven't got around to that yet.  Is that by design?


I needed a single datalink type to be able to log ARP and IP packets
together, so I eventually settled on DLT_EN10MB (Ethernet).

ARP packets are built/sent and received with an Ethernet header, so the
MAC addresses get logged with no problem.

However, when IP packets are sent or received using raw sockets, this
information in unavailable, but I still need to provide something since
I'm using the Ethernet format.  I zero the hardware addresses and set
the ethertype to IP (0x0800).  This is all portable because it's all
just in malloc()'d space rather than some structs.

When sending IP packets with libdnet, the MAC address information is
available and should get logged.  I accidentally left this out, but I
have committed a fix in my branch.  Thanks for bringing this to my
attention.

Again, all of this is portable because it's all built and manipulated in
 malloc()'d space.  The "magic" for timing information and ethernet
header data is in log_pcap() in output.cc.

Regards,
jah


Thanks again,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSCumT/9K37xXYl36AQI9lxAAph1eRyQsZrYK2yOnGNhjNkZ1EZXQEFR2
m3Byxjo2rVdtH5MtM0SeGpmV5cHn10+o6mfLOIYk8re/6bM03ahRI2+rGxn/WQMd
sbJPr7d2L0oqS/bz8gwYzRTUH550AR/735iRTwyUuQ64qEv1Zc3prumEg/KAZfgG
GRpOq7heRKI94DCCSHn+Jl9275PbkVZYcFMMZekVkWk60RBwaJSOSmoK2d0WMsDm
w8CRFUrx6qjv4Cf3V2uI6ODd+sspdNirxYfNOBTcYuWibfulgn38CdowmBuqx5aW
+q2jd7bwmCz8loRHTF7Kw1oE0T65oXLxB5YeYP8aWfZThtHec+QE4vvgYVoDcECx
RRFnnbmvj4ZAmRddAtLHDgHOCF4AVEt80vOngYcZRDsKqmG0WoWzibOH0TmZqKTP
69fcrukQq9VNRTPhNe4K2AmBpoWQY0/BD+F/LxyrTU6dfRCyiKg44Bu/0FSCSWMi
KApc0DiAUUdW0og1edOTUyibI0WIVnFE9Wod3YO7IE1aWD7bJiotYHX2Xi9kip+x
l5B8CNs/0sAvp0QcYSQo9YVcFuWcIkTLc+YZiqiEYlk4bl1wo5o4Mf+DnKR6+jX4
jRLgd5LoWWd9iG+2xwv5UV60KWG3fWkMb1X0zjHSzBaQiGxaIJ6ZjEX/vjoWmkmu
ojPP61ub0x0=
=FLAf
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]