Re: Exp Features: -oP (pcap output format) and --version-ports
From: Kris Katterjohn <katterjohn () gmail com>
Date: Wed, 14 May 2008 21:56:18 -0500
> On 15/05/2008 00:05, Kris Katterjohn wrote:
>> But besides all of that, do you (or anybody) think the functionality
>> as-is would be good for Nmap proper? I find the ability to log just the
>> raw packets quite useful, and any ideas for connect() logging can be
>> added later if implemented.
> I have found it quite useful too, on occasions it's been really useful
> for getting a better understanding of a result from OS detection. I
> think it would be a killer feature if it could capture more - and it
> might be that including it now would generate enough interest to move it
> in that direction.

Great, I'm glad you like it. Hopefully we can find an elegant solution
for logging more information, because that would definitely be better.
> I've been meaning to look into why I only see MAC Addresses in ARP
> packets, but I haven't got around to that yet. Is that by design?

I needed a single datalink type to be able to log ARP and IP packets
together, so I eventually settled on DLT_EN10MB (Ethernet).
ARP packets are built/sent and received with an Ethernet header, so the
MAC addresses get logged with no problem.
However, when IP packets are sent or received using raw sockets, this
information is unavailable, but I still need to provide something since
I'm using the Ethernet format. I zero the hardware addresses and set
the ethertype to IP (0x0800). This is all portable because it's all
just in malloc()'d space rather than some structs.
When sending IP packets with libdnet, the MAC address information is
available and should get logged. I accidentally left this out, but I
have committed a fix in my branch. Thanks for bringing this to my
Again, all of this is portable because it's all built and manipulated in
malloc()'d space. The "magic" for timing information and ethernet
header data is in log_pcap() in output.cc.
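As an added example, not code from Nmap or from this thread: a small C routine that does for raw-socket IP packets what the message above describes (zeroed hardware addresses, ethertype 0x0800, frame assembled in malloc()'d space) and writes the result as one record of a DLT_EN10MB pcap file, the same link type the ARP frames use. The function names, the constructed IPv4 header and the output path are assumptions.

```c
/* Added example (not Nmap's log_pcap()): give a raw-socket IP packet a
 * synthetic Ethernet header so it can share a DLT_EN10MB pcap with real
 * ARP frames, which already carry their own MAC addresses. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_HLEN          14
#define ETHERTYPE_IP      0x0800
#define LINKTYPE_ETHERNET 1      /* pcap global-header value for DLT_EN10MB */

/* Builds the frame in malloc()'d space: dst and src MACs are zeroed because a
 * raw socket never saw them, ethertype is 0x0800, and the IP packet follows
 * unchanged. Caller frees; returns NULL on allocation failure. */
uint8_t *wrap_raw_ip(const uint8_t *ip, size_t iplen, size_t *framelen) {
    uint8_t *frame = malloc(ETH_HLEN + iplen);
    if (frame == NULL) return NULL;
    memset(frame, 0, 12);                     /* dst MAC (6) + src MAC (6) */
    frame[12] = ETHERTYPE_IP >> 8;            /* ethertype, big-endian */
    frame[13] = ETHERTYPE_IP & 0xff;
    memcpy(frame + ETH_HLEN, ip, iplen);
    *framelen = ETH_HLEN + iplen;
    return frame;
}

/* Classic pcap writer: 24-byte global header, then one 16-byte record header
 * and the frame. Fields go out in host byte order; readers detect the order
 * from the magic number. Returns total bytes written, or -1 on error. */
static void put32(FILE *f, uint32_t v) { fwrite(&v, sizeof v, 1, f); }
static void put16(FILE *f, uint16_t v) { fwrite(&v, sizeof v, 1, f); }

long write_pcap(const char *path, const uint8_t *frame, size_t len,
                uint32_t ts_sec, uint32_t ts_usec) {
    FILE *f = fopen(path, "wb");
    if (f == NULL) return -1;
    put32(f, 0xa1b2c3d4); put16(f, 2); put16(f, 4);   /* magic, version 2.4 */
    put32(f, 0); put32(f, 0); put32(f, 65535);        /* thiszone, sigfigs, snaplen */
    put32(f, LINKTYPE_ETHERNET);                      /* one link type for all records */
    put32(f, ts_sec); put32(f, ts_usec);              /* capture timestamp */
    put32(f, (uint32_t)len); put32(f, (uint32_t)len); /* incl_len, orig_len */
    fwrite(frame, 1, len, f);
    long total = ftell(f);
    return fclose(f) == 0 ? total : -1;
}
```

Open the resulting file in a pcap reader and the record shows as an Ethernet frame with 00:00:00:00:00:00 on both sides, exactly the artifact the message says to expect for raw-socket IP traffic.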
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org