Re: Minor change to "Chapter 8. Remote OS Detection"
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sat, 07 May 2011 10:42:13 -0500
On 05/07/2011 05:13 AM, Luis MartinGarcia. wrote:
> Current version of "Chapter 8. Remote OS Detection" says:
>
> "That length varies by implementation because they are allowed to choose
> how much data from the original probe to include, as long as they meet
> the minimum RFC 792 requirement. That requirement is to include the
> original IP header and at least eight bytes of data."
>
> I've been reading RFC 792, and the sentence above is not correct.
> Nowhere in the RFC does it say that they are allowed to choose how much data
> from the original probe to include. I know implementations do what they
> want, but in theory, they should only include the original IP header
> plus the next 64 bits of data. This is why I suggest re-writing the
> sentence to something like the following:
>
> "That length varies because, although RFC 792 requires the inclusion of
> the original IP header plus the next 8 octets of data, some
> implementations include the whole datagram or more than 8 bytes of its
>
> I attach a patch for this, although some native English speaker may want
> to do a bit of rewording.

Section 3.2.2 of RFC 1122 (Requirements for Internet Hosts):
"Every ICMP error message includes the Internet header and at
least the first 8 data octets of the datagram that triggered
the error; more than 8 octets MAY be sent; this header and data
MUST be unchanged from the received datagram."
This RFC updates and corrects some details in previous RFCs like 792 and 793,
and is the one implementations would follow for things like this, so just
changing the RFC number in Ch8 would be more accurate.
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
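
The length check this thread is about, as an added example (not code from Nmap or from either poster): it measures how many data octets of the triggering datagram an ICMP error quotes and compares that with the 8-octet minimum in the RFC 1122 text quoted above. The function names, ports, addresses and packets are constructed for illustration, and only IPv4 is handled.

```python
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # unreachable, quench, redirect, time exceeded, param problem

def quoted_datagram_info(icmp: bytes) -> dict:
    """Measure how much of the triggering IPv4 datagram an ICMP error quotes."""
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error message")
    quoted = icmp[8:]                       # after type, code, checksum, 4 unused/pointer bytes
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("no complete quoted IPv4 header")
    ihl = (quoted[0] & 0x0F) * 4            # quoted header length, options included
    if ihl < 20 or len(quoted) < ihl:
        raise ValueError("quoted IPv4 header is malformed or truncated")
    total_len = struct.unpack("!H", quoted[2:4])[0]   # as reported in the quoted header
    data_quoted = len(quoted) - ihl
    # Assumption: a datagram with fewer than 8 data octets can only be quoted whole.
    required = min(8, max(total_len - ihl, 0))
    return {
        "ip_header_len": ihl,
        "data_octets_quoted": data_quoted,
        "meets_minimum": data_quoted >= required,
        "whole_datagram": len(quoted) >= total_len,
    }

def build_sample(payload_len: int, quote_len: int) -> bytes:
    """Constructed port-unreachable error quoting quote_len data octets of a UDP probe."""
    udp = struct.pack("!HHHH", 40000, 33434, 8 + payload_len, 0) + b"C" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1042, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # documentation addresses
    icmp_hdr = struct.pack("!BBHI", 3, 3, 0, 0)   # checksum left 0; it is not validated here
    return icmp_hdr + ip + udp[:quote_len]

if __name__ == "__main__":
    for label, quote_len in (("minimum", 8), ("whole datagram", 308), ("too short", 4)):
        print(label, quoted_datagram_info(build_sample(300, quote_len)))
```
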