Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Off by one in ICMP distance calculation?
From: David Fifield <david () bamsoftware com>
Date: Thu, 15 Sep 2011 09:48:51 -0700

During OS detection, we calculate distance by subtracting the
encapsulated TTL in an ICMP error reply from the TTL we set originally
when sending the probe:
  /* Count hop count */
  if (hss->distance == -1) {
    hss->distance = this->udpttl - ip2->ip_ttl;
  }
I think this is off by one: it reports one less than the actual
distance. I added this debugging line:
  log_write(LOG_PLAIN, "TTL distance: %d - %d == %d\n", this->udpttl, ip2->ip_ttl, this->udpttl - ip2->ip_ttl);
and I tried running with traceroute. Here's a remote host:
  TTL distance: 56 - 46 == 10
  Network Distance: 11 hops
  TRACEROUTE (using port 53/tcp)
  HOP RTT      ADDRESS
  1   6.11 ms  192.168.0.1
   ...
  9   29.23 ms 10gigabitethernet1-1.core1.fmt1.he.net (72.52.92.109)
  10  14.23 ms linode-llc.10gigabitethernet2-3.core1.fmt1.he.net (64.62.250.6)
  11  17.00 ms li86-221.members.linode.com (74.207.244.221)
and here's a directly connected host:
  TTL distance: 61 - 61 == 0
  Network Distance: 1 hop
  TRACEROUTE
  HOP RTT     ADDRESS
  1   0.23 ms 192.168.0.3

Directly connected hosts are already treated as a special case and set
to distance 1, so you would only notice the discrepancy against
multiple-hop hosts.

Does anyone else agree that this is off by one?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault