Nmap Development mailing list archives
Off by one in ICMP distance calculation?
From: David Fifield <david () bamsoftware com>
Date: Thu, 15 Sep 2011 09:48:51 -0700
During OS detection, we calculate distance by subtracting the
encapsulated TTL in an ICMP error reply from the TTL we set originally
when sending the probe:
    /* Count hop count */
    if (hss->distance == -1) {
      hss->distance = this->udpttl - ip2->ip_ttl;
    }
I think this is off by one: it reports one less than the actual
distance. I added this debugging line:
log_write(LOG_PLAIN, "TTL distance: %d - %d == %d\n", this->udpttl, ip2->ip_ttl, this->udpttl - ip2->ip_ttl);
and I tried running with traceroute. Here's a remote host:
TTL distance: 56 - 46 == 10
Network Distance: 11 hops
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 6.11 ms 192.168.0.1
...
9 29.23 ms 10gigabitethernet1-1.core1.fmt1.he.net (72.52.92.109)
10 14.23 ms linode-llc.10gigabitethernet2-3.core1.fmt1.he.net (64.62.250.6)
11 17.00 ms li86-221.members.linode.com (74.207.244.221)
and here's a directly connected host:
TTL distance: 61 - 61 == 0
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.23 ms 192.168.0.3
Directly connected hosts are already treated as a special case and set
to distance 1, so you would only notice the discrepancy against
multiple-hop hosts.
Does anyone else agree that this is off by one?
David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
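A small simulation of the arithmetic in the message, added here as an example (it is not Nmap code and not part of the original post). It models a probe sent with initial TTL `udpttl` crossing a given number of forwarding routers, each of which decrements the TTL by one, and a target that quotes the TTL it received in its ICMP error. The two constructed cases mirror the two traceroutes quoted above: a target at traceroute hop 11 (ten routers in between, initial TTL 56) and a directly connected target (no routers, initial TTL 61). `distance_as_computed` is the subtraction from the quoted snippet; `distance_plus_one` is the assumed correction that counts the target itself as the last hop.

```c
#include <stdio.h>

/* Simulate forwarding: each router decrements the TTL before passing the
 * packet on. The value returned is the TTL the target sees, which is what
 * it quotes back inside the ICMP error (ip2->ip_ttl in the snippet).
 * Returns 0 if the packet would have been discarded as TTL exceeded. */
int quoted_ttl_after_forwarding(int udpttl, int routers) {
    int ttl = udpttl;
    for (int i = 0; i < routers; i++) {
        ttl--;
        if (ttl <= 0)
            return 0;
    }
    return ttl;
}

/* Distance exactly as the quoted Nmap snippet computes it. */
int distance_as_computed(int udpttl, int quoted_ttl) {
    return udpttl - quoted_ttl;
}

/* Assumed correction: the subtraction yields the number of routers
 * crossed, and the target itself is one more hop, as traceroute counts. */
int distance_plus_one(int udpttl, int quoted_ttl) {
    return udpttl - quoted_ttl + 1;
}

int main(void) {
    /* Constructed cases matching the message's two traceroutes. */
    struct { int udpttl; int routers; int traceroute_hops; } cases[] = {
        { 56, 10, 11 },   /* remote host: target is traceroute hop 11 */
        { 61,  0,  1 },   /* directly connected host: traceroute hop 1 */
    };
    for (int i = 0; i < 2; i++) {
        int q = quoted_ttl_after_forwarding(cases[i].udpttl, cases[i].routers);
        printf("TTL distance: %d - %d == %d (traceroute says %d hops, +1 gives %d)\n",
               cases[i].udpttl, q,
               distance_as_computed(cases[i].udpttl, q),
               cases[i].traceroute_hops,
               distance_plus_one(cases[i].udpttl, q));
    }
    return 0;
}
```

Running it reproduces the two debug lines from the message (`56 - 46 == 10` and `61 - 61 == 0`) and shows that adding one matches the traceroute hop count in both cases, including the directly connected host that the code currently special-cases to 1.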