Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: "sniffer" category
From: Patrik Karlsson <patrik () cqure net>
Date: Wed, 9 Nov 2011 00:27:20 +0100

On Wed, Nov 9, 2011 at 12:01 AM, David Fifield <david () bamsoftware com>wrote:

On Tue, Nov 08, 2011 at 09:43:30PM +0000, Luis MartinGarcia. wrote:
On 11/08/2011 08:27 PM, David Fifield wrote:
On Tue, Nov 08, 2011 at 05:23:52PM +0100, Patrik Karlsson wrote:
I'll check the broadcast-listener script for this as well. In regards
these sniffing scripts I would like to create the "sniffer" category
place them in there, rather than in the broadcast category as we've
discussed earlier.

I guess that the new category needs to be documented somewhere in
to changing the category in the scripts? Where would that place be,
and is
"sniffer" the category name to go with?
Is "sniffer" really what we want to express? It seems to me what people
want is a category for "scripts that run on the whole network with a
fixed delay that I don't care about when I'm just scanning a few
I think that people use "broadcast" with that meaning now, mostly in
form "and not broadcast". So "broadcast" might not be the right name
the category, but breaking out a separate "sniffer" is just going to
make people change to "and not broadcast and not sniffer".

I'm not entirely familiar with the current status of NSE scripts but, in
my opinion, it'd be good idea to group all those scripts that gather
information passively by capturing incoming packets. However, I'd name
the category "passive", not "sniffer". I think "passive" scripts can be
quite useful in penetration testing when one does not want to inject
packets into the network. We could perhaps define the "active" alias as
"all and not passive". Does this make sense?

"passive" is not a good name. Some of these scripts do in fact send
traffic (broadcast-dns-service-discovery is an example). What makes
these scripts different is that they do not target the hosts you give on
the command line. When I scan scanme.nmap.org with --script=safe, I
don't want a bunch of scripts telling me about things on my local
network. I really think that's what this is about, not
unicast/broadcast, sniffer, or active/passive. If the "broadcast" name
really bothers people, can we think of a name that reflects what this
category is actually used for?

David Fifield

Well, I think the broadcast name is good for the category of scripts that
actually do send broadcast and multicast traffic.
However, there are at least two broadcast-listener and targets-sniffer that
are passive as they don't send any data.
These are the ones I was thinking moving to a new category, as they differ
from the rest of the broadcast scripts.
But, maybe we should wait until we get more of them until we do, I don't
know ....

Patrik Karlsson
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]