Nmap Development mailing list archives

Re: nmap: [REGRESSION 5.00-3 -> 6.00-0.3] -sP fails with "nexthost: failed to determine route to X.X.X.X"
From: David Fifield <david () bamsoftware com>
Date: Tue, 6 Aug 2013 17:08:14 -0700

On Tue, Aug 06, 2013 at 10:30:26AM +0300, Timo Juhani Lindfors wrote:
> David Fifield <david () bamsoftware com> writes:
> > Another thing to try: The --route-dst option makes Nmap make a routing
> > decision, without sending pings or any other traffic. Try something like
> >     sudo nmap --route-dst
> > and see if it increases the number of ARP entries in the cache. If so,
> > we will have the problem localized closely.
>
> It does:
>
> $ for i in $(seq 20 30); do sudo nmap --route-dst 10.7.24.$i > /dev/null 2>&1; ip ntable show dev eth0 name arp_cache | grep refcnt; done
>     refcnt 17 reachable 26920 base_reachable 30000 retrans 1000
>     refcnt 18 reachable 26920 base_reachable 30000 retrans 1000
>     refcnt 19 reachable 26920 base_reachable 30000 retrans 1000
>     refcnt 20 reachable 26920 base_reachable 30000 retrans 1000

Thanks for this. I think I have traced down the commit where it started,
r24413. In this commit, we connect a dummy SOCK_DGRAM socket in order to
find out what the kernel thinks our source address should be. I found
that it is exactly at the call to connect in get_srcaddr that an ARP
cache entry gets added.

You can try reproducing it yourself with this Python program:
        import socket
        import sys
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)
        s.connect((sys.argv[1], 1234))
You should see the cache size change when calling this program with
different IP addresses as arguments.

I was able to reproduce the problem on Debian wheezy (Linux 3.2) with
Nmap 6.00 and 6.40. But: I do not get the problem on Debian testing
(currently Linux 3.9) with any version of Nmap.

I don't know the best thing to do here--r24413 fixed another bug, and
newer releases of Linux don't seem to have the problem. Can you think of
other ways to fix it? Perhaps there is a netlink interface to find out
the recommended source address?

A workaround is to use the -S option (source address).

David Fifield
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
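
An added example, not code from the message above or from Nmap: it repeats the connect() on a SOCK_DGRAM socket, reads the chosen source address back with getsockname(), and compares the neighbour-table entry count before and after so the side effect can be measured per destination. Reading the count from /proc/net/stat/arp_cache (rather than `ip ntable`), the function names and the sample table are assumptions of this example; the sample is constructed.

```python
import socket

# Constructed sample of /proc/net/stat/arp_cache: hex columns, one row per CPU.
SAMPLE_STAT = """\
entries  allocs destroys hash_grows  lookups hits  res_failed  rcv_probes_mcast rcv_probes_ucast  periodic_gc_runs forced_gc_runs unresolved_discards
0000001c  0000002a 00000019 00000001  000003e8 000003a0  00000004  00000000 00000000  00000050 00000000 00000000
0000001c  00000003 00000002 00000000  00000120 00000110  00000000  00000000 00000000  00000000 00000000 00000000
"""

def source_address_for(dst, port=1234):
    """Connect a UDP socket (no datagram is sent) and return the local
    address the kernel bound to it for this destination."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0) as s:
        s.connect((dst, port))
        return s.getsockname()[0]

def arp_cache_entries(stat_text):
    """Total neighbour entries: first hex column of the first CPU row."""
    rows = stat_text.splitlines()
    if len(rows) < 2 or rows[0].split()[:1] != ["entries"]:
        raise ValueError("not /proc/net/stat/arp_cache output")
    return int(rows[1].split()[0], 16)

def measure(destinations, stat_path="/proc/net/stat/arp_cache"):
    """Return (dst, source address, growth in entries) per destination."""
    def count():
        with open(stat_path) as f:
            return arp_cache_entries(f.read())
    results = []
    for dst in destinations:
        before = count()
        src = source_address_for(dst)
        results.append((dst, src, count() - before))
    return results

if __name__ == "__main__":
    import sys
    # Usage: python3 this_file.py 10.7.24.20 10.7.24.21 ...
    for dst, src, grew in measure(sys.argv[1:]):
        print(f"{dst}: source {src}, arp_cache entries {grew:+d}")
```

The entry count in /proc/net/stat/arp_cache is table-wide, so run this on an otherwise quiet host when comparing kernels.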
