
Nmap Development mailing list archives
Re[2]: small problem
From: Alexey GERASIMOV <avgera () mail ru>
Date: Mon, 5 Apr 2004 00:32:13 +0400
Hi All!

Saturday, April 3, 2004, 5:13:50 AM, you wrote:

F> Apparently upgrading to Nmap 3.50 solved the problem for BLAZON (see
F> below). So anyone experiencing this "Host seems down" problem against
F> every host should try upgrading. If the problem persists, let us know.

The problem still persists. I would like to describe my small investigation.

I have two computers at home, both with NICs; the IP addresses are 192.168.0.1 and 192.168.0.4. The computer with address 192.168.0.4 will be the test computer. Win XP Prof SP1 with all security patches is installed on this computer; Win 2000 Server SP3 has been installed on this computer additionally. This computer also has a modem for connection to the Internet using PPP. The network monitor driver and WinPcap 3.0 have been installed.

So, I boot this computer to XP, dial up to the provider and start the tests. First of all, check the other home computer:

-------------
nmap 192.168.0.1

Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-04-04 22:04 ¦юёъютёъюх тЁхь  (ыхЄю)
Interesting ports on HOME1 (192.168.0.1):
(The 1645 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
...  (I couldn't show all open ports, sorry :-))
1720/tcp open  H.323/Q.931
...

Nmap run completed -- 1 IP address (1 host up) scanned in 0.735 seconds
-------------

OK, it works. Check any computer on the Internet:

-------------
nmap www.host.com -e ppp0

Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-04-04 22:10 ¦юёъютёъюх тЁхь  (ыхЄю)
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 24.093 seconds
------------

No, it doesn't work. What about interface types?

-----------------------------------
nmap --win_trace --win_list_interface

***WinIP***  initializing if tables
***WinIP***  if tables complete :)
***WinIP***  trying to initialize winpcap 2.1
***WinIP***  winpcap is present
***WinIP***  testing for raw sockets
***WinIP***  rawsock is available
***WinIP***  reading winpcap interface list
pcap device:  \Device\Packet_{B5F0AD35-E87E-4F5D-AFCB-3639CDD773BB}
 result:  physaddr (0x0020ed5ece29) matches eth0
pcap device:  \Device\Packet_NdisWanIp
 result:  no match (physaddr = 0x425720524153)
pcap device:  \Device\Packet_NdisWanBh
 result:  no match (physaddr = 0x425720524153)
***WinIP***  o.isr00t = 1
Available interfaces:

Name        Raw send  Raw recieve  IP
loopback0   SOCK_RAW  SOCK_RAW     127.0.0.1
eth0        SOCK_RAW  winpcap      192.168.0.4
ppp0        SOCK_RAW  SOCK_RAW     my.ppp0.ip.address
------------------------------------

Well, ppp0 captures through raw sockets, eth0 captures through Pcap. That seems to be right because, as far as I know, Pcap couldn't work with demand-on connections. But could nmap work with eth0 using raw sockets?

------------------------------------
nmap 192.168.0.1 --win_nopcap -e eth0

Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-04-04 22:06 ¦юёъютёъюх тЁхь  (ыхЄю)
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 24.047 seconds
------------------------------------

No! Nmap couldn't work using raw sockets at all, using any interface! But that's under XP Prof SP1. What about Windows 2000? Reboot the computer, go to the Windows 2000 Server and run the same command:

------------------------------------
nmap 192.168.0.1 --win_nopcap -e eth0

Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-04-04 22:41 Russian Daylight Time
Interesting ports on AVGERA (192.168.0.1):
PORT     STATE SERVICE
....  (I couldn't show all ports, sorry :-))
1720/tcp open  H.323/Q.931
....

Nmap run completed -- 1 IP address (1 host up) scanned in 0.891 seconds
------------------------------------

It works perfectly! So, the problem is in the cooperation between the network monitor driver in XP and nmap. Well, it means that we should test another application which uses the network monitor driver for capturing. I have the distribution of TrafMeter (www.tmeter.ru) and test how this application collects the data using ppp through the network monitor driver. I install this application and start to collect the traffic. It works perfectly!

So, I suppose the problem is in a feature of the methods of traffic capture using raw sockets inside the source code of nmap - they work under Win2000 but not under WinXP. Maybe the expert programmers could try to debug this part of nmap? Unfortunately I'm not an expert in programming, but I will try to do it if I have enough free time (but I think it's unlikely).

---
Avgera
---
No computer - no trouble!
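Added example (not part of the original message and not Nmap code): a parser for the `--win_list_interface` table shown in the message, reporting which interfaces Nmap reads replies from through raw sockets rather than winpcap, which is the case the message reports failing on XP. The column spacing of the sample and the function names are assumptions.

```python
import re

# Constructed sample: the interface table from the message, with assumed spacing.
SAMPLE = """\
***WinIP***  o.isr00t = 1
Available interfaces:

Name        Raw send  Raw recieve  IP
loopback0   SOCK_RAW  SOCK_RAW     127.0.0.1
eth0        SOCK_RAW  winpcap      192.168.0.4
ppp0        SOCK_RAW  SOCK_RAW     my.ppp0.ip.address
"""

# name, send method, receive method, address; the header row does not match.
ROW = re.compile(r"^(\S+)\s+(SOCK_RAW|winpcap)\s+(SOCK_RAW|winpcap)\s+(\S+)$")

def parse_interfaces(text):
    """Return one dict per row that follows the 'Available interfaces:' line."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.strip().startswith("Available interfaces"):
            in_table = True
            continue
        if not in_table:
            continue  # skip the ***WinIP*** trace lines before the table
        m = ROW.match(line.strip())
        if m:
            name, send, recv, ip = m.groups()
            rows.append({"name": name, "send": send, "recv": recv, "ip": ip})
    return rows

def raw_receive_interfaces(rows, include_loopback=False):
    """Names of interfaces whose replies are read via SOCK_RAW, not winpcap."""
    return [r["name"] for r in rows
            if r["recv"] == "SOCK_RAW"
            and (include_loopback or not r["name"].startswith("loopback"))]

if __name__ == "__main__":
    table = parse_interfaces(SAMPLE)
    for r in table:
        print(f'{r["name"]:<10} send={r["send"]:<8} recv={r["recv"]:<8} {r["ip"]}')
    print("receive via raw sockets:", raw_receive_interfaces(table))
```

Passing `--win_nopcap`, as in the message, forces the raw-socket receive path on every interface, so the table alone does not describe such a run.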