Nmap Development mailing list archives

Re: MAC replies


From: brett () custom-tech net (Brett Campbell)
Date: Tue, 19 Oct 2004 15:19:56 -0700

On Tue, Oct 19, 2004 at 09:17:43AM -0400, Adam Jacob Muller wrote:
> Now that nmap has the ability to log MAC addresses does it use the fact 
> that it got an arp reply to establish that the host is in fact up, my 
> idea here basically is that an ARP reply is basically the only sure way 
> to determine if a host is up or not, if you don't get one, then that 
> host must be down, if you do in 99.99% of cases it is up (feel free to 
> correct me), so does, or should nmap use a positive ARP reply to say 
> that the host is up?
> On top of that, ARP replies are also much faster than scanning all 
> ports on closed hosts (-P0).

ARP is not a very reliable source of authenticity.  Things like tarpits
and proxy-arp make this approach unfeasible.  And some IDS will be 
alarmed by a flood of 200+ ARP requests in < 1s.

> Where is it written in the Constitution, in what article or section is 
> it contained, that you may take children from their parents and parents 
> from their children, and compel them to fight the battles of any war in 
> which the folly and wickedness of the government may engage itself? 
> Under what concealment has this power lain hidden, which now for the 
> first time comes forth, with a tremendous and baleful aspect, to 
> trample down and destroy the dearest right of personal liberty? Who 
> will show me any Constitutional injunction which makes it the duty of 
> the American people to surrender everything valuable in life, and even 
> life, itself, whenever the purposes of an ambitious and mischievous 
> government may require it? . . . A free government with an uncontrolled 
> power of military conscription is the most ridiculous and abominable 
> contradiction and nonsense that ever entered into the heads of men.
> -Daniel Webster

btw:
http://www.ietf.org/rfc/rfc1855.txt?number=1855  (see the top of page 4)

 - -B
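
The two objections in the reply above (one MAC answering ARP for many addresses, as proxy-ARP and tarpits do, and a burst of 200+ ARP requests in under a second) can be written as checks over captured ARP traffic. This is an added example, not code from the thread or from Nmap; the record layouts, the `min_ips` cutoff, the function names and the sample data are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

def shared_mac_responders(replies, min_ips=3):
    """replies: iterable of (ip, mac) taken from ARP replies.
    Returns {mac: [ips]} for every MAC that answered for >= min_ips addresses.
    A reply from such a MAC is weak evidence that the target itself is up."""
    by_mac = defaultdict(set)
    for ip, mac in replies:
        by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) >= min_ips}

def arp_sweep_sources(requests, threshold=200, window=1.0):
    """requests: iterable of (timestamp_seconds, sender_mac, target_ip).
    Returns the senders that asked for >= threshold distinct targets
    within any span shorter than `window` seconds."""
    recent = defaultdict(deque)   # sender -> (ts, target) pairs still in window
    flagged = set()
    for ts, sender, target in sorted(requests):
        q = recent[sender]
        q.append((ts, target))
        while ts - q[0][0] >= window:      # drop requests older than the window
            q.popleft()
        if len({t for _, t in q}) >= threshold:
            flagged.add(sender)
    return flagged

# Constructed sample data (not real captures).
SAMPLE_REPLIES = [
    ("10.0.0.5", "AA:00:00:00:00:01"),
    ("10.0.0.6", "aa:00:00:00:00:02"),
] + [(f"10.0.0.{n}", "de:ad:be:ef:00:01") for n in (203, 200, 202, 201)]

SAMPLE_REQUESTS = (
    # one sender walks a /24 in about 0.76 s
    [(i * 0.003, "02:00:00:00:00:aa", f"10.0.0.{i + 1}") for i in range(254)]
    # an ordinary host resolving a few neighbours over several seconds
    + [(i * 0.5, "02:00:00:00:00:bb", f"10.0.0.{i + 1}") for i in range(10)]
)

if __name__ == "__main__":
    print("MACs answering for many IPs:", shared_mac_responders(SAMPLE_REPLIES))
    print("ARP sweep sources:", arp_sweep_sources(SAMPLE_REQUESTS))
```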
