Re: IE.DLI OS detection test

[Brandon Enright <bmenrigh () ucsd edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 12 Mar 2009 15:33:36 -0600
David Fifield <david () bamsoftware com> wrote:

> Hi,
>
> Fyodor noticed that every single reference fingerprint in nmap-os-db
> that had a result of the IE.DLI test had the value S. Documentation
> for that test is here:
>
> http://nmap.org/book/osdetect-methods.html#osdetect-dl
>
> The test measures the length of data returned in the replies to the
> two ICMP echo probes. The documentation says that some implementations
> truncate the data, but that is not supported by the database. I did a
> test:
>
> hping2 --rand-dest --icmp -d 120 --fast --interface eth0 x.x.x.x
>
> and let it run for a while. There were 37461 packets transmitted and
> 1520 packets received. Of those 1520, 1394 were echo replies. All of
> them had len=148, corresponding to an ICMP data length of 120.
>
> I recommend we just remove the test.
>
> David Fifield

Perhaps we just aren't sending enough data?  I don't know if we can
change the probe or add another one but what happens when we send, say,
400 bytes of data?

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkm5hNMACgkQqaGPzAsl94KFrQCgjAS90G+AfXx4vMKem9xUP777
GIAAmgI3N2PhWuwLApFZ0eLCwae2UwQG
=wrj2
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org