Re: [PATCH] nmap-service-probes: Misc database corrections, printer additions

[Brandon Enright <bmenrigh () ucsd edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 16 Jul 2009 08:53:21 -0700
Aaron Leininger <rilian4 () hotmail com> wrote:

> > > I changed the probe in my script to end w/ "\n" instead of "\r\n"
> > > as it seems to elicit a better response from certain printers. I
> > > found that certain printers that appeared non-responsive will get
> > > a response if I wait long enough. The printer I was testing
> > > against seems to require 12 seconds to respond to @PJL INFO
> > > STATUS and @PJL INFO ID probes via NSE but will do so in under 3
> > > seconds via ncat.
> >
> > Hmm...there must be something different between what you're doing
> > with NSE vs Netcat (or the client machine, or something).  As some
> > folks have suggested, you may want to watch both interactions in
> > Wireshark and compare them.
>
> I figured I must be doing something different as well but my data
> dumps seem to show otherwise. This is a hexdump of the probe as sent
> through ncat (which gets a response every time in less than 3 seconds)
>
> [0000]   40 50 4A 4C 20 49 4E 46   4F 20 53 54 41 54 55 53   @PJL INF
> O STATUS [0010]
> 0A                                                                     .
>
> Next for comparison is NSE's dump (using -d and --script-trace
> options) of the probe it sent from my script: 00000000: 40 50 4a 4c
> 20 49 4e 46 4f 20 53 54 41 54 55 53 @PJL INFO STATUS
>
> 00000010: 0a
>
>
> They are byte for byte exactly the same and yet NSE needs close to
> 12s to get the same response that ncat gets in 2-3s. At least when I
> modified the probe in my latest version (the one posted to this list
> yesterday) to use \n instead of \r\n, I was consistently getting
> results from this printer, even if slow ones. 
>
> If anyone has any further insights on this, please let me know. 
>
> > The vast majority of script runs are without any extra options, so I
> > think it is best to default to a safe timeout (waiting long enough
> > for even the slow printers), and then if you add an option it can
> > be used to speed things up for people who only care about the
> > relatively fast HP printers.
>
> Works for me. I'll leave the default as is for now...which by the way
> was 15s not 12s. I mistyped that yesterday...the probe I was sending
> was responding in about 12s so the number got stuck in my head... 
>
> Aaron


A random thought just popped into my head.  Is Ncat closing it's half
of the connection right after the data is transmitted?  Check for a FIN
initiated by Ncat and corresponding ACK from the printer.  This could
cause the printer to immediately recognize (via EOF) that the command
is done.  I suspect NSE is leaving the connection open and the printer
is waiting for 12 seconds for more data before acting on the command.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAkpf0SYACgkQqaGPzAsl94J3QACfSFRD2eMve6OH6qFri5qf9Qxh
+toAnj4h/dvSMcHWzB/54Q8JWJa0Jfp3
=a0QU
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org