Re: Status Report #16 of 17

[Jack Grahl <mnvl16 () yahoo co uk>]

I think that for each target there should be a list of IPs which returned ICMP messages for that target. We do need to 
lookup those IPs, but a host which returns an error message is different to us from a target.

If scanning a network, there could be lots of  ICMP errors returned by the same host, for different hosts. So you need 
a separate count for each target, I think.



----- Original Message ----
> From: Luis M. <luis.mgarc () gmail com>
> To: Jack Grahl <mnvl16 () yahoo co uk>; nmap-dev <nmap-dev () insecure org>
> Sent: Tuesday, 11 August, 2009 18:36:09
> Subject: Re: Status Report #16 of 17
>
> Hi Jack,
>
> Thanks a lot for looking into the problem. However, the thing is a bit
> complicated. On one hand we have to allow ICMP packets from any host to
> pass the BPF filter because we may get a destination unreachable message
> from any box in the network. On the other hand, we want to keep per-IP
> statistics and these probably include having stats from all the hosts
> that send replies (we probably want to do reverse DNS resolution for
> hosts that were not our original targets) .
>
> If i got it right, your patch tries to determine the destination address
> that the original IP datagram had. That is a good idea but I don't think
> we should count dest unreachable msgs sent by other hosts as if we had
> received them from our target. That would give us the false idea that
> the target is actually replying to our probes.
>
> What I think we should do (and I'm telling you because I'd like to know
> your opinion on that) is have a separate target array so whenever we
> receive an ICMP error message from a host different than our original
> targets, we add an entry for it and update it's packet count. Does this
> make sense?
>
> Also, we could use your getIcmpDestAddrFromPacket() function to add new
> information to the newly created host like which destination was it that
> was unreachable, etc. (Well, I'll have to modify your code to include
> ipv6 support and add stricter bound checks as IPv4 headers may have
> options so we cannot always get the original dest IP from offset pkt+44).
>
> Please let me know what you think.
>
> Again, thanks for your help.
>
> Regards,
>
> Luis.
>
>
>
>
>
>
>
>
>
>
> Jack Grahl wrote:
> > Regarding detecting the right ICMP packets. The following patch worked for me, 
> but with one problem. When printing stats at the end, every ICMP packet, not 
> just the relevant ones, was included in the RCVD stats for all targets combined, 
> although the individual host stats were correct. This is because addRecvPacket 
> is called in line 1613 just above the part I changed, regardless of the packet.
> > I'm not sure how best to fix that, IF this is right solution.
> >
> > Jack
> >
> > --- nping/nping.cc      2009-08-11 00:00:33.000000000 +0100
> > +++ nping-build/nping.cc        2009-08-09 11:54:14.000000000 +0100
> > @@ -174,6 +174,7 @@
> >  int do_safe_checks();
> >  void test_stuff();
> >  struct sockaddr_storage *getSrcSockAddrFromPacket(u8 *pkt, size_t pktLen);
> > +struct sockaddr_storage *getIcmpDestAddrFromPacket(u8 *pkt, size_t pktLen);
> >  u16 *getSrcPortFromPacket(u8 *pkt, size_t pktLen);
> >  u8 *getTCPheaderLocation(u8 *pkt, size_t pktLen);
> >  
> > @@ -1619,7 +1620,11 @@
> >                          trg->setProbeRecvTCP(*prt, 0);
> >                  }
> >              }else if (o.getMode()==ICMP){
> > +             if(trg != NULL){
> >                  trg->setProbeRecvICMP(0, 0);
> > +             }else if (trg=o.targets.findTarget( 
> getIcmpDestAddrFromPacket((u8*)packet, packetlen))){
> > +               trg->setProbeRecvICMP(0, 0);
> > +             }
> >              }
> >         break;
> >  
> > @@ -1857,6 +1862,25 @@
> >  } /* End of getSrcSockAddrFromPacket() */
> >  
> >  
> > +/** @warning Returns pointer to an internal static buffer */
> > +struct sockaddr_storage *getIcmpDestAddrFromPacket(u8 *pkt, size_t pktLen){
> > +
> > +static struct sockaddr_storage ss;
> > +struct sockaddr_in *s_ip4=(struct sockaddr_in *)&ss;
> > +struct ip *i4=(struct ip*)pkt;
> > +memset(&ss, 0, sizeof(struct sockaddr_storage));
> > +
> > +  if(pkt==NULL || pktLen < 48)
> > +    return NULL;
> > +
> > +    s_ip4->sin_family=AF_INET;
> > +    memcpy(&(s_ip4->sin_addr.s_addr), pkt+44, 4);
> > +
> > +  return &ss;
> > +
> >
> >
> >      
> >
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://SecLists.Org
> >
> >  



      

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org