Handle ICMP Time Exceeded messages in scan engine

DiabloHorn on #nmap noticed that Nmap was ignoring ICMP Time Exceeded messages while trying to map firewall rules using --ttl. get_pcap_result() was handling ICMP type 3 (Destination Unreachable), but not type 11 (Time Exceeded). Now ports that elicit this response will be marked filtered (to be consistent with existing Connect scan behavior) and will report time-exceeded from (IP) for the reason. This was not a common issue, since host discovery already accounted for it. Port scans would only be affected when skipping host discovery.
2025-12-10 09:49:05 +00:00 · 2013-03-28 21:11:45 +00:00
parent 97c5aa0f0c
commit 43f5db6ce4
1 changed files with 6 additions and 1 deletions
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -4524,7 +4524,7 @@ static bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) {

      if (datalen < 8)
        continue;
-      if (icmp->icmp_type != 3)
+      if (icmp->icmp_type != 3 && icmp->icmp_type != 11)
        continue;

      encaps_len = datalen - 8;
@@ -4637,6 +4637,11 @@ static bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
            break;
          goodone = true;
        }
+        else if (icmp->icmp_type == 11) { /* ICMP Time Exceeded */
+          newstate = PORT_FILTERED;
+          current_reason = icmp_to_reason(hdr.proto, icmp->icmp_type, icmp->icmp_code);
+          goodone = true;
+        }
      }
    } else if (hdr.proto == IPPROTO_ICMPV6) {
      const void *encaps_data;