increases the scan delay with an increase in max_successful_tryno. When I
reverted a bunch of changes in r11651, I removed the moved code, leaving the
scan delay increase nowhere. This puts it back in ultrascan_port_probe_update
where it was before.
Don't make a host the global ping host until it moves to the completed
hosts list, and only change the global ping probe if the new probe is no
worse than the old (according to pingprobe_is_better).
Restore the ping magnifier for host congestion window updates.
Ignore the timing of certain ICMP errors that are likely to be rate
limited and don't change the port or host state. Avoid making timing
pings out of probes that elicit such errors. This used to be done only
for port scans and only at -T4 and above (and didn't prohibit the
creation of timing pings). Now it is done for host discovery too, and at
all timing levels.
Gracefully handle updates from the recent past in RateMeter. Doesn't
affect performance, but avoids a rare assertion failure.
script event: start, finish, timeout, and error. The file name is now stored as
a std::string in struct thread_record so we have it when we don't have access
to the thread's environment.
num_probes_active == 0 in HostScanStats::completed. The reason for this is
fairly subtle and I didn't realize it at first: We have to make sure there are
no active probes because once in the completed list, probes don't time out.
Probes that are active stay active in the count. If the congestion window ever
falls below the number of these active probes, the program will hang waiting
for them to time out.
We could get away with this in the case of up hosts, because we call
HostScanStats::destroyAllOutstandingProbes in that case. We could do that in
the down case too, but that would prohibit a down host from being found up
later on. That's currently a matter of some luck; we don't keep sending probes
after a host is down but will accept replies to any other probes that have
already been sent.
source address didn't match the target address. Fyodor correctly pointed out
that this is wrong for UDP scans, when we need to slow down for a firewall
sending unreachables to know which probes don't elicit one. I'm going to try
something a little different in nmap-perf.
is up or down, we can move it to the completed list, regardless of any active
probes. However I can imagine changing this so that we move it when it is found
up, or when it is found down and there are no probes left to send. That would
give a down host a chance to become up with a different probe later on.
checking if a pingprobe has been set. We always use PORT_UNKNOWN during host
discovery (rather than HOST_UP or HOST_DOWN) to avoid conflicts with other
PORT_* constants. See the log for r8784.
num_probes_outstanding() == 0. The active probes are probes that haven't timed
out; the outstanding probes includes those and some timed-out probes. When a
host makes it to the completed list with outstanding probes, it is unlikely
they will ever be removed, so we weren't sending any global pings in some
cases. A host only moves to the completed list when it has no active probes,
and any active probes it has after that are global pings.
Also remove only timed-out ping probes from the ping host. All other probes are
timed out but waiting for a response.
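A small model, added here as an illustration and not code from Nmap or from these commits, of the two accounting points made above: a host may only move to the completed list once it has no active probes (because a completed host never times probes out, so the sender, which only transmits while active probes stay below the congestion window, can stall), and global-ping eligibility must test active rather than outstanding probes, since outstanding probes include timed-out ones that may never be removed. The class and function names (`HostStats`, `sender_stalled`, `ping_host_eligible`) and the fixed per-probe timeout are assumptions of this example, not Nmap's API.

```python
"""Constructed model of active vs. outstanding probes (not Nmap code).

Assumptions made by this example: a probe is "active" until `timeout`
seconds after it was sent; a timed-out probe stays "outstanding" until it is
explicitly removed; a host on the completed list never times probes out.
"""
from dataclasses import dataclass, field


@dataclass
class Probe:
    sent_at: float
    timeout: float
    timed_out: bool = False


@dataclass
class HostStats:
    name: str
    probes: list = field(default_factory=list)
    completed: bool = False

    def send(self, now, timeout=1.0):
        """Record a probe sent at time `now`."""
        self.probes.append(Probe(now, timeout))

    def expire(self, now):
        """Time out overdue probes. Completed hosts never do this, which is
        the behaviour the commit message warns about."""
        if self.completed:
            return
        for p in self.probes:
            if not p.timed_out and now - p.sent_at >= p.timeout:
                p.timed_out = True

    def num_probes_active(self):
        """Probes still waiting for a reply and not yet timed out."""
        return sum(1 for p in self.probes if not p.timed_out)

    def num_probes_outstanding(self):
        """Active probes plus timed-out probes nobody has removed yet."""
        return len(self.probes)

    def remove_timed_out(self):
        self.probes = [p for p in self.probes if not p.timed_out]

    def complete(self):
        """Move to the completed list, enforcing the invariant from the
        commit message: no active probes may remain."""
        if self.num_probes_active() != 0:
            raise RuntimeError("host still has active probes")
        self.completed = True


def sender_stalled(hosts, cwnd):
    """True when active probes on completed hosts alone fill the congestion
    window: the sender never transmits again and nothing will ever time out."""
    stuck = sum(h.num_probes_active() for h in hosts if h.completed)
    return stuck >= cwnd


def ping_host_eligible(host):
    """Select on *active* probes. Testing outstanding probes would wrongly
    reject a completed host that still carries timed-out, unremoved probes."""
    return host.completed and host.num_probes_active() == 0


def buggy_path():
    """Move a host to completed regardless of active probes, then try to
    expire its probe later: it never times out and the window is wedged."""
    h = HostStats("buggy")
    h.send(0.0)
    h.completed = True          # bypasses the invariant on purpose
    h.expire(100.0)             # no effect: completed hosts don't time out
    return h


def fixed_path():
    """Let the probe time out first, then complete the host."""
    h = HostStats("fixed")
    h.send(0.0)
    h.expire(2.0)               # probe timed out but still outstanding
    h.complete()
    return h
```

With a congestion window of 1, the buggy host alone stalls the sender for good; the fixed host has one outstanding but zero active probes, so it is both safe to complete and eligible as a global ping host.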
me) in r8784 when I made the change to retain ping probes between ping scanning
and port scanning.
It only gets set during host discovery scans, because that's how it was before,
but it might be advantageous to set it during port scans as well.
target. In my testing, TCP scanning certain hosts, other hosts send back ICMP
destination unreachables (admin prohibited) for some ports (the Microsoft
ports). If that's the only response we got from a host, we would make it the
timing ping probe. But the admin-prohibiteds come back at some very slow rate,
much slower than the 1.25/s ping interval. So most of them are dropped, keeping
the congestion window perpetually at 1 and slowly increasing the scan delay. In
a -F scan these hosts could take over twice as long as any other host.
I also put in some missing adjust_timing arguments to the host and ping update
functions whenever adjust_timing could be false (the default is true). I think
those were just oversights. I also made it so that we don't select a new ping
probe when adjust_timing is false; there's no point sending ping probes whose
responses we're going to ignore.
o When a system route can't be matched up directly with an interface
by comparing addresses, Nmap now tries to match the route through
another route. This helps for instance with a PPP connection where
the default route's gateway address is routed through a different
route, the one associated with the address of the PPP device. The
problem would show itself as an inability to scan through the
default route and the error message
WARNING: Unable to find appropriate interface for system route to ...