mirror of
https://github.com/nmap/nmap.git
synced 2025-12-17 05:09:00 +00:00
inconvenient to change separately.

The first change fixes a logical error in the storage of timing ping probes. Each target contains a description of a timing ping probe, which is stored in the two members

  probespec pingprobe;
  int pingprobe_state;

pingprobe is the probe itself, and pingprobe_state is the state of the port that the probe was sent to (PORT_OPEN, PORT_CLOSED, etc.). A change in the state of the port was a criterion used in deciding whether to replace the current ping probe. The problem with this was that pingprobe_state was used to hold a host state, not a port state, during host discovery. Therefore it held a value like HOST_DOWN or HOST_UP. This was fine as long as host discovery and port scanning were separate, but now that timing pings are shared between those phases the states were in conflict: HOST_UP = 1 = PORT_CLOSED. This was fixed by using a value of PORT_UNKNOWN during host discovery.

The second change redoes how timing ping probes are replaced. There is now an order of preference for timing ping probe types, defined by the function pingprobe_score (and pingprobe_is_better, which calls it). The order I have defined, from highest preference to lowest, is

  ARP
  Raw TCP (not SYN to an open port)
  UDP, IP protocol, or ICMP
  Raw TCP (SYN to an open port)
  TCP connect
  Anything else

The port state is considered only in raw TCP SYN to an open port, which is given a lower preference because of the possibility of SYN flooding. Better ping probes supersede worse ping probes. So in

  nmap -PS -sA scanme.nmap.org

the ping probe will be SYN to port 80 after host discovery, but then will change to ACK to an unfiltered port during port scanning. In

  nmap -PA -sS scanme.nmap.org

the ping probe will be ACK to port 80 after host discovery and will remain that way during port scanning because SYN to an open port is a worse ping probe. Run with -d2 to see when timing pings change.
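The following is an added, self-contained model of the two changes the commit message describes; it is example code written for this page, not nmap's scan_engine.cc. The enum values (PORT_CLOSED == HOST_UP == 1, as the message states), the probe type names, the numeric scores, and the rule that a tie keeps the current probe are this example's assumptions; only the relative order of the tiers and the PORT_UNKNOWN fix come from the message.

```cpp
// Example model of timing ping probe selection (not nmap's own code).
#include <cassert>
#include <cstdio>

// Port and host states. Values are assumed; the message only guarantees
// HOST_UP == 1 == PORT_CLOSED, which is the collision the first change fixes.
enum PortState { PORT_UNKNOWN = 0, PORT_CLOSED = 1, PORT_OPEN = 2,
                 PORT_FILTERED = 3, PORT_UNFILTERED = 4 };
enum HostState { HOST_UNKNOWN = 0, HOST_UP = 1, HOST_DOWN = 2 };
static_assert(HOST_UP == PORT_CLOSED, "state value collision being modelled");

// Probe types (names assumed for this example).
enum ProbeType { PS_NONE, PS_ARP, PS_TCP, PS_CONNECTTCP, PS_UDP, PS_PROTO,
                 PS_ICMP, PS_OTHER };
const unsigned TH_SYN = 0x02, TH_ACK = 0x10;

struct probespec {
  ProbeType type;
  unsigned tcpflags;   // meaningful only for PS_TCP / PS_CONNECTTCP
  unsigned port;       // destination port for TCP / UDP
};

struct Target {
  probespec pingprobe = {PS_NONE, 0, 0};
  int pingprobe_state = PORT_UNKNOWN;
};

// Old replacement criterion: "did the port state change?". With a HOST_*
// value stored during discovery, HOST_UP compares equal to PORT_CLOSED, so a
// closed-port response after discovery reads as "no change".
bool old_state_changed(int stored, int fresh) { return stored != fresh; }

// Preference order from the message, highest score first. Port state matters
// only for raw TCP SYN to an open port, ranked low because repeatedly
// eliciting SYN/ACKs from an open port looks like a SYN flood.
unsigned pingprobe_score(const probespec &p, int state) {
  switch (p.type) {
  case PS_ARP:        return 6;
  case PS_TCP:        return (p.tcpflags == TH_SYN && state == PORT_OPEN) ? 3 : 5;
  case PS_UDP:
  case PS_PROTO:
  case PS_ICMP:       return 4;
  case PS_CONNECTTCP: return 2;
  case PS_NONE:       return 0;
  default:            return 1;   // anything else
  }
}

bool pingprobe_is_better(const probespec &np, int nstate,
                         const probespec &op, int ostate) {
  return pingprobe_score(np, nstate) > pingprobe_score(op, ostate);
}

// Called when a probe gets a response. Replaces the stored ping probe only if
// the new one scores strictly higher (ties keep the current probe; an
// assumption of this example). Returns true if the probe was replaced.
bool update_pingprobe(Target &t, const probespec &p, int state) {
  if (t.pingprobe.type != PS_NONE &&
      !pingprobe_is_better(p, state, t.pingprobe, t.pingprobe_state))
    return false;
  t.pingprobe = p;
  t.pingprobe_state = state;
  return true;
}

// The fix: host discovery stores PORT_UNKNOWN, never a HOST_* value, so the
// stored state always lives in the port-state namespace.
bool record_discovery_response(Target &t, const probespec &p) {
  return update_pingprobe(t, p, PORT_UNKNOWN);
}

// nmap -PA -sS: ACK to port 80 from discovery survives the SYN scan finding
// an open port, because SYN-to-open scores lower than raw ACK.
probespec scenario_pa_ss() {
  Target t;
  record_discovery_response(t, {PS_TCP, TH_ACK, 80});
  update_pingprobe(t, {PS_TCP, TH_SYN, 22}, PORT_OPEN);
  return t.pingprobe;
}

// Supersession chain: SYN-to-open -> ICMP -> ARP, then a worse connect()
// probe is ignored. Returns how many replacements happened.
unsigned count_replacements_syn_icmp_arp() {
  Target t;
  unsigned n = 0;
  n += update_pingprobe(t, {PS_TCP, TH_SYN, 22}, PORT_OPEN);
  n += update_pingprobe(t, {PS_ICMP, 0, 0}, PORT_UNKNOWN);
  n += update_pingprobe(t, {PS_ARP, 0, 0}, PORT_UNKNOWN);
  n += update_pingprobe(t, {PS_CONNECTTCP, TH_SYN, 80}, PORT_OPEN);
  return n;
}

int main() {
  probespec p = scenario_pa_ss();
  std::printf("-PA -sS keeps type=%d flags=0x%x port=%u\n", p.type, p.tcpflags, p.port);
  std::printf("chain replacements: %u\n", count_replacements_syn_icmp_arp());
  std::printf("old criterion sees HOST_UP->PORT_CLOSED as change: %d\n",
              old_state_changed(HOST_UP, PORT_CLOSED));
  return 0;
}
```

The static_assert documents why the first change was needed: as long as discovery wrote HOST_* values into pingprobe_state, the old "state changed" test silently compared host states against port states. The scoring function is the second change; whether a same-tier probe (for example the SYN-then-ACK case the message describes for -PS -sA) replaces the current one depends on tie handling, which this example resolves by keeping the current probe.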