mirror of
https://github.com/nmap/nmap.git
synced 2026-01-05 06:09:00 +00:00
b0976983bc
test that was applied to packets returned in ICMP error messages. Because some operating systems modify the IP ID outside of Nmap's control, the apply_ipid_match function had a built-in heuristic whereby it would deactivate itself (always return true) if this seemed to be happening. What this meant in practice was that every time a successful match was made, a counter was incremented, and if the ratio of successful matches to successful matches was over 80%, IP ID matching was enforced. The matching and heuristic could cause relevant probes to be dropped in some cases. See http://seclists.org/nmap-dev/2009/q2/665 for an example of this and discussion. The IP ID match was always done in combination with other tests; so even without it we are still dealing with a relevant probe. The IP ID distinction could at best distinguish between retransmissions of the same probe, and it was not necessary for that in every case, such as with most TCP probes where we can use the SEQ field. I thought this small benefit was not worth the risk of potentially losing replies that we care about.
Here is some documentation for Nmap, but these files are much less comprehensive than what you'll find at the actual Nmap documentation site ( http://nmap.org ).