List: nmap-dev
Subject: Re: OSX - 'no route to host'
From: Brandon Applegate <brandon () burn ! net>
Date: 2011-09-24 18:37:37
Message-ID: alpine.DEB.2.00.1109241411200.16495 () orbital ! burn ! net
On Sat, 24 Sep 2011, David Fifield wrote:
> What's your output for "nmap --iflist"?
>
> I have seen OS X creating and destroying routes ephemerally sometimes.
> What happens if you ping the IP address immediately before trying to
> scan it? Does "nmap --iflist" differ immediately after a ping?
>
> David Fifield
>
First - thanks for the reply.

FYI - scanning an individual host seems to work okay. It's the ping scan
(sP) that gets stuck in the middle.

Here's my --iflist - sanitized.

bash-3.2# nmap --iflist
Starting Nmap 5.51 ( http://nmap.org ) at 2011-09-24 14:12 EDT
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MTU MAC
lo0 (lo0) 127.0.0.1/8 loopback up 16384
en0 (en0) 192.168.x.x/24 ethernet up 1500 01:02:03:04:05:06
**************************ROUTES**************************
DST/MASK DEV GATEWAY
x.x.x.x/32 en0 192.168.x.x
x.x.x.x/32 en0 192.168.x.x
x.x.x.x/32 en0 192.168.x.x
127.0.0.1/32 lo0 127.0.0.1
192.168.x.x/32 lo0 127.0.0.1
x.x.x.x/32 en0 192.168.x.x
127.0.0.0/8 lo0 127.0.0.1
0.0.0.0/0 en0 192.168.x.x

The x.x.x.x/32s are all the ephemeral cached host routes I think you are
talking about. The ones in this output are for things my machine is
currently talking to. I could be wrong - but isn't this a BSD-ish thing ?
I come from a Linux background - so still getting used to the network nuts
and bolts of OSX. In Linux to see this I would have to do something like
'ip route show table cache'

Something I notice - is that nmap --iflist does NOT have a route for my
connected interface. In my case, that would be 192.168.x.x/24.

--iflist does NOT seem to change if I manually try to ping a host
beforehand.

Again - excuse my OSX ignorance - but when I ping a host that doesn't
exist - I get a /32 route entry with a destination of link#x (this is in
'netstat -rnv'). A live host yields its MAC address in the 'gateway'
column (successful arp).

So it seems that the incomplete ARP signalling isn't making it to nmap or
getting used incorrectly ? Probably not articulating that very well :(

As a test - nmap -sP $some_remote_net works great. So scanning an offnet
/24 completes fast with no timeouts or errors. It seems like it's just an
sP of a local connected network that gets bogged down in the middle due to
incomplete ARP.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
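
Added example, not part of the message above and not Nmap's own code: a small Python check that parses "nmap --iflist" text and reports interfaces whose connected subnet has no route entry, the condition the message describes for en0. The sample text is constructed (the addresses are made up to stand in for the sanitized ones), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the layout of "nmap --iflist"; all addresses are made up.
SAMPLE = """\
************************INTERFACES************************
DEV  (SHORT) IP/MASK         TYPE     UP MTU   MAC
lo0  (lo0)   127.0.0.1/8     loopback up 16384
en0  (en0)   192.168.1.10/24 ethernet up 1500  01:02:03:04:05:06
**************************ROUTES**************************
DST/MASK        DEV GATEWAY
192.168.1.20/32 en0 192.168.1.1
127.0.0.1/32    lo0 127.0.0.1
192.168.1.10/32 lo0 127.0.0.1
127.0.0.0/8     lo0 127.0.0.1
0.0.0.0/0       en0 192.168.1.1
"""

def parse_iflist(text):
    """Return ({dev: connected network}, [(dst network, dev)]) from --iflist text."""
    interfaces, routes, section = {}, [], None
    for line in text.splitlines():
        fields = line.split()
        if "INTERFACES" in line:
            section = "if"
        elif "ROUTES" in line:
            section = "rt"
        elif not fields or fields[0] in ("DEV", "DST/MASK"):
            continue  # blank lines and column headers
        elif section == "if" and len(fields) >= 3:
            # strict=False: the interface line carries a host address, not a network
            interfaces[fields[0]] = ipaddress.ip_network(fields[2], strict=False)
        elif section == "rt" and len(fields) >= 2:
            routes.append((ipaddress.ip_network(fields[0], strict=False), fields[1]))
    return interfaces, routes

def missing_connected_routes(text):
    """Interfaces whose own subnet has no matching route entry on that device."""
    interfaces, routes = parse_iflist(text)
    return sorted(dev for dev, net in interfaces.items() if (net, dev) not in routes)

if __name__ == "__main__":
    for dev in missing_connected_routes(SAMPLE):
        print(f"{dev}: no route for the connected network")
```

Unsanitized output is needed as input, since placeholder addresses such as 192.168.x.x do not parse as IP networks.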