First of all, i have no idea if this question is okay here. I guess the only way to know is to try. I completely understand if this is the wrong place, its more of an Nmap related question but i don't know where else to ask. r/Nmap is too quiet. Here we go:
In a project for a company im working on (im a student, it's my internship) i'm using Nmap for host discovery on the current network and some more things. It will be used in a product that customers will be working with.
Nmap uses a library, NPCap, and it can also use WinPCap. I know NPCap has a silent installer, but since it needs a license, i thought to use WinPCap and ask the user to install that. It's just a few next buttons. Some users will probably still not want it though, so in that case i wanted to do as much as possible with Nmap without having NPCap or WinPCap installed.
There's a --unprivileged
command which makes Nmap run without either of these libs installed, but the behaviour is so strange, i can't even explain it.
When running Nmap WITH one of those libs using the command nmap -sn 192.168.20.1/24
i can see in wireshark that it does a normal arp ping scan, and it's done in a few seconds with good results. Just as expected, but when i run Nmap WITHOUT one of those libs using the command nmap -sn -unprivileged 192.168.20.1/24
in wireshark i can see an arp ping scan starting, but it just keeps going and keeps going. It takes up to 5 minutes to do the same thing as before, it pings every ip address multiple times, and then the results are completely off.
In my wireshark log of Nmap without libs i have about 1600 entries of ARP pings over a period of 221s, and with libs i have about 500 entries over a period of 15s.
I can't explain this behaviour one bit. A simple ARP ping scan should be doable without those libs right? Why does it suddenly take so long? And why are the results completely off? Why does it suddenly ping every ip address multiple times while it didn't do that before? Can someone help me understand this?
No comments:
Post a Comment