
It already does to some degree

Posted Feb 16, 2006 7:55 UTC (Thu) by fyodor (guest, #3481)
In reply to: 4.01 is Now Available by Ross
Parent article: A look at nmap 4.0

Nmap already does look at various aspects of ICMP port unreachable replies. These tests can be seen in the "PU" fingerprint test line. Here is an example, from the Linux 2.4.7 fingerprint:

PU(DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

This means that in the ICMP response, the don't fragment bit was not set, the ToS byte is 0xC0, the total length (tells you how much of the original packet was echoed) is 164, the TTL is 148, the ID and IP checksum of the initial packet were returned uncorrupted, the UDP length field in the echoed header was 134, and the data from that UDP packet was returned uncorrupted (but possibly truncated). More details can be found in my OS fingerprinting article.

But maybe we could glean even more information from these ICMP packets. Our current proposed new system is here, and I welcome ideas for new tests to add.

-Fyodor
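The PU test line quoted above, decoded and compared against an observed reply, as an added example that is not part of the comment or of Nmap's own code. It assumes the `PU(K=V%K=V...)` layout shown above, that numeric values are hexadecimal (as the ToS byte `C0` already is), and that `E` marks a field returned uncorrupted; the second fingerprint line is a constructed sample, not a real fingerprint.

```python
import re
from typing import Dict, List

# Reference PU line quoted in the comment above (Linux 2.4.7 fingerprint).
LINUX_247_PU = "PU(DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)"

# Constructed sample of an observed reply (not from the page) whose ToS byte
# and IP total length differ from the Linux 2.4.7 reference.
SAMPLE_OBSERVED_PU = "PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)"

_LINE_RE = re.compile(r"^(?P<name>[A-Z0-9]+)\((?P<body>[^()]*)\)$")
_HEX_FIELDS = {"TOS", "IPLEN", "RIPTL", "ULEN"}   # numeric values, hex like TOS=C0 (assumption)
_ECHO_FIELDS = {"RID", "RIPCK", "UCK", "DAT"}     # E = returned uncorrupted

def parse_pu_line(line: str) -> Dict[str, str]:
    """Split a 'PU(K=V%K=V...)' test line into its raw key/value fields."""
    m = _LINE_RE.match(line.strip())
    if m is None or m.group("name") != "PU":
        raise ValueError(f"not a PU test line: {line!r}")
    fields: Dict[str, str] = {}
    for item in m.group("body").split("%"):
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field {item!r} in {line!r}")
        fields[key] = value
    return fields

def decode_pu(fields: Dict[str, str]) -> Dict[str, object]:
    """Give the raw fields the meaning the comment describes (hex assumed)."""
    out: Dict[str, object] = {"df_set": fields.get("DF") == "Y"}
    for key in _HEX_FIELDS:
        if key in fields:
            out[key.lower()] = int(fields[key], 16)
    for key in _ECHO_FIELDS:
        if key in fields:
            out[key.lower() + "_intact"] = fields[key] == "E"
    return out

def pu_mismatches(reference: str, observed: str) -> List[str]:
    """Return the PU fields on which an observed reply departs from a reference."""
    ref, obs = parse_pu_line(reference), parse_pu_line(observed)
    # A field present on only one side counts as a mismatch too.
    return sorted(k for k in ref.keys() | obs.keys() if ref.get(k) != obs.get(k))

if __name__ == "__main__":
    print(decode_pu(parse_pu_line(LINUX_247_PU)))
    print("differs on:", pu_mismatches(LINUX_247_PU, SAMPLE_OBSERVED_PU))
```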



