summaryrefslogtreecommitdiffstats
path: root/todo/nping.txt
diff options
context:
space:
mode:
Diffstat (limited to 'todo/nping.txt')
-rw-r--r--todo/nping.txt799
1 files changed, 799 insertions, 0 deletions
diff --git a/todo/nping.txt b/todo/nping.txt
new file mode 100644
index 0000000..c1130cf
--- /dev/null
+++ b/todo/nping.txt
@@ -0,0 +1,799 @@
+/*****************************************************************************
+ * *
+ * o *
+ * o *
+ * o *
+ * o o *
+ * o o *
+ * o o *
+ * o o o *
+ * o o o *
+ * 888b 888 o o o *
+ * 8888b 888 o o o *
+ * 888Y88 888 o o o *
+ * 888Y88b 888 o *
+ * 888 Y88b888 o *
+ * 888 Y88888 *
+ * 888 Y8888 *
+ * 888 Y888 *
+ * *
+ * --[NPING TO-DO LIST]-- *
+ * *
+ *****************************************************************************/
+
+ This file contains Nping's to-do list. Items are listed in order of priority
+ (high priority items are listed first). Feel free to work on any of the items
+ on the list. However, if you'd like to work on something that is not trivial
+ to implement you may want to send a message to the nmap-dev list before you
+ start so other developers can see what you are planning to do. Make sure you
+ explain exactly what you are trying to fix/implement and how you are planning
+ to do it. It's always better to discuss bugfixes and new feature additions in
+ advance because they may actually have bigger implications than you think and
+ you may not get your patch accepted.
+
+ Please keep in mind that contributed code must:
+ * Be written in C++.
+ * Include comments so anyone can understand immediately what it does.
+ * Work on Linux, Mac OS and MS Windows. It's OK if you have not tested
+ the code in all those platforms, but at least keep portability in mind when
+ you write it and include a list of systems you've tested it on along with
+ your patch.
+
+ Questions, comments and patches should be sent to the Nmap development
+ mailing list (nmap-dev). To suscribe:
+ <https://nmap.org/mailman/listinfo/dev>
+
+
+/*****************************************************************************
+ * Things that have NOT been done yet *
+ *****************************************************************************/
+
+* Improve IPv6 support. Currently it doesn't work well. The situation should be
+ analyzed in detail because right now Nping has code to send packets at raw
+ transport level (letting the OS craft the IPv6 header), and at raw ethernet
+ level. None of them seems to work well, though.
+
+* Investigate an IPv6-related core dump reported by Vasiliy Kulikov.
+ More info: http://seclists.org/nmap-dev/2011/q3/567
+
+* Consider using Nmap's proto-dependant payloads for UDP packets. According
+ to David's tests, better results are obtained when sending UDP probes with a
+ payload specific to the protocol.
+
+* Consider adding the possibility to see the RTT in the RECV line. Something
+ similar to the way the traditional ping tool prints the RTT (time=XXX ms)
+
+ $ ping nmap.org
+ PING nmap.org (173.255.243.189) 56(84) bytes of data.
+ 64 bytes from nmap.org (173.255.243.189): icmp_req=1 ttl=48 time=169 ms
+ 64 bytes from nmap.org (173.255.243.189): icmp_req=2 ttl=48 time=177 ms
+ 64 bytes from nmap.org (173.255.243.189): icmp_req=3 ttl=48 time=179 ms
+ ^C
+ --- nmap.org ping statistics ---
+ 3 packets transmitted, 3 received, 0% packet loss, time 2000ms
+ rtt min/avg/max/mdev = 169.097/175.137/179.152/4.347 ms
+
+
+ This was requested by Jacek Wielemborek. More info:
+ http://seclists.org/nmap-dev/2013/q3/533
+
+* Currently, Nping determines the maximum number of open descriptors
+ (in TCP connect and UDP unprivileged modes), from the value returned
+ by libnetutil::get_max_open_descriptors(). However, it is often the
+ case that such function returns a value higher than FD_SETSIZE, which
+ is the maximum number of descriptors that select(2) can handle.
+ Currently Nsock uses select(2) so we have to limit the number of
+ descriptor to FD_SETSIZE, and not to the value returned bu
+ get_max_open_descriptors(). However, Henri Doreau is working on a new
+ nsock-engines branch which will provide Nsock engines based on
+ better I/O syscalls like poll() and epoll(). I've asked Henri if he
+ could implement a function in Nsock that provides the maximum number
+ of descriptors that can be handled at the same time, based on the
+ nsock engine being used. So, if that function gets implemented and
+ his nsock-engines branch merged into trunk, we should consider
+ updating Nping's code to use it.
+ More info here:
+ http://seclists.org/nmap-dev/2011/q4/550
+
+* A few ideas for the Echo protocol:
+ - Add an authenticated NEP_BYE message, so session termination is explicit
+ and both ends can determine if the session was ended because the other end
+ requested it or if it was due to some error at the network or transport
+ layer. Suggested by David.
+
+ - Add examples for encryption and hmac to the RFC. This would help in
+ debugging implementations. Suggested by Toni Ruottu.
+
+ - RFC. Improve description of how the IVs work. Suggested by Toni Ruottu.
+
+ - RFC. Improve description of encryptionless sessions. Suggested by Toni
+ Ruottu.
+
+ - Currently, the echo server zeroes any application layer data before
+ transmission in a NEP_ECHO message. This minimizes the impact of
+ errors in the server's packet matching engine or malicious attacks that
+ attempt to trick the server into echoing packets that do not belong to
+ a particular user. This works well but in the future, if one day we
+ create a NEPv2 specification, we may want to consider extending NEP_ECHO
+ packets to allow stripped-packet transport. This is, to allow echo servers
+ to remove application layer data before transmission, and include
+ additional information in the NEP_ECHO message so clients can determine
+ that the payload part was stripped and how long was it.
+
+ - Consider making the echo server bind to all IPv4 AND IPv6 interfaces.
+
+ - Add a description of the security implications of running a public echo
+ server (failures in the packet matching algorithm, etc), to either the
+ RFC or the man page. Suggested by Toni Ruottu.
+
+ - Test the new --safe-payloads option with a packet fuzzer to make sure
+ the packet parser behaves correctly.
+
+* When running Nping echo client with the --no-capture parameter, the last
+ packet's CAPT line is not displayed.
+
+ nping --ec public echo.nmap.org -p90 --tcp --count 1 --no-capture
+
+ luis@Aberdeen:~$ sudo nping --ec public echo.nmap.org -p90-92 --tcp --count 1 --no-capture
+
+ Starting Nping 0.5.52.IPv6.Beta2 ( https://nmap.org/nping ) at 2011-07-05 12:53 CEST
+ SENT (7.3302s) TCP 163.117.203.253:18554 > 74.207.244.221:90 S ttl=64
+ CAPT (7.4625s) TCP 163.117.203.253:18554 > 74.207.244.221:90 S ttl=54
+ SENT (8.3309s) TCP 163.117.203.253:18554 > 74.207.244.221:91 S ttl=64
+ CAPT (8.4429s) TCP 163.117.203.253:18554 > 74.207.244.221:91 S ttl=54
+ SENT (9.3310s) TCP 163.117.203.253:18554 > 74.207.244.221:92 S ttl=64
+
+ Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
+ Raw packets sent: 3 (120B) | Rcvd: 0 (0B) | Lost: 3 (100.00%)| Echoed: 2 (80B)
+ Tx time: 2.00181s | Tx bytes/s: 59.95 | Tx pkts/s: 1.50
+ Rx time: 2.00193s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
+ Nping done: 1 IP address pinged in 9.33 seconds
+
+* Sometimes Nping displays a couple of error messages (related to cleanup of
+ Nsock events), even though everything went fine.
+
+ luis@Aberdeen:~$ sudo nping --ec public echo.nmap.org -p90 --tcp --count 1
+
+ Starting Nping 0.5.52.IPv6.Beta2 ( https://nmap.org/nping ) at 2011-07-05 12:51 CEST
+ SENT (1.8965s) TCP 163.117.203.253:64288 > 74.207.244.221:90 S ttl=64
+ CAPT (2.0293s) TCP 163.117.203.253:64288 > 74.207.244.221:90 S ttl=54
+ RCVD (2.1233s) TCP 74.207.244.221:90 > 163.117.203.253:64288 RA ttl=51
+ nping_event_handler(): READ-PCAP killed: Resource temporarily unavailable
+ nping_event_handler(): TIMER killed: Resource temporarily unavailable
+
+ Max rtt: 226.762ms | Min rtt: 226.762ms | Avg rtt: 226.762ms
+ Raw packets sent: 1 (40B) | Rcvd: 1 (40B) | Lost: 0 (0.00%)| Echoed: 1 (40B)
+ Tx time: 0.00136s | Tx bytes/s: 29411.76 | Tx pkts/s: 735.29
+ Rx time: 1.00082s | Rx bytes/s: 39.97 | Rx pkts/s: 1.00
+ Nping done: 1 IP address pinged in 2.93 seconds
+
+* Investigate about warning on old version of gcc like g++ 4.1.2 20080704
+ (Red Hat 4.1.2-48). No warnings are shown on newer version but it would be
+ nice to get rid of them if possible. There are some of them:
+
+ ARPHeader.h:169: warning: ‘class ARPHeader’ has virtual functions but
+ non-virtual destructor
+ RawData.h:99: warning: ‘class RawData’ has virtual functions but
+ non-virtual destructor
+
+* Decide more on rDNS
+ - Do we want to rDNS resolve all target IPs? If so, where should we
+ show the name? At the final report (even when just one host
+ scanned, which omits that line now)? In the individual packet
+ trace lines? When a CNAME (or a name which forward resolves but
+ does the IP doesn't reverse resolve) is specified on the command
+ line, should we use that version, or the official rDNS, if any?
+ - Some more discussion on this topic on nmap-dev may be warranted.
+
+* Improve output for negative verbosity levels. Currently, one can't
+ even tell how many hosts replied, just how many responses were
+ received, which could be all from the same host. If there is only
+ one target, then the current behavior is fine. However, when pinging
+ more targets, we should be able to provide a better output; at least
+ how many hosts were alive. This was suggested by Dan Farmer.
+
+* Consider adding more examples of setting fields/payloads to the man
+ page. This was suggested by Dan Farmer.
+
+* Consider adding support for XML output.
+
+* From: David Lam <david@thedavid.net>, "Some general questions about
+ Nping/Ncat"
+
+ In TCP traceroute mode, would it be possible to ask Nping to
+ stop once it gets an SYN-ACK response back from the destination host rather
+ than continuously hitting the host until the max TTL?
+
+* Make broadcast ping work. Currently the following command does not
+ show any captured packets:
+ nping 192.168.0.255 --dest-mac ff:ff:ff:ff:ff:ff -c 1
+ The cause is probably the BPF filter, which only allows replies from
+ 192.168.0.255.
+ Also, look into official multicast addresses like 224.0.0.1. Can we
+ received replies to that probe?
+
+
+* Do some performance testing.
+ Fyodor:
+ <<Nping should be able to send packets quickly, at least comparable to
+ "ping -f" and hping. If it can't send as many packets per second as those,
+ then it warrants looking into whym figuring out what the bottlenecks are.
+ It would be good to compare nping with other tools such as hping in
+ terms of how high the values of packets per second can get and still
+ work reliably.>>
+
+* Stats for ARP packets.
+
+* Do more testing on Mac
+
+* Support pre defined probe rates: --fast, --faster, --flood, --slow,
+ --slower, --paranoid...
+
+* Think about --establish feature, which uses raw packets to establish
+ a connection and can then send data on the connected stream (Luis
+ already has a proof-of-concept implementation).
+
+* Make privileged and unprivileged TCP/UDP mode specification consistent.
+
+> - User is unprivileged and did not supply mode: --> Use TCP-Connect
+> - User is unprivileged and supplied --tcp --> Use TCP-Connect
+> - User is unprivileged and supplied --upd --> User UDP unprivileged
+> - User is root and did not supply mode --> Use ICMP Echo
+> - User is root and supplied --tcp --> Use raw sockets TCP
+> - User is root and supplied --udp --> User raw sockets UDP
+> - User is root and wants to use TCP-Connect --> User needs to either
+> pass --tcp-connect or --unprivileged
+> - User is root and want unprivileged UDP --> User needs to pass
+> --unprivileged or --udp-XXXXX (any suggestions?. --udp-sendto() may not
+> be the best idea because when we use raw sockets we also use sendto() to
+> transmit the data).
+
+* Support reverse DNS resolution in --traceroute
+
+* Implement TCP options
+
+* Implement hping-like ability to change the port/ttl using the keyboard
+ during a scan.
+
+* Disable ARP resolution when --source-mac is specified.
+
+* Implement --data-file option. What should we do if file is big? Read the
+ first X bytes? Send consecutive chunks?
+
+* Implement ICMP address mask
+
+* Implement entire ICMP Traceroute message opts.
+
+* Research on default IP Identification value. Kernel does not seem to like
+ value 0 because when set to zero, kernel changes it to some other value. When
+ we set it to something !=0, the kernel leaves our value untouched.
+
+* At some point in the future, implement weird ICMP Types. I think this would
+ let us make a difference to the rest of pings and packet creation tools
+ because anyone wanting to send weirds packes would have to download our
+ Nping ;-)
+ ( http://www.iana.org/assignments/icmp-parameters )
+ 6 Alternate Host Address [JBP]
+ 31 Datagram Conversion Error [RFC1475]
+ 32 Mobile Host Redirect [David Johnson]
+ 33 IPv6 Where-Are-You [Bill Simpson]
+ 34 IPv6 I-Am-Here [Bill Simpson]
+ 35 Mobile Registration Request [Bill Simpson]
+ 36 Mobile Registration Reply [Bill Simpson]
+ 39 SKIP [Markson]
+ 40 Photuris [RFC2521]
+
+* Implement checks in function that handles received packets:
+ Fyodor:
+ <<You can't assume that the filter always works right, so you do need to
+ validate the information anyway. For example, on windows in some cases
+ we have to change the filter to "" because it doesn't work otherwise
+ so, in actuality, I often end up with rather broad pcap filters and then
+ do the checking by hand, but tightening the pcap filter can improve
+ performance a bit.>>
+
+* Implement "-iL inputfilename (Input from list) " and the case where "-" is
+ supplied and target specs need to be read from stdin.
+
+* Consider adding option to allow sending NO packets but act as a
+ simple sniffer. Users could use --bpf-filter to specify a
+ tcpdump-like filter and get every receive packet printed to
+ stdout. Maybe with "-c 0"? "-c none"? We need to have some flag in
+ NpingOps so we don't terminate Nping but wait undefinitely.
+
+* At some point we should support nmap-like MAC specification.
+
+* When implementing IPv6, check MAX_TCP_PAYLOAD_LEN constant and method
+ TCPHeader::setSum(). Because with IPv6 the max payload length should be 20
+ bytes less than with the IPv4 header.
+
+* When using payloads, take into account that the IP and TCP headers may
+ contain options and therefore, the maximum payload len should be
+ 65535 - 20(ip header) - 40 (ip options) -20(tcp header) -20(tcp options);
+
+* Make sure randomnly generated checksums in IPv6-TCP/UDP are in fact invalid
+ and don't match the correct checksum.
+
+* Fyodor:
+ <<in some cases it might be nice to have an option which sends all
+ probes (all ports to all hosts) at the same time.>>
+
+* ARP mode does not support payload specification. However, users may
+ want to do things like appending null bytes at the end of an ARP
+ packet to test some device behaviour, etc. Adding support for
+ payload to this mode is really trivial, would make the payload spec
+ more consistent with the rest of the modes, and may be a nice to have
+ feature.
+
+* [EM] For CAPT packets, decide if we want to print the full info or
+ just the fields that have changed in transit (or both). Note that
+ printing differences would be complicated by the fact that nping
+ doesn't currently associate captured packets with the original send.
+
+* Decide if we want to allow things like "1074628148" or "0x400d8634" to
+ be treated as valid IP addresses.
+
+* Check out if --ip-options "RTUS 1.1.1.1 2.2.2.2" makes sense. It now
+ fails.
+
+* It may be nice to let users set the IP header lenght field. Maybe they
+ want to stress tcp/stacks with this.
+
+* Investigate on ICMP preference levels. It's not clear whether there is
+ a standard encoding or not. The logic that parses this in Nping needs
+ to be reviewed.
+
+* Split up libnetutil.cc into different source files.
+
+* Investigate on nping's version of devname2ipaddr. Think about side
+ effects on using that in Nmap.
+
+* Consider adding multi-packet support.
+ o Example: tell nping to send 4 tcp packets, 5 icmp packets and 3 udp packets
+
+* Consider adding RFC-style output for send/recv packets.
+
+* Consider adding more detailed stats for the Echo Mode.
+
+* [EM] Handle DLT types. Currently the server always sets the null DLT value
+ that indicates that no data link header is included.
+
+/*****************************************************************************
+ * Things that have been solved already *
+ *****************************************************************************/
+
+[DONE] Add default target port for TCP-Connect and TCP modes :: Port 80
+
+[DONE] Add default target port for UDP mode :: Port 40125
+
+[DONE] Add default UDP Source port: 53
+ JUSTIFICATION: From David's EffectivenessOfPingProbes
+ http://www.bamsoftware.com/wiki/Nmap/EffectivenessOfPingProbes
+ "The best individual UDP probes are still those to a random high port,
+ with a source port of 53 and a non-empty payload. Even without the source
+ port and payload, the ports 40125 and 40126 that I picked out of the air
+ are better choices than the current default of 31338, finding around 400
+ additional hosts."
+
+[DONE] Change resolution for the inter-ping delay. (Fyodor: btw, usleep() will
+ probably do the trick for you as it let's you sleep with microsecond
+ precision)
+
+[DONE] Use int send_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, unsigned int
+ packetlen) instead of ip_open();
+
+[DONE] Add protocol to BPF filterstring because It is possible that when in TCP mode
+ a UDP packet destined to the TCP source, arrives to the net iface and gets
+ printed.
+
+[DONE] Implement multiple port specification.
+
+[DONE] Implement ICMP router advertisement entries
+
+[DONE] Default probe mode: ICMP echo
+
+[DONE] Test ICMPv4Header::addRouterAdEntry() and check entries are being added
+ correctly.
+
+[DONE] Determine source IP address automatically
+
+[DONE] Determine network interface to be used for packet capture automatically
+
+[DONE] Add support for cached DNS requests
+
+[DONE] Start user documentation (mainly man page)
+
+[DONE] Change output to include timing information
+
+[DONE] Implement controls in payload options parsing to prevent specifying lengths
+ that cannot be carried by a single TCP/UDP packet.
+
+[DONE] Start implementing unprivileged UDP pings.
+
+[DONE] When sending ICMP packets, checksum is not being computed correcly if
+ --data-length, and options like that, are specified.
+
+[DONE] Find a bug that under some circumstances produces a segfault. It is probably
+ related to the way option -e is being handled.
+
+[DONE] Fix a bug in option "-e iface" that results on IP 2.0.0.0 being used as a
+ source address.
+
+[DONE] Update --help display to include new ICMP flags. Check also commandline syntax
+ docs.
+
+[DONE] Use nsock approach instead of threads.
+
+[DONE] Finish ARP/RARP support.
+
+[DONE] Change doc for option --count. We don't stop after N probes, we stop after
+ N rounds.
+
+[DONE] Ask Fyodor what tool is used to convert from nmap-man.xml to nmap.1
+
+[DONE] Check all outPrint()s and outError()s to ensure they specify the correct
+ verbosity/debug level.
+
+[DONE] Document format specified in ArgParser::atoICMPType().
+
+[DONE] Document format specified in ArgParser::atoICMPCode().
+
+[DONE] Finish implementing unprivileged UDP pings.
+
+[DONE] Finish Ethernet frame creation.
+
+[DONE] Find a way to convert the nping.xml into man page.
+
+[DONE] Check what happens if payload is specified and we are not sending TCP/UDP
+ but ICMP or other proto packets. [Sometimes it may not make sense to include
+ payloads (e.g. ARP) but we still allow it just in case users want to play
+ around].
+
+[DONE] Ask Fyodor whether we want to display elapsed time (like nmap) or we prefer to
+ display rtt time as other ping utilities do. [This is probably fine for now]
+
+[DONE] Fix the warnings produced by Fyodor's gcc.
+ +---------------+
+ NpingTargets.cc: In member function ‘int NpingTargets::processSpecs()’:
+ NpingTargets.cc:315: warning: comparison between signed and unsigned integer expressions
+ NpingTargets.cc: In member function ‘NpingTarget* NpingTargets::getNextTarget()’:
+ NpingTargets.cc:333: warning: comparison between signed and unsigned integer expressions
+ +---------------+
+ In file included from /usr/include/string.h:640,
+ from nbase/nbase.h:158,
+ from nping.h:107,
+ from utils.cc:95:
+ In function ‘void* memset(void*, int, size_t)’,
+ inlined from ‘int getNetworkInterfaceName(sockaddr_storage*, char*)’ at utils.cc:689:
+ /usr/include/bits/string3.h:85: warning: call to void* __builtin___memset_chk(void*, int, long unsigned int, long unsigned int) will always overflow destination buffer
+ +---------------+
+
+
+[DONE] Redesign verbosity levels:
+ * Put verbosity levels 2 into level 1
+ * Use level 2 for error.
+ * Use level 3 to print everything but not sent/rcv packets.
+ * Level 4 the usual
+
+[DONE] Add stats at the end of nping execution.
+
+[DONE] Add options to disable viewing of sent packets.
+
+[DONE] Add option to to disable packet capture.
+
+[DONE] Add a section to the man page explaining how we iterate over targets,
+ ports, etc.
+
+[DONE] Beta-testing email to the list.
+
+[DONE] Change default round count to 5.
+
+[DONE] Fix a segfault detected by Fyodor in trg=o.targets.findTarget(...).
+
+[DONE] Send an email to the list telling about the nping.exe file.
+
+[DONE] Support CTRL-C statistics.
+
+[DONE] Change "solution" file in mswin32/nmap.sln to nping.sln
+
+[DONE] In man page and -h: move Ethernet section so it appears after network
+ layer info.
+
+[DONE] Make rx time more accurate taking into account that we wait for a bit after
+ the last probe is sent.
+
+[DONE] Fix bug: add ICMP dest unreachable, etc to the BPF filter so we can get
+ icmp error messages when TTLs expire, etc.
+
+[DONE] Disable all ethernet related code when sendEth is false.
+
+[DONE] Finish porting Nping to Windows.
+
+[DONE] Find an OS X box to test Nping.
+
+[DONE] Reorganize verbosity levels (again ;-) [-3, +3].
+
+[DONE] Finish documentation for options --source-mac and --dest-mac
+
+[DONE] Make sure --ether-type supports specifying types in hex.
+
+[DONE] Implement verbosity level 3: in this level, sent and recv packets are
+ hexdumped to stdout.
+
+[DONE] Write and check in nping/index.html web site
+ - Include SVN checkout/install instructions
+ - include tarballs when available
+
+[DONE] Create Windows installer (maybe can copy a lot of stuff from what
+ Ithilgore has done with Ncrack)
+
+[DONE] Create Nping release tarball for UNIX systems
+
+[DONE] Release Nping 0.1BETA2
+
+[DONE] Man page should say Nping is currently in Alpha stage.
+
+[DONE] Support -vvv, -qqq and -ddd syntax. [Requested by Dirk Loss]
+
+[DONE] Create Mac OS X installer (also can probably copy a lot of stuff
+ from what Ithilgore has done with Ncrack. David can usually help
+ with installer building).
+
+[DONE] Move nping to /nping in SVN rather than being in nmap-exp
+
+[DONE] Set up automatic conversion from nping XML man page to HTML for
+ https://nmap.org/nping/man.html [Fyodor working on this]
+
+[DONE] Include signature files in new releases. [Requested by Henri Salo]
+[DONE] It would be nice to have Bzip2 packages. [Requested by Henri Salo]
+ (These last two don't make sense anymore as Nping is now distributed
+ with Nmap).
+
+[DONE] Do small fix in nmap's send_ip_packet_sd()
+ - res = Sendto("send_ip_packet", sd, packet, packetlen, 0,
+ + res = Sendto("send_ip_packet_sd", sd, packet, packetlen, 0,
+
+[DONE] Correct BPF filter specs, to make the condition about the source
+ address apply everywhere.
+
+[DONE] Fix possible bug in BPF filter specification. More details in
+ http://seclists.org/nmap-dev/2010/q2/252
+
+[DONE] Work on nping&nmap code merge.
+
+[DONE] For options that take numbers we need to allow users to specify them
+ also in hex with the format 0xNNNN...
+
+[DONE] Replace this pattern:
+ if ( isNumber_u32(optarg) ){
+ u32 aux32 = strtoul( optarg, NULL, 10);
+ ...
+ }
+ with a function that checks for syntax and returns the value (i.e., a wrapper
+ around strtoul). There is nowhere that isNumber_u* is called without it being
+ immediately followed by a strtoul, outside of utils.cc.
+
+[DONE] Bug in --icmp-advert-entry. Specified IPs are being set in host byte
+ order instead if in network byte order.
+
+[DONE] Investigate why ARP replies are not being received. Wireshark shows
+ replies but they don't get captured by Nping. The bpf filter looks
+ ok: "arp and arp[6]==0x00 and arp[7]==0x02"
+
+[DONE] Investigate into this:
+ sudo nping --icmp scanme.nmap.org -vvv -d1 --icmp-type ra --icmp-advert-entry 256.257.258.259,222
+ Invalid Router Advertising Entry specification: Unable to resolve 6628128
+ Apparently the call to outFatal() is specifying %d instead of %s, but
+ that's not being detected properly by the compiler, because we don't
+ get a warning. We have to do something like this:
+ void fatal(const char *fmt, ...)
+ __attribute__ ((noreturn))
+ __attribute__ ((format (printf, 1, 2)));
+ TODO: Look at the documentation to see what the numbers mean.
+ Probably one of the is the index of the format argument, and the
+ other is where the varargs start.
+
+[DONE] Fix division by zero exception:
+ sudo nping --icmp scanme.nmap.org -vvv -d1 --icmp-type echo --rate 0
+ ./test_nping.sh: line 83: 11690 Floating point exception"$@"
+
+[DONE] Fix little problem in TIMING_5. We need to detect the bogus time
+ before we actually pass the value to NpingOps. Nping is giving an
+ error but the bogus input is getting to far.
+
+[DONE] Document that badsum-ip may not always work because the kernel may
+ correct the sum.
+
+[DONE] Change overloaded functions in libnetutil that were refactored to
+ make them compile in C. Go back to the overloaded version if possible.
+
+[DONE] Move grab_next_host_spec() and pals to netutil.
+
+[DONE] Control the case when user passes "--mtu 0". An assertion fails but
+ Nping should print a nicer message.
+
+[DONE] Improve error message for --mtu. We should probably allow mtu's bigger
+ than 2^16 but take that as a "dont fragment" request. Also, make
+ "rand" produce only valid MTUs (multiple of 8, etc).
+
+[DONE] When passing "--tcp-flags 0x100" the error is not very accurate.
+ This is because parser_u8() fails and then Nping tries to resolve the
+ value letter by letter. Maybe we can parse_u32() it, and then check
+ if n<255 and print a better error message.
+
+[DONE] Document what happens with the IP header length when user wants to
+ add uneven bytes of IP options. We are truncating the result, because
+ the header length is expressed in 32 bit words.
+
+[DONE] Check if there is any problem with -e "". Maybe we shouldn't let users
+ supply a NULL name, but make them use the "any" specifier. Add doc
+ about this and update the test description (MISC_12).
+
+[DONE] Update documentation for option --delay, including that now, time
+ specification as float numbers is supported (eg: --delay 0.1 meaning 100ms)
+
+[DONE] Change info about TODO file in https://nmap.org/nping web page.
+ - If you wish to contribute code to Nping there is a TO-DO list you can have
+ - a look at (file "TODO" in the source package).
+ + If you wish to contribute code to Nping there is a TO-DO list you can have
+ + a look at (file "todo/nping.txt" in nmap's source package).
+
+[DONE] Make sure randomnly generated checksums are in fact invalid and don't match
+ the correct checksum. There is a 1/65535 chance of this happening.
+
+[DONE] After merging nmap-dedup, change send_frag_ip_packet() to take "u32 mtu"
+ and fix the printf below to use "%u" instead of "%i".
+
+[DONE] [EM] Update EchoProtoRFC.txt and any of the other design files as
+ appropriate and send to nmap-dev for comments
+
+[DONE] [EM] Pick a default port number
+
+[DONE] [EM] Make a mockup of the desired standard output in a regular echo mode
+ execution, like nping -c 2 --tcp --flags SYN -p 80 scanme.nmap.org (let's
+ assume there are some differences found, like a NAT is in place)
+ o A key aspect of this task is determining what diffs are going
+ to look like.
+
+[DONE] [EM] Things to decide on:
+ o Decide on packet specifiers that can be passed to the server so it
+ can recognize packets sent by the client even if a number of headers
+ have changed and pass them back. (see Fyodor/Luis IM discussion logs
+ from 6/28/10).
+
+[DONE] [EM] Improve client error handling. Currently it doesn't behave well when
+ the server crashes.
+
+[DONE] [EM] Make the client timeout if the server does not send data during
+ handshake. Currently the client waits forever.
+
+[DONE] [EM] Make the server detect when a client disconnects and delete its context
+ data.
+
+[DONE] [EM] Get rid of some messages that are currently displayed in the client.
+ Print them only if debugging level is high enough.
+
+[DONE] [EM] Make sure -h help screen includes info about the echo mode.
+
+[DONE] [EM] Add echo mode to the man page.
+
+[DONE] [EM] Add received echoed packet to the final statistics.
+
+[DONE] [EM] Multi-client support
+
+[DONE] [EM] Delay RECV message printing so the CAPT messages are shown in order.
+
+[DONE] [EM] Use NEP_QUIT only if necessary, just close connection if possible.
+
+[DONE] [EM] Implement crypto
+
+[DONE] [EM] Consider whether the CAPT line should (or should have an
+ option to) display the time based on capture time from the server.
+ Obviously this can be problematic because not all machines run
+ ntpd. One option is to just make it an option so that people should
+ only use it if both the client and server are running ntpd. Luis is
+ adding a precision timestamp to NEP_ECHO packets so we could easily
+ add it in the future. Another approach would be to do NTP-style
+ handshaking to compute time offsets between the two machines during
+ the echo side-channel handshaking. Then the client could remember
+ how far off it is. A third approach is to guess about the CAPT time
+ that it was 1/2 the time between packet send and when we received
+ the NEP_ECHO back notifying us of receipt.
+ NOTE: We finally decided to take the third approach. CAPT_time=RTT/2.
+
+[DONE] [EM] Consider whether we should delay RCVD packet printing
+ slightly so that CAPT packets received just slightly afterward could
+ be printed before the RCVD. This might make the most sense if we do
+ the previous feature where we show the time that a packet was
+ actually captured by echo server. If we did it in normal cases, it
+ might make it easier to compare SENT and CAPT packets, but would
+ also be a bit strange to see the timeline out-of-order.
+
+[DONE] Fix Windows rtt values. Right now Nsock does not seem to be giving
+ the callback at the proper time, or something.
+
+[DONE] Add --no-crypto to -h output.
+
+[DONE] Make sure nping does not allow generating packets with tcp src port or
+ tcp dst port 9929 (or --echo-port N, if that is set), because 1) the
+ echo server does not capture those packets and 2) to avoid messing up the
+ established side-channel tcp connection.
+
+[DONE] Add support for custom IP binding: if user supplies -S then
+ the echo side-channel connection and connections in TCP-Connect mode should be
+ established from that IP. This includes the echo server binding to that IP.
+
+[DONE] Make nping issue a warning when user supplies a payload in TCP-Connect
+ mode.
+
+[DONE] [EM] Echo server should print which interface is using to capture packets.
+
+[DONE] In some cases, when using nping through a VPN connection, nsi_pcap_linktype()
+ returns something different to DLT_EN10MB, and Nping fatals. Investigate
+ why this happens to nping and is not a problem for Nmap. Also, determine
+ why this doesn't happen all the time. What does it change between these
+ two?: sudo nping --udp 1.1.1.1 -g 999 -p998
+ sudo nping --udp 1.1.1.1 -g 999 -p999
+ The first one works, and the other one fatals with the "Currently only
+ Ethernet is supported." (error message @ nping.cc:1717).
+ - Note this also happens when Fyodor uses Nping tethering through
+ his cell phone (ppp0)
+
+[DONE] [EM] Make the server stop capturing packets when all connected clients
+ finish their session.
+
+[DONE] [EM] Some things to keep in mind for the implementation and to update
+ our design docs accordingly:
+ o Implement different "modes" for the server: complete access,
+ one-time-access, and restricted.
+
+[DONE] Do more testing on MS Windows.
+
+[DONE] [EM] Investigate why the echo server does not send NEP_ECHO messages when the
+ client sends probes at a very high rate, like in :
+ ./nping -c 1000 --rate 1000 --echo-client "pass" --icmp -v echo.nmap.org
+
+[DONE] [EM] Add echo mode to the man page
+
+
+[DONE] [EM] Do some extensive testing of the Echo mode once it is working
+ to try and flesh out any bugs before merging.
+
+[DONE] Make Nping call nsi_delete() on pcap IODs, IODs in TCP-Connect mode and maybe
+ in IODs of other modes. See http://seclists.org/nmap-dev/2010/q3/587
+
+[DONE] Fix bug that causes Nping to fail when sending UDP packets to a broadcast
+ address. More info: <http://seclists.org/nmap-dev/2010/q3/752>
+
+[DONE] When doing ICMP echo traceroute (with --traceroute), unless the user
+ supplies a custom round count (-c/--count), Nping only sends 5 packets
+ (default round count). This is usually not enough to reach hosts
+ on the internet. What should be the default behaviour? Stick with the
+ default round count of 5 or increment it when --traceroute is set?
+ - We should probably set -c 32 when --traceroute is specified,
+ unless user specifies their own -c explicitly.
+
+[DONE] Try to reduce the size of the internal buffer in the EchoHeader class.
+ Currenltly it allocates a big buffer that is able to hold the theoretical
+ maximum size of a NEP message (normal use does not require so much space).
+ When this is done, check if we still need to increase the stack size
+ in the project properties in Visual Studio.
+
+[DONE] [Fixed by Vasiliy Kulikov] When running Nping in ARP mode, hexdump of
+ ARP replies is not shown with -vvv, only for requests. Here's the output:
+
+sudo nping --arp 192.168.240.139 -vvv -d1
+
+Starting Nping 0.5.59BETA1 ( https://nmap.org/nping ) at 2011-07-11 12:32 CEST
+BPF-filter: arp and arp[6]==0x00 and arp[7]==0x02
+SENT (0.0562s) ARP who has 192.168.240.139? Tell 192.168.240.1
+0000 ff ff ff ff ff ff 00 50 56 c0 00 01 08 06 00 01 .......PV.......
+0010 08 00 06 04 00 01 00 50 56 c0 00 01 c0 a8 f0 01 .......PV.......
+0020 00 00 00 00 00 00 c0 a8 f0 8b ..........
+RCVD (0.0568s) ARP reply 192.168.240.139 is at 00:0C:29:E4:90:CD
+SENT (1.0580s) ARP who has 192.168.240.139? Tell 192.168.240.1
+0000 ff ff ff ff ff ff 00 50 56 c0 00 01 08 06 00 01 .......PV.......
+0010 08 00 06 04 00 01 00 50 56 c0 00 01 c0 a8 f0 01 .......PV.......
+0020 00 00 00 00 00 00 c0 a8 f0 8b ..........
+
+