New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[nmap] WARNING: eth_send of ARP packet returned -1 rather than expected 42 #1423

Closed
NBaH2 opened this Issue Jan 1, 2019 · 14 comments

Comments

Projects
None yet
10 participants
@NBaH2
Copy link

NBaH2 commented Jan 1, 2019

hi,

i'm using ArchLinux with kernel 4.20.0, and I get this warning when I scan LAN:

# nmap -sn -PR -oG - 192.168.1.1
# Nmap 7.70 scan initiated Tue Jan  1 17:30:58 2019 as: nmap -sn -PR -oG - 192.168.1.1
WARNING: eth_send of ARP packet returned -1 rather than expected 42 (errno=22: Invalid argument)
WARNING: eth_send of ARP packet returned -1 rather than expected 42 (errno=22: Invalid argument)
# Nmap done at Tue Jan  1 17:30:58 2019 -- 1 IP address (0 hosts up) scanned in 0.49 seconds

there are some other descriptions here

@hifi25nl

This comment has been minimized.

Copy link

hifi25nl commented Jan 2, 2019

Same problem also on aarch64 and armv7h

@frostworx

This comment has been minimized.

Copy link

frostworx commented Jan 2, 2019

same here on several linux-4.20.0 arch machines. but as nmap works fine with linux-4.19.x this might be a kernel upstream (or arch patch) bug.

@sogasawara

This comment has been minimized.

Copy link

sogasawara commented Jan 3, 2019

I'm having the same issue with CentOS, Ubuntu, and Arch linux distro's.

Anything running 4.20.0 is reporting this issue while scanning.

Linux XXXXXX 4.20.0-1.el7.elrepo.x86_64 #1 SMP Sun Dec 23 20:11:51 EST 2018 x86_64 x86_64 x86_64 GNU/Linux

Linux XXXXXXX 4.20.0-042000-generic #201812232030 SMP Mon Dec 24 01:32:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Linux XXXXXXX 4.20.0-arch1-1-ARCH #1 SMP PREEMPT Mon Dec 24 03:00:40 UTC 2018 x86_64 GNU/Linux
@breiting

This comment has been minimized.

Copy link

breiting commented Jan 4, 2019

The same on my machine with the following command sudo nmap -sn 192.168.0.0/24, Arch with kernel 4.20.0-arch1-1-ARCH

@macstibs

This comment has been minimized.

Copy link

macstibs commented Jan 7, 2019

Ubuntu 18.04 with 4.20.0 kernel - same error running nmap on any target
Can also confirm reverting to 4.19.13 allows nmap to run without incident.

Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.0g nmap-libssh2-1.8.0 libz-1.2.8 libpcre-8.39 libpcap-1.8.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

@dmiller-nmap

This comment has been minimized.

Copy link

dmiller-nmap commented Jan 9, 2019

Thanks everyone for reporting this. I'm currently diffing kernel sources to see what might have changed, but I need to know more about what Nmap's state is at the time that the problem occurs. If someone could provide output from the following command it would be very helpful (one target only, please, to limit output. Not the whole LAN!):

sudo strace -e trace=sendto -- nmap -n -sn 192.168.1.1 -d4
@frostworx

This comment has been minimized.

Copy link

frostworx commented Jan 10, 2019

thank you for looking into this!
tried to find something useful too using strace and kernel diffs but haven't found anything useful :)
here's your output:

`# strace -e trace=sendto -- nmap -n -sn 192.168.2.4 -d4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-10 05:10 CET
Fetchfile found /usr/bin/../share/nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
Fetchfile found /usr/bin/../share/nmap/nmap-payloads
Initiating ARP Ping Scan at 05:10
Scanning 192.168.2.4 [1 port]
Packet capture filter (device enp0s31f6): arp and arp[18:4] = 0xB06EBFCE and arp[22:2] = 0x6355
sendto(4, "\377\377\377\377\377\377\260n\277\316cU\10\6\0\1\10\0\6\4\0\1\260n\277\316cU\300\250\2\2"..., 42, 0, {sa_family=AF_PACKET, sll_protocol=htons(ETH_P_ARP), sll_ifindex=if_nametoindex("enp0s31f6"), sll_hatype=ARPHRD_NETROM, sll_pkttype=PACKET_HOST, sll_halen=0}, 20) = -1 EINVAL (Das Argument ist ungültig)
WARNING: eth_send of ARP packet returned -1 rather than expected 42 (errno=22: Invalid argument)
SENT (0.0606s) ARP who-has 192.168.2.4 tell 192.168.2.2
TIMING STATS (0.0658s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
Groupstats (1/1 incomplete): 1/////* 10.00/75/* 200000/-1/-1
192.168.2.4: 1/0/0/1/0/0 10.00/75/0 200000/-1/-1
Current sending rates: 19.74 packets / s, 829.15 bytes / s.
Overall sending rates: 19.74 packets / s, 829.15 bytes / s.
sendto(4, "\377\377\377\377\377\377\260n\277\316cU\10\6\0\1\10\0\6\4\0\1\260n\277\316cU\300\250\2\2"..., 42, 0, {sa_family=AF_PACKET, sll_protocol=htons(ETH_P_ARP), sll_ifindex=if_nametoindex("enp0s31f6"), sll_hatype=ARPHRD_NETROM, sll_pkttype=PACKET_HOST, sll_halen=0}, 20) = -1 EINVAL (Das Argument ist ungültig)
WARNING: eth_send of ARP packet returned -1 rather than expected 42 (errno=22: Invalid argument)
SENT (0.2614s) ARP who-has 192.168.2.4 tell 192.168.2.2
TIMING STATS (0.2619s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
Groupstats (1/1 incomplete): 1/////* 10.00/75/* 200000/-1/-1
192.168.2.4: 1/0/0/2/0/0 10.00/75/0 200000/-1/-1
Current sending rates: 8.10 packets / s, 340.40 bytes / s.
Overall sending rates: 8.10 packets / s, 340.40 bytes / s.
TIMING STATS (0.4625s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
Groupstats (1/1 incomplete): 0/////* 10.00/75/* 200000/-1/-1
192.168.2.4: 0/0/0/2/1/0 10.00/75/0 200000/-1/-1
Current sending rates: 4.47 packets / s, 187.75 bytes / s.
Overall sending rates: 4.47 packets / s, 187.75 bytes / s.
ultrascan_host_probe_update called for machine 192.168.2.4 state UNKNOWN -> HOST_DOWN (trynum 1 time: 203551)
Moving 192.168.2.4 to completed hosts list with 1 outstanding probe.

  • ARP
    Completed ARP Ping Scan at 05:10, 0.45s elapsed (1 total hosts)
    Overall sending rates: 4.44 packets / s, 186.63 bytes / s.
    pcap stats: 0 packets received by filter, 0 dropped by kernel.
    Nmap scan report for 192.168.2.4 [host down, received no-response]
    Read from /usr/bin/../share/nmap: nmap-payloads.
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 0.52 seconds
    Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
    +++ exited with 0 +++`
@Cave-Johnson

This comment has been minimized.

Copy link

Cave-Johnson commented Jan 10, 2019

Same here on Ubuntu 18.04 using kernel 4.20.0-042000-generic #201812232030

Output for the strace:

sudo strace -e trace=sendto -- nmap -n -sn 192.168.1.1 -d4
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-01-10 10:22 GMT
Fetchfile found /usr/local/bin/../share/nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found /usr/local/bin/../share/nmap/nmap-payloads
Initiating ARP Ping Scan at 10:22
Scanning 192.168.1.1 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x28F10E16 and arp[22:2] = 0xEAD6
Ultrascan timeout init for 192.168.1.1 at 1547115735.405084
sendto(4, "\377\377\377\377\377\377(\361\16\26\352\326\10\6\0\1\10\0\6\4\0\1(\361\16\26\352\326\300\250\1\25"..., 42, 0, {sa_family=AF_PACKET, sll_protocol=htons(ETH_P_ARP), sll_ifindex=if_nametoindex("eth0"), sll_hatype=ARPHRD_NETROM, sll_pkttype=PACKET_HOST, sll_halen=0}, 20) = -1 EINVAL (Invalid argument)
WARNING: eth_send of ARP packet returned -1 rather than expected 42 (errno=22: Invalid argument)
SENT (0.0548s) ARP who-has 192.168.1.1 tell 192.168.1.21
**TIMING STATS** (0.0551s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 200000/-1/-1
   192.168.1.1: 1/0/0/1/0/0 10.00/75/0 200000/-1/-1
Current sending rates: 19.61 packets / s, 823.51 bytes / s.
Overall sending rates: 19.61 packets / s, 823.51 bytes / s.
sendto(4, "\377\377\377\377\377\377(\361\16\26\352\326\10\6\0\1\10\0\6\4\0\1(\361\16\26\352\326\300\250\1\25"..., 42, 0, {sa_family=AF_PACKET, sll_protocol=htons(ETH_P_ARP), sll_ifindex=if_nametoindex("eth0"), sll_hatype=ARPHRD_NETROM, sll_pkttype=PACKET_HOST, sll_halen=0}, 20) = -1 EINVAL (Invalid argument)
WARNING: eth_send of ARP packet returned -1 rather than expected 42 (errno=22: Invalid argument)
SENT (0.2554s) ARP who-has 192.168.1.1 tell 192.168.1.21
**TIMING STATS** (0.2557s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 200000/-1/-1
   192.168.1.1: 1/0/0/2/0/0 10.00/75/0 200000/-1/-1
Current sending rates: 7.95 packets / s, 333.81 bytes / s.
Overall sending rates: 7.95 packets / s, 333.81 bytes / s.
**TIMING STATS** (0.4559s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 0/*/*/*/*/* 10.00/75/* 200000/-1/-1
   192.168.1.1: 0/0/0/2/1/0 10.00/75/0 200000/-1/-1
Current sending rates: 4.43 packets / s, 185.91 bytes / s.
Overall sending rates: 4.43 packets / s, 185.91 bytes / s.
ultrascan_host_probe_update called for machine 192.168.1.1 state UNKNOWN -> HOST_DOWN (trynum 1 time: 202890)
Moving 192.168.1.1 to completed hosts list with 1 outstanding probe.
* ARP
Completed ARP Ping Scan at 10:22, 0.45s elapsed (1 total hosts)
Overall sending rates: 4.40 packets / s, 184.89 bytes / s.
pcap stats: 8 packets received by filter, 0 dropped by kernel.
Nmap scan report for 192.168.1.1 [host down, received no-response]
Read from /usr/local/bin/../share/nmap: nmap-payloads.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.50 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
+++ exited with 0 +++

@dkudriavtsev

This comment has been minimized.

Copy link

dkudriavtsev commented Jan 10, 2019

Same on Arch

Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-10 03:39 PST
Fetchfile found /usr/bin/../share/nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found /usr/bin/../share/nmap/nmap-payloads
Initiating ARP Ping Scan at 03:39
sendto(4, "\377\377\377\377\377\377\374\252\24u\247\256\10\6\0\1\10\0\6\4\0\1\374\252\24u\247\256\n\n\n2"..., 42, 0, {sa_family=AF_PACKET, sll_protocol=htons(ETH_P_ARP), sll_ifindex=if_nametoindex("eno1"), sll_hatype=ARPHRD_NETROM, sll_pkttype=PACKET_HOST, sll_halen=0}, 20) = -1 EINVAL (Invalid argument)
Scanning 10.10.10.1 [1 port]
Packet capture filter (device eno1): arp and arp[18:4] = 0xFCAA1475 and arp[22:2] = 0xA7AE
WARNING: eth_send of ARP packet returned -1 rather than expected 42 (errno=22: Invalid argument)
sendto(4, "\377\377\377\377\377\377\374\252\24u\247\256\10\6\0\1\10\0\6\4\0\1\374\252\24u\247\256\n\n\n2"..., 42, 0, {sa_family=AF_PACKET, sll_protocol=htons(ETH_P_ARP), sll_ifindex=if_nametoindex("eno1"), sll_hatype=ARPHRD_NETROM, sll_pkttype=PACKET_HOST, sll_halen=0}, 20) = -1 EINVAL (Invalid argument)
SENT (0.0335s) ARP who-has 10.10.10.1 tell 10.10.10.50
**TIMING STATS** (0.0337s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 200000/-1/-1
   10.10.10.1: 1/0/0/1/0/0 10.00/75/0 200000/-1/-1
Current sending rates: 33.89 packets / s, 1423.20 bytes / s.
Overall sending rates: 33.89 packets / s, 1423.20 bytes / s.
WARNING: eth_send of ARP packet returned -1 rather than expected 42 (errno=22: Invalid argument)
SENT (0.2339s) ARP who-has 10.10.10.1 tell 10.10.10.50
**TIMING STATS** (0.2340s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 200000/-1/-1
   10.10.10.1: 1/0/0/2/0/0 10.00/75/0 200000/-1/-1
Current sending rates: 8.70 packets / s, 365.40 bytes / s.
Overall sending rates: 8.70 packets / s, 365.40 bytes / s.
**TIMING STATS** (0.4342s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 0/*/*/*/*/* 10.00/75/* 200000/-1/-1
   10.10.10.1: 0/0/0/2/1/0 10.00/75/0 200000/-1/-1
Current sending rates: 4.65 packets / s, 195.32 bytes / s.
Overall sending rates: 4.65 packets / s, 195.32 bytes / s.
ultrascan_host_probe_update called for machine 10.10.10.1 state UNKNOWN -> HOST_DOWN (trynum 1 time: 202432)
Moving 10.10.10.1 to completed hosts list with 1 outstanding probe.
* ARP
Completed ARP Ping Scan at 03:39, 0.43s elapsed (1 total hosts)
Overall sending rates: 4.63 packets / s, 194.38 bytes / s.
pcap stats: 0 packets received by filter, 0 dropped by kernel.
Nmap scan report for 10.10.10.1 [host down, received no-response]
Read from /usr/bin/../share/nmap: nmap-payloads.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.46 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
+++ exited with 0 +++
@dmiller-nmap

This comment has been minimized.

Copy link

dmiller-nmap commented Jan 10, 2019

Thanks everyone. I'll look over these results, but no need to send more at the moment.

@dmiller-nmap

This comment has been minimized.

Copy link

dmiller-nmap commented Jan 10, 2019

I think this might be a bug in Linux 4.20's AF_PACKET support, based on this fix in 4.20.1: torvalds/linux@6b8d95f

Can anyone upgrade to 4.20.1 and confirm whether Nmap ARP scan works again?

@michaelletzgus

This comment has been minimized.

Copy link

michaelletzgus commented Jan 12, 2019

Works with nmap 7.40 @ Kernel 4.20.1.

@frostworx

This comment has been minimized.

Copy link

frostworx commented Jan 14, 2019

also works fine with nmap-7.70 and 4.20.1-arch1-1-ARCH
thanks a lot! :)

@dmiller-nmap

This comment has been minimized.

Copy link

dmiller-nmap commented Jan 14, 2019

Awesome! I'm closing this issue, then, since the problem turned out to be a Linux kernel bug (not for the first time, and probably not the last).

@dmiller-nmap dmiller-nmap removed the bug label Jan 14, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment