Re: Problematic libpcap on Ubuntu 14.04

[Daniel Miller <bonsaiviking () gmail com>]

On Mon, Jun 23, 2014 at 7:28 PM, <nnposter () users sourceforge net> wrote:

> Hello,
> Perhaps it is a known issue but I am experiencing a problem with nmap
> when compiled with libpcap from Ubuntu 14.04 LTS (libpcap0.8 1.5.3-2).
> There is a clear speed difference and the performance is outright
> horrible when executed in a virtualized environment.
>
> Specifically, I am observing the following when running a simple syn scan
> ("-v -n") with rev.33049:
>
> * 12.04 on bare metal: ~0.2s
> * 14.04 on bare metal: ~2s
> * 14.04 on bare metal, --with-libpcap=included: ~0.3s
> * 12.04 on Win7 VMware Wkstn: <0.1s
> * 14.04 on Win7 VMware Wkstn: 4-80s, reported packet loss (see below)
> * 14.04 on Win7 VMware Wkstn, --with-libpcap=included: ~0.2s
>
> Increasing send delay for A.B.C.D from 0 to 5 due to 36 out of 119 dropped
> probes since last increase.
> Increasing send delay for A.B.C.D from 5 to 10 due to 12 out of 40 dropped
> probes since last increase.
> Increasing send delay for A.B.C.D from 10 to 20 due to 11 out of 29
> dropped probes since last increase.
> Increasing send delay for A.B.C.D from 20 to 40 due to 11 out of 25
> dropped probes since last increase.
> Increasing send delay for A.B.C.D from 40 to 80 due to 11 out of 29
> dropped probes since last increase.
>
> OS configuration does not appear to be relevant:
>
> * 14.04 Desktop, Server, and Minimal Server Build are all problematic.
> * Lance, vmxnet3, and e1000 NICs are all problematic.
> * Bridged and NATed modes are both problematic.
> * Kernels 3.13.0-24 and -29 are both problematic.
> * Uni- and SMP are both problematic.
> * VMware Tools and Open VM Tools are both problematic.
>
> Network observations:
>
> * All outbound and inbound packets have correct IP and TCP checksums
>   (as observed by Wireshark instances on both the VMware host and the
>   guest).
> * All SYN packets were responded to and the responses were received
>   by the VMware host and the guest. In other words, no actual packet
>   loss seems to occur.
>
> The obvious hypothesis is that libpcap in Ubuntu 14.04 is somehow
> broken. However, it is worth noting that the bundled Wireshark,
> specifically dumpcap, does use the shared libpcap and it did not have
> problem with keeping track of the scan.
>
> Potentially relevant discussion:
> http://seclists.org/nmap-dev/2014/q2/341
>
>
> Cheers,
> nnposter
I've posted a few notes on the bug report that you submitted [1], but I'm
replying here to bring in some more expertise, I hope.

The basic problem I'm seeing is a call to select() on a pcap fd (returned
by pcap_get_selectable_fd) which returns the fd ready for reading but only
*after* the timeout has expired. I'm pretty sure this is causing us to miss
results, or at least to timeout on probes when we really did receive a
response.

I'm not really sure what to do here: I don't see a bug in Nmap's code, but
I would really like to get this fixed for everyone using Ubuntu. The
performance hits are really quite bad, and likely to get worse with longer
scans, since these ping timeouts will result in increased scan delays,
which is one of Nmap's worst performance killers.

Dan

[1] https://github.com/nmap/nmap/issues/34

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/