tcpdump mailing list archives
Help wanted on port scanner
From: "Ronald F. Guilmette" <rfg () monkeys com>
Date: Fri, 31 Oct 2003 20:19:56 -0800
Greetings all,

I've got a port scanner that I built with my own two little hands. It is built on top of libpcap and also libnet. It works just fine, some of the time. It's what it does the rest of the time that bothers me.

This is a simple-minded sort of port scanner that performs essentially the same function as nmap with the -sS option (SYN scan mode). But it doesn't really work all that well and I'm hoping that somebody on this list will be able to give me a hint.

In a nutshell, the thing uses the function in libnet to manufacture a TCP SYN packet. Once the packet has been manufactured, I use the `libnet_write_ip' function to send it on its way to the scan target. Prior to any sends however, I have forked off a separate process that uses libpcap just to listen for SYN+ACK response packets.

This all works fairly well, except that it ONLY seems to work when I insert a delay via:

    usleep(1);

after each packet send. Otherwise, when I do not have the inter-packet delay in there, a full port scan of any given IP address seems to finish almost instantaneously, but then no ports show up as "open" on the target.

This is extremely perplexing to me. It seems as if the underlying sendto() call being used within the implementation of `libnet_write_ip' is failing to block in cases where the packet to be sent cannot either be (a) immediately sent or else (b) buffered in kernel memory for the socket. Obviously if sendto() is known never to block when called for a RAW socket, then that could explain what I am seeing... i.e. the extra inter-packet delays that I artificially inserted with `usleep' are allowing the OS and the underlying hardware to ``catch up'' with my rate of packet sending, if and when I slow down the rate myself.

So now, my questions for you experts:

#1) Is sendto() known to never block on RAW sockets? If so, howz come I ain't never seen it say that anywhere on any of the numerous and sundry man pages I have been looking at?

#2) If sendto() does not block when writing to RAW sockets, then is there any other way for me to match the rate at which my little program calls sendto() to the actual rate that packets can be sent out of my ethernet card? (I would prefer it if packets didn't just get discarded willy-nilly, as that makes the results of the port scan dramatically less complete.)

#3) I read that there is another way of sending out packets, i.e. just simply writing them to the fd of the device file that is opened in some call to `pcap_open_live'. Would this be a better way to send packets out of my port scanner, i.e. better than trying to use the kernel's apparently unreliable `sendto' function to send them?

Oh yea, and by the way, for whatever it's worth, the main platform for my scanner is FreeBSD (only up to 4.7 at the moment - will upgrade soon), but I _really_ do need to have the scanner work on Solaris also.

Any help would be appreciated.

Regards,
rfg

P.S. One idea that occurred to me was that maybe I should use libpcap to _listen_ for my own outgoing packets, and then only send the next one when/if the last one has actually gotten sent out the interface. Is this a totally brilliant idea or (as I suspect) a totally dumb idea?

P.P.S. If you write to me off-list and if your message bounces, please don't feel insulted, and please DO use the contact form on my web site (www.monkeys.com) instead. (I have about half of the planet filtered out at the moment. Damn spammers!)
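The post describes the sender side of a SYN scan; the same libpcap capture path that the author uses to catch SYN+ACK replies is what a defender uses to notice a scan in progress. The following is an added example, not code from the original post and not part of libnet or libpcap: a small C detector that parses Ethernet/IPv4/TCP frames of the kind a pcap_loop callback would receive and counts, per source address, how many distinct destination ports received a bare SYN (SYN set, ACK clear). Frame bytes, addresses (192.0.2.10 as the scanning host, 192.0.2.20 as a normal client) and the threshold are constructed here so it runs offline; all function names are hypothetical. In a live deployment the frames would come from a capture opened with pcap_open_live and the filter "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn", so only half-open attempts reach the counter.

```c
/* Added example (not from the original post): a tiny SYN-scan detector that
 * parses Ethernet/IPv4/TCP frames as libpcap would hand them to a callback.
 * Frames are constructed inline so the program runs offline without libpcap.
 * All names here are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_LEN 14
#define TH_SYN 0x02
#define TH_ACK 0x10

struct tcp_summary {
    uint32_t src_ip;   /* host byte order */
    uint16_t dst_port; /* host byte order */
    uint8_t  flags;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse a raw Ethernet frame; returns 0 on success, -1 if not IPv4/TCP or truncated. */
int parse_tcp_frame(const uint8_t *buf, size_t len, struct tcp_summary *out) {
    if (len < ETH_LEN + 20) return -1;
    if (rd16(buf + 12) != 0x0800) return -1;          /* EtherType is not IPv4 */
    const uint8_t *ip = buf + ETH_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_LEN + ihl + 20) return -1;
    if (ip[9] != 6) return -1;                         /* protocol is not TCP */
    const uint8_t *tcp = ip + ihl;
    out->src_ip = rd32(ip + 12);
    out->dst_port = rd16(tcp + 2);
    out->flags = tcp[13];
    return 0;
}

/* Count distinct destination ports that received a bare SYN (SYN set, ACK clear)
 * from src_ip. A normal client touches few distinct ports this way; a SYN scan
 * touches many. Uses a 64 Kbit bitmap so repeats to one port count once. */
size_t distinct_syn_ports(const struct tcp_summary *pk, size_t n, uint32_t src_ip) {
    uint8_t seen[65536 / 8];
    memset(seen, 0, sizeof seen);
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (pk[i].src_ip != src_ip) continue;
        if ((pk[i].flags & (TH_SYN | TH_ACK)) != TH_SYN) continue;
        uint16_t p = pk[i].dst_port;
        if (!(seen[p >> 3] & (1u << (p & 7)))) {
            seen[p >> 3] |= (uint8_t)(1u << (p & 7));
            count++;
        }
    }
    return count;
}

/* Build a minimal 54-byte Ethernet/IPv4/TCP frame as constructed test input.
 * Checksums stay zero because the parser above does not verify them. */
size_t make_frame(uint8_t *buf, uint32_t src_ip, uint16_t dport, uint8_t flags) {
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                    /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_LEN;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = 6;   /* IHL 5, total len 40, TTL 64, TCP */
    ip[12] = (uint8_t)(src_ip >> 24); ip[13] = (uint8_t)(src_ip >> 16);
    ip[14] = (uint8_t)(src_ip >> 8);  ip[15] = (uint8_t)src_ip;
    ip[16] = 10; ip[17] = 0; ip[18] = 0; ip[19] = 9;   /* constructed dst 10.0.0.9 */
    uint8_t *tcp = ip + 20;
    tcp[0] = 0xc3; tcp[1] = 0x50;                      /* sport 50000 */
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50;                                    /* data offset 5 words */
    tcp[13] = flags;
    return 54;
}

/* Constructed capture: 192.0.2.10 sends bare SYNs to ten distinct ports while
 * 192.0.2.20 completes one ordinary handshake on 443. Writes each source's
 * distinct-SYN-port count and returns how many sources meet the threshold. */
int flagged_sources(size_t threshold, size_t *scanner_ports, size_t *client_ports) {
    uint8_t frame[54];
    struct tcp_summary pk[16];
    size_t n = 0;
    uint32_t scanner = 0xc000020a, client = 0xc0000214; /* 192.0.2.10, 192.0.2.20 */
    static const uint16_t ports[] = {21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080};
    for (size_t i = 0; i < 10; i++) {
        make_frame(frame, scanner, ports[i], TH_SYN);
        parse_tcp_frame(frame, 54, &pk[n++]);
    }
    make_frame(frame, client, 443, TH_SYN);   parse_tcp_frame(frame, 54, &pk[n++]);
    make_frame(frame, client, 443, TH_ACK);   parse_tcp_frame(frame, 54, &pk[n++]);
    make_frame(frame, client, 443, 0x18);     parse_tcp_frame(frame, 54, &pk[n++]); /* PSH|ACK data */
    *scanner_ports = distinct_syn_ports(pk, n, scanner);
    *client_ports = distinct_syn_ports(pk, n, client);
    return (*scanner_ports >= threshold) + (*client_ports >= threshold);
}

int main(void) {
    size_t s, c;
    int flagged = flagged_sources(5, &s, &c);
    printf("scanner distinct SYN ports=%zu, client=%zu, sources flagged=%d\n", s, c, flagged);
    return 0;
}
```

The distinct-port bitmap is the part that matters: a client retrying one port many times stays at a count of one, whereas a scan walks the port range and crosses any reasonable threshold within a second. A production version would also expire the bitmap per source on a time window, which this offline example omits.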