Help wanted on port scanner

["Ronald F. Guilmette" <rfg () monkeys com>]

Greetings all,

I've got a port scanner that I built with my own two little hands.
It is built on top of libpcap and also libnet.

It works just fine, some of the time.

It's what it does the rest of the time that bothers me.

This is a simple-minded sort of port scanner that performs essentially
the same function as nmap with the -sS option (SYN scan mode).  But
it doesn't really work all that well and I'm hoping that somebody on
this list will be able to give me a hint.

In a nutshell, the thing uses the function in libnet to manufacture
a TCP SYN packet.  Once the packet has been manufactured, I use the
`libnet_write_ip' function to send it on its way to the scan target.
Prior to any sends however, I have forked off a separate process that
uses libpcap just to listen for SYN+ACK response packets.

This all works fairly well, except that it ONLY seems to work when I
insert a delay via:

        usleep(1);

after each packet send.  Otherwise, when I do not have the inter-packet
delay in there, a full port scan of any given IP address seems to finish
almost instaneously, but then no ports show up as "open" on the target.

This is extremely perplexing to me.  It seems as if the underlying
sendto() call being used within the implementation of `libnet_write_ip'
is failing to block in cases where the packet to be sent cannot either
be (a) immediately sent or else (b) buffered in kernel memory for the
socket.

Obviously if sendto() is known never to block when called for a RAW
socket, then that could explain what I am seeing... i.e. the extra
inter-packet delays that I artifically inserted with `usleep' are
allowing the OS and the underlying hardware to ``catch up'' with my
rate of packet sending, if and when I slow down the rate myself.

So now, my questions for you experts:

#1)  Is sendto() known to never block on RAW sockets?  If so, howz come I
ain't never seen it say that anywhere on any of the numerous and sundry
man pages I have been looking at?

#2)  If sendto() does not block when writing to RAW sockets, then is there
any other way for me to match the rate at which my little program calls
sendto() to the actual rate that packets can be sent out of my ethernet
card?  (I would prefer it if packets didn't just get discarded willy-nilly,
as that makes the results of the port scan dramatically less complete.)

#3)  I read that there is another way of sending out packets, i.e. just
simply writing them to the fd of the device file that is opened in some
call to `pcap_open_live'.  Would this be a better way to send packets
out of my port scanner, i.e. better than trying to use the kernel's
apparently unreliable `sendto' function to send them?

Oh yea, and by the way, for whatever it's worth, the main platform for
my scanner is FreeBSD (only up to 4.7 at the moment - will upgrade soon),
but I _really_ do need to have the scanner work on Solaris also.

Any help would be appreciated.


Regards,
rfg


P.S.  One idea that occured to me was that maybe I should use libpcap to
_listen_ for my own outgoing packets, and then only send the next one
when/if the last one has actually gotten sent out the interface.  Is
this a totally brilliant idea or (as I suspect) a totally dumb idea?

P.P.S.  If you write to me off-list and if your messages bounces, please
don't fell insulted, and please DO use the contact form on my web site
(www.monkeys.com) instead.  (I have about half of the planet filtered
out at the moment.  Damn spammers!)
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe