From owner-freebsd-net@FreeBSD.ORG Fri Oct 31 20:54:07 2003 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0CABE16A4CE for ; Fri, 31 Oct 2003 20:54:07 -0800 (PST) Received: from segfault.monkeys.com (segfault.monkeys.com [66.60.159.24]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7018943F3F for ; Fri, 31 Oct 2003 20:54:06 -0800 (PST) (envelope-from rfg@monkeys.com) Received: from monkeys.com (unknown [127.0.0.1]) by segfault.monkeys.com (Postfix) with ESMTP id 45D3841F5A for ; Fri, 31 Oct 2003 20:54:06 -0800 (PST) To: freebsd-net@freebsd.org Date: Fri, 31 Oct 2003 20:54:06 -0800 Message-ID: <22763.1067662446@monkeys.com> From: "Ronald F. Guilmette" Subject: Help wanted on port scanner X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 01 Nov 2003 04:54:07 -0000 Greetings all, I've got a port scanner that I built with my own two little hands. It is built on top of libpcap and also libnet. It works just fine, some of the time. It's what it does the rest of the time that bothers me. This is a simple-minded sort of port scanner that performs essentially the same function as nmap with the -sS option (SYN scan mode). But it doesn't really work all that well and I'm hoping that somebody on this list will be able to give me a hint. In a nutshell, the thing uses a function in libnet to manufacture a TCP SYN packet. Once the packet has been manufactured, I use the `libnet_write_ip' function to send it on its way to the scan target. Prior to any sends however, I fork off a separate process that uses libpcap just to listen for SYN+ACK response packets. This all works fairly well, except that it ONLY seems to work when I insert a delay via: usleep(1); after each packet sent. Otherwise, when I do not have the inter-packet delay in the program, a full port scan of any given target seems to finish almost instaneously, but then -zero- ports show up as "open" on the target. This is extremely perplexing to me. It seems as if the underlying sendto() call being used within the implementation of `libnet_write_ip' is failing to block in cases where the packet to be sent cannot either be immediately sent or else buffered in kernel memory. Obviously if sendto() is known to never block when called for a RAW socket, then that could explain what I am seeing... i.e. the extra inter-packet delays that I artifically inserted (with `usleep') are allowing the OS and the underlying hardware to ``catch up'' with my rate of packet sending. So now, my questions: #1) Is sendto() known to never block on RAW sockets? If so, how come I haven't ever seen it say that anywhere on any of the numerous and sundry man pages I have been looking at? #2) If sendto() does not block when writing to RAW sockets, then is there any other way for me to match the rate at which my little program calls sendto() to the actual rate that packets can be sent out of my ethernet card? (I would prefer it if packets didn't just get discarded willy-nilly, as that makes the results of the port scan dramatically less complete.) #3) I read that there is another way of sending out packets, i.e. just simply writing them to the fd of the device file that is opened in some call to `pcap_open_live'. Would this be a better way to send packets out of my port scanner, i.e. better than trying to use the kernel's apparently unreliable `sendto' function to send them? Oh yea, and by the way, for whatever it's worth, the main platform for my scanner is FreeBSD (only up to 4.7 at the moment - will upgrade soon), but I _really_ do need to have the scanner work on Solaris also. Any help would be appreciated. Regards, rfg P.S. One idea that occured to me was that maybe I should use libpcap to _listen_ for my own outgoing packets, and then only send the next one when/if the last one has actually gotten sent out the interface. Is this a totally brilliant idea or (as I suspect) a totally dumb idea? P.P.S. If you write to me off-list and if your message bounces, please don't feel insulted, and please DO use the contact form on my web site (www.monkeys.com) instead. (I have about half of the planet filtered out at the moment. Damn spammers!) I'm subscribed to freebsd-net now, so really the simplest thing would just be to reply on-list if you have any help or hints for me.