Pcap.Net

ayke

Jun 3, 2011 at 11:12 PM

i'm new with pcap .net.
Like it, but there a few things.

1. I have the feeling that the reading of packets is very delayed.
2. To know the library better i tried to make a simple Syn Scanner.

_packetCommunicator = _livePacketDevice.Open(65536, PacketDeviceOpenAttributes.Promiscuous, 1000);

new Thread(delegate()
{_packetCommunicator.ReceivePackets(0, HandleResponse);}).Start()

foreach(Endpoint endPoint in endPoints)
{
    SendSyn(endPoint.Address, endPoint.Port);
}
.........................................
private void HandleResponse(Packet responsePacket)
{
    if (tcpDatagram.ControlBits != (TcpControlBits.Synchronize | TcpControlBits.Acknowledgment))
       return;

    if (SequenceNumber != tcpDatagram.AcknowledgmentNumber - 1)
       return;

    openEndPointItems.Add(ipV4Datagram.Source, tcpDatagram.SourcePort);
}
................................................

I send synchronise packets to different hosts and handle the response as an open port. This seems extremly fast. Just need some seconds for 1000 ip's.
But after 600-1200 ip's i dont get any response from my sendet synchronise packets. I wondering what is blocking. Its SendPacket(send without any exception) or ReceivePackets(still gets some other packets).
What is freaky "allways a unamed thread exits before this happends and its not my thread).

I dont think its my os (WinXP) with some querky settings. Nmap runns and other scanning software runs as well.
What happend when i send a synchronise without an reset ? Is there a open connection for the os or networkcard or they dont think about the packets sendet by capturing ?
Where is my bottle neck ?

brickner

Coordinator

Jun 4, 2011 at 8:25 PM

Your OS does get the packets send to it.

It will either ignore them or send a RST packet probably.

Look at Wireshark what packets are sent and received and see whether you just stop sending packets or packets stop arriving.

If you just stop sending packets it means there is something wrong with the code you wrote, you can try adding debug logs.

If you stop receiving packets it might be because of various reasons. Something is blocking your sent packets, the receiver of your packets ignores them or something is blocking the packets sent from it.

You can also try to send it slower and see if it has anything to do with speed.

ayke

Jun 4, 2011 at 10:58 PM

thanks for your reply brickner,

It dont stop sending packets. Receiving packets works as well, too.
It's seems i just dont get any response after to many requests.
Something around 1000 synchronize packets.

I send 260000 requests to endpoints in 20 seconds. What do you think will block
this ? Router, ISP ?...

If i decrease the speed the same problem appears by 1000 requests in 5 seconds.
Other scanner work with the speed. How is this possible ?

ayke

Jun 5, 2011 at 4:34 PM

made a filter and use a stack to receive packets. now its run like it should.

brickner

Coordinator

Jun 7, 2011 at 8:14 AM

I'm glad that you've solved it!

What was the problem and what kind of filter did you do to solve it?

ayke

Jun 7, 2011 at 10:26 AM

No, the filter was just for the performance.

To receive all packets i introduce a generic stack collection and push all packets in the callback method.
In a other thread i pop the packets and proceed it.

The sending problem i solved with waiting 1 millisecond between sending.
Without waiting anytime it seems the ethernet device gets blocked.

brickner

Coordinator

Jun 9, 2011 at 2:15 PM

It's true, if you don't handle the packets quickly enough, you can lose packets.

Nice solution.

FrancoisM

Mar 22, 2012 at 5:38 PM

Hi Ayke,

I'd be very interested by your code with your generic stack collection and your other thread to do background packets processings.

I'm looking for exactly this functionnality... :)

Thanks for your help and have a nice day!

François

ayke

Mar 23, 2012 at 9:18 AM

I send y an pm.

FrancoisM

Mar 23, 2012 at 9:43 AM

Edited Mar 23, 2012 at 9:45 AM

Thanks Ayke for your feed-back! Did you already sent it?

TKraken

Jun 19, 2012 at 2:07 AM

I'd love to see it too. I'm trying to integrate a fast SYN scanner into an existing .NET-based network auditing tool that my company uses.

ayke

Jun 19, 2012 at 12:36 PM

I dont have the project anymore. Just do it like i said. If you have any problems you can ask.

TKraken

Jun 19, 2012 at 11:44 PM

I've just been looking for something to get me started.. I've never really used pcap.net or done any packet-level programming before. The developer that used to develop this tool is long gone so I'm just kind of fumbling around in the dark ;-)

ayke

Jun 22, 2012 at 3:39 PM

sorry for you.

ayke Jun 3, 2011 at 11:12 PM	i'm new with pcap .net. Like it, but there a few things. 1. I have the feeling that the reading of packets is very delayed. 2. To know the library better i tried to make a simple Syn Scanner. _packetCommunicator = _livePacketDevice.Open(65536, PacketDeviceOpenAttributes.Promiscuous, 1000); new Thread(delegate() {_packetCommunicator.ReceivePackets(0, HandleResponse);}).Start() foreach(Endpoint endPoint in endPoints) { SendSyn(endPoint.Address, endPoint.Port); } ......................................... private void HandleResponse(Packet responsePacket) { if (tcpDatagram.ControlBits != (TcpControlBits.Synchronize \| TcpControlBits.Acknowledgment)) return; if (SequenceNumber != tcpDatagram.AcknowledgmentNumber - 1) return; openEndPointItems.Add(ipV4Datagram.Source, tcpDatagram.SourcePort); } ................................................ I send synchronise packets to different hosts and handle the response as an open port. This seems extremly fast. Just need some seconds for 1000 ip's. But after 600-1200 ip's i dont get any response from my sendet synchronise packets. I wondering what is blocking. Its SendPacket(send without any exception) or ReceivePackets(still gets some other packets). What is freaky "allways a unamed thread exits before this happends and its not my thread). I dont think its my os (WinXP) with some querky settings. Nmap runns and other scanning software runs as well. What happend when i send a synchronise without an reset ? Is there a open connection for the os or networkcard or they dont think about the packets sendet by capturing ? Where is my bottle neck ?

brickner Coordinator Jun 4, 2011 at 8:25 PM	Your OS does get the packets send to it. It will either ignore them or send a RST packet probably. Look at Wireshark what packets are sent and received and see whether you just stop sending packets or packets stop arriving. If you just stop sending packets it means there is something wrong with the code you wrote, you can try adding debug logs. If you stop receiving packets it might be because of various reasons. Something is blocking your sent packets, the receiver of your packets ignores them or something is blocking the packets sent from it. You can also try to send it slower and see if it has anything to do with speed.

ayke Jun 4, 2011 at 10:58 PM	thanks for your reply brickner, It dont stop sending packets. Receiving packets works as well, too. It's seems i just dont get any response after to many requests. Something around 1000 synchronize packets. I send 260000 requests to endpoints in 20 seconds. What do you think will block this ? Router, ISP ?... If i decrease the speed the same problem appears by 1000 requests in 5 seconds. Other scanner work with the speed. How is this possible ?

ayke Jun 5, 2011 at 4:34 PM	made a filter and use a stack to receive packets. now its run like it should.

brickner Coordinator Jun 7, 2011 at 8:14 AM	I'm glad that you've solved it! What was the problem and what kind of filter did you do to solve it?

ayke Jun 7, 2011 at 10:26 AM	No, the filter was just for the performance. To receive all packets i introduce a generic stack collection and push all packets in the callback method. In a other thread i pop the packets and proceed it. The sending problem i solved with waiting 1 millisecond between sending. Without waiting anytime it seems the ethernet device gets blocked.

brickner Coordinator Jun 9, 2011 at 2:15 PM	It's true, if you don't handle the packets quickly enough, you can lose packets. Nice solution.

FrancoisM Mar 22, 2012 at 5:38 PM	Hi Ayke, I'd be very interested by your code with your generic stack collection and your other thread to do background packets processings. I'm looking for exactly this functionnality... :) Thanks for your help and have a nice day! François

ayke Mar 23, 2012 at 9:18 AM	I send y an pm.

FrancoisM Mar 23, 2012 at 9:43 AM Edited Mar 23, 2012 at 9:45 AM	Thanks Ayke for your feed-back! Did you already sent it?

TKraken Jun 19, 2012 at 2:07 AM	I'd love to see it too. I'm trying to integrate a fast SYN scanner into an existing .NET-based network auditing tool that my company uses.

ayke Jun 19, 2012 at 12:36 PM	I dont have the project anymore. Just do it like i said. If you have any problems you can ask.

TKraken Jun 19, 2012 at 11:44 PM	I've just been looking for something to get me started.. I've never really used pcap.net or done any packet-level programming before. The developer that used to develop this tool is long gone so I'm just kind of fumbling around in the dark ;-)

ayke Jun 22, 2012 at 3:39 PM	sorry for you.

Updating...

Problems with scanning

Text Formatting

Lists

Quotes

Code

References

Updating...

Problems with scanning

Text Formatting

Lists

Quotes

Code

References

Delete Post X

Delete Thread X