Problems with scanning

Jun 4, 2011 at 12:12 AM

i'm new with pcap .net.
Like it, but there a few things.

1. I have the feeling that the reading of packets is very delayed.
2. To know the library better i tried to make a simple Syn Scanner.


_packetCommunicator = _livePacketDevice.Open(65536, PacketDeviceOpenAttributes.Promiscuous, 1000);

new Thread(delegate()
{_packetCommunicator.ReceivePackets(0, HandleResponse);}).Start()

foreach(Endpoint endPoint in endPoints)
{
    SendSyn(endPoint.Address, endPoint.Port);
}
.........................................
private void HandleResponse(Packet responsePacket)
{
    if (tcpDatagram.ControlBits != (TcpControlBits.Synchronize | TcpControlBits.Acknowledgment))
       return;

    if (SequenceNumber != tcpDatagram.AcknowledgmentNumber - 1)
       return;

    openEndPointItems.Add(ipV4Datagram.Source, tcpDatagram.SourcePort);
}
................................................

 

I send synchronise packets to different hosts and handle the response as an open port. This seems extremly fast. Just need some seconds for 1000 ip's.
But after 600-1200 ip's i dont get any response from my sendet synchronise packets. I wondering what is blocking. Its SendPacket(send without any exception) or ReceivePackets(still gets some other packets).
What is freaky "allways a unamed thread exits before this happends and its not my thread).

I dont think its my os (WinXP) with some querky settings. Nmap runns and other scanning software runs as well.
What happend when i send a synchronise without an reset ? Is there a open connection for the os or networkcard or they dont think about the packets sendet by capturing ?
Where is my bottle neck ? 

Coordinator
Jun 4, 2011 at 9:25 PM

Your OS does get the packets send to it.

It will either ignore them or send a RST packet probably.

Look at Wireshark what packets are sent and received and see whether you just stop sending packets or packets stop arriving.

If you just stop sending packets it means there is something wrong with the code you wrote, you can try adding debug logs.

If you stop receiving packets it might be because of various reasons. Something is blocking your sent packets, the receiver of your packets ignores them or something is blocking the packets sent from it.

You can also try to send it slower and see if it has anything to do with speed.

Jun 4, 2011 at 11:58 PM

thanks for your reply brickner,

It dont stop sending packets. Receiving packets works as well, too.
It's seems i just dont get any response after to many requests.
Something around 1000 synchronize  packets. 

I send 260000 requests to endpoints in 20 seconds. What do you think will block
this ? Router, ISP ?...

If i decrease the speed the same problem appears by 1000 requests in  5 seconds.
Other scanner work with the speed. How is this possible ? 

 

Jun 5, 2011 at 5:34 PM

made a filter and use a stack to receive packets. now its run like it should.

Coordinator
Jun 7, 2011 at 9:14 AM

I'm glad that you've solved it!

What was the problem and what kind of filter did you do to solve it?

Jun 7, 2011 at 11:26 AM

No, the filter was just for the performance.  

To receive all packets i introduce a generic stack collection and push all packets in the callback method.
In a other thread i pop the packets and proceed it.

The sending problem i solved with waiting 1 millisecond between sending.
Without waiting anytime it seems the ethernet device gets blocked. 

Coordinator
Jun 9, 2011 at 3:15 PM

It's true, if you don't handle the packets quickly enough, you can lose packets.

Nice solution.

Mar 22, 2012 at 6:38 PM

Hi Ayke,

I'd be very interested by your code with your generic stack collection and your other thread to do background packets processings.

I'm looking for exactly this functionnality... :)

Thanks for your help and have a nice day!

François

 

Mar 23, 2012 at 10:18 AM

I send y an pm.

Mar 23, 2012 at 10:43 AM
Edited Mar 23, 2012 at 10:45 AM

Thanks Ayke for your feed-back! Did you already sent it?

 

Jun 19, 2012 at 3:07 AM

I'd love to see it too. I'm trying to integrate a fast SYN scanner into an existing .NET-based network auditing tool that my company uses.

Jun 19, 2012 at 1:36 PM

I dont have the project anymore. Just do it like i said. If you have any problems you can ask.

Jun 20, 2012 at 12:44 AM

I've just been looking for something to get me started.. I've never really used pcap.net or done any packet-level programming before. The developer that used to develop this tool is long gone so I'm just kind of fumbling around in the dark ;-)

Jun 22, 2012 at 4:39 PM

sorry for you.