getting quick arp request

seb

Hello,

****************
What I need :
****************

I need to write a scanner that tests all the IP addresses that respond on
a given port.
The IP list is roughly of length 200.
I need to get the response every 60 seconds (or better).

I would prefer first not to use nmap.

****************
Configuration :
*****************
Python 2.4.1.
To test what is going on I use ethereal.
I am using winXP pro on a 2GHZ P4 and 512 MB.

***********
Problem :
***********

I tried to implement a simplistic threaded version where each thread is
opening a blocking socket on the IP and port.

I have monitored using ethereal that I get one ARP query every second
roughly.

I am expecting a speed on the same order of magnitude as the one that
one can get from a standard IP/port scanner. To compare, I have used
Angry IP scanner and I have seen that roughly 200 ARP requests were
sent in 20 seconds.

*******
Also :
*******

I have also considered using some asynchronous connections but AFAIK you
need first to open the socket and so use the ARP protocol.


Thanks in advance for your help.

Sebastien.

*****************
Code sample :
*****************

# Sebastien 6/9/2006 for testing purposes
# (Python 2.4 code; indentation restored)

import time
import Queue
from threading import Thread
import socket

try:
    import psyco          # optional JIT, silently skipped if not installed
    psyco.full()
except ImportError:
    pass


class socket_test(Thread):
    """One thread per address: open a blocking TCP socket on self.PORT."""

    def __init__(self, adresse):
        Thread.__init__(self)
        self.PORT = 21
        self.adresse = str(adresse)
        print "in thread adresse = ", self.adresse
        self.service = []
        self.start()

    def run(self):
        service_unit = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        service_unit.setblocking(1)   # blocking connect, no timeout is set
        print "socket Ip = ", self.adresse

        try:
            service_unit.connect((self.adresse, self.PORT))
        except Exception, e:
            print "exception ", e

        self.service.append(service_unit)


class groupe_thread:
    """Start one socket_test thread for every address in liste."""

    def __init__(self, liste):
        self.liste = liste

    def go(self):
        print "self.liste = ", self.liste
        for el in self.liste:
            print "go starting thread on : ", el
            s = socket_test(el)


# build the address list 192.168.3.1 .. 192.168.3.49 and scan it
liste = []
base = "192.168.3."
rang = range(1, 50)
for r in rang:
    add = base + str(r)
    liste.append(add)
a = groupe_thread(liste)
a.go()
print "the end (main) .."
 
Ben Sizer

seb said:
I need to write a scanner that tests all the IP addresses that respond on
a given port. ....
I am using winXP pro on a 2GHZ P4 and 512 MB.

If you have XP Service Pack 2, it cripples port-scanning as part of a
'security' fix. Broadly speaking, it limits the rate at which you can
make connections at the OS level; this will show up as event 4226 in
the Event Viewer if it affects you.
 
seb

Hi Ben,

I am indeed using XP SP2.
I have checked on the event viewer and I have not seen the event 4226.

Besides I also run on the same PC Angry IP scanner 2.21. Checking using
ethereal the ARP requests are all dispatched quite quickly (see my mail
above).

Thanks for the advice anyway.
Sebastien.
 
seb

Hi Ben,

I am indeed using XP SP2.

-------------------------
Some more info :
-------------------------

1)
I have checked on the event viewer and I have not seen the event 4226
while I have run the code sample above.

2)
I can still see this error (4226) recently in the log so that I must
have bumped against this limit trying to pull this off.

3)
I have installed today process explorer (from sysinternals).
I am not completely used to it but you can have a look at the TCP/IP
connections opened by the processes.
It appears that I always have 10 connections opened (and the IP
addresses progress during the scan from IP address 192.168.3.1 -> 254).

4)
Besides I also run on the same PC Angry IP scanner 2.21. Checking using
ethereal the ARP requests are all dispatched quite quickly (see my mail
above).

------------------------
NEW RESULT :
-----------------------

Something is limiting the TCP/IP connections from my python program at
10 maximum at the same time.
I do not see this limit in my code.
I did not bump into the 4226 error.

=> Where does this limit come from.
=> How can I overcome it.

Thanks for the advice anyway.
Sebastien.
 
kondal

Something is limiting the TCP/IP connections from my python program at
10 maximum at the same time.
I do not see this limit in my code.
I did not bump into the 4226 error.

=> Where does this limit come from.
=> How can I overcome it.

You can just edit it by creating a new key in the registry.

HKEY_LOCAL_MACHINE - SYSTEM - CurrentControlSet - Services -Tcpip -
Parameters

Create a DWORD key named "TcpNumConnections" and set the value to
00fffffe or 16777214.

-kondal
 
Ben Sizer

kondal said:
You can just edit it by creating a new key in the registry.

HKEY_LOCAL_MACHINE - SYSTEM - CurrentControlSet - Services -Tcpip -
Parameters

Create a DWORD key named "TcpNumConnections" and set the value to
00fffffe or 16777214.

That's the maximum number of connections, which is unlikely to be what
he's running up against. It's more likely the original poster is
hitting the max number of half-open connections, which is limited to 10
(exactly the figure he's seeing). Perhaps the 4226 event just isn't
appearing for some reason. I've had that myself sometimes.

There is an unofficial OS-level patch for this behaviour at this
address: http://www.lvllord.de/?lang=en&url=downloads

No idea if it works or if it's safe, but many people use it.
 
Steve Holden

Ben said:
That's the maximum number of connections, which is unlikely to be what
he's running up against. It's more likely the original poster is
hitting the max number of half-open connections, which is limited to 10
(exactly the figure he's seeing). Perhaps the 4226 event just isn't
appearing for some reason. I've had that myself sometimes.

There is an unofficial OS-level patch for this behaviour at this
address: http://www.lvllord.de/?lang=en&url=downloads

No idea if it works or if it's safe, but many people use it.

Is it relevant to point out that the ARP protocol is a connectionless
network-layer protocol, so it would seem a little bogus of the Microsoft
stack to apply TCP control parameters to it.

regards
Steve
 
Richard Brodie

Is it relevant to point out that the ARP protocol is a connectionless network-layer
protocol.

Not really, since the program uses normal TCP socket connections.
The feature is working exactly as designed - to slow down TCP scans.
The arp requests are just a consequence of the TCP scan.
 
Steve Holden

Richard said:
Not really, since the program uses normal TCP socket connections.
The feature is working exactly as designed - to slow down TCP scans.
The arp requests are just a consequence of the TCP scan.

Ah. Right. Now you mention that (and force me to read the code :) I see
it's a horizontal scan of the FTP service port, and the subject line is
really a misnomer. Thanks.

regards
Steve
 
seb

Thank you all for the reply,

**************
More tests :
***************

1) I tried to input the DWORD with the parameters and I did not see
any change (checked with process explorer). The limit of the
simultaneous connections is always 10.

2)
I have applied the patch from
http://www.lvllord.de/?lang=en&url=downloads .
I could see that this improved the simultaneous sockets up to roughly
50.
This is enough for me.

3)
Since during the scan the first protocol used (and packets captured) is
the ARP protocol, the subject may be indeed a misnomer.

************
Question :
*************
1)
I am not fully confident to apply the patch from
http://www.lvllord.de/?lang=en&url=downloads on computers other than
mine.
Is there another solution ?

2)
Still without the above patch on windows, the software "angry ip scan"
for example managed to open a lot more socket connections. How is
it possible ?

Regards.
Sebastien.
 
Ben Sizer

seb said:
I am not fully confident to apply the patch from
http://www.lvllord.de/?lang=en&url=downloads on computers other than
mine.

Fully understandable.

Is there another solution ?

I believe it is possible to overwrite the .dll that SP2 gives you with
the older one. Obviously you lose any other bug fixes or enhancements
Microsoft put in there. I don't remember the actual file in question,
sorry. And I don't suppose this is much more acceptable than the
previous 'solution'.
Still without the above patch on windows, the software "angry ip scan"
for example managed to open a lot more socket connections. How is
it possible ?

It sends an ICMP ping to each address first, meaning it doesn't have to
waste time on trying a TCP connection to a host that doesn't respond.
This leads to fewer half-open connections.

It may also be that it implements part of its own TCP/IP stack, and
accesses the ethernet card directly, but I don't know how practical
that is for you. Ethereal and nmap appear to do this; you might want to
browse their open source code, and/or ask on their mailing lists or
forums.
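Following Ben's point about half-open connections, here is an added example (mine, not code from any poster in the thread) of a sweep that keeps at most the 10 simultaneous half-open TCP connections XP SP2 allows and times each connect out, so a silent host releases its slot instead of holding it open; the 2-second timeout and the Python 3 API are my assumptions.

```python
# Added example (Python 3), not code from the thread: reachability sweep that
# respects the XP SP2 limit of 10 simultaneous half-open TCP connections
# discussed above, instead of starting one unbounded thread per address.
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

MAX_HALF_OPEN = 10       # the half-open limit reported in the thread
CONNECT_TIMEOUT = 2.0    # assumption: seconds before an unanswered SYN is dropped


def check_port(host, port, timeout=CONNECT_TIMEOUT):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (socket.timeout, OSError):
        # refused, unreachable or timed out: the host is not responding
        return False


def scan(hosts, port, max_half_open=MAX_HALF_OPEN, timeout=CONNECT_TIMEOUT):
    """Check every host on port with at most max_half_open connect() calls
    in flight at once.  Returns {host: bool}."""
    gate = threading.BoundedSemaphore(max_half_open)

    def guarded(host):
        with gate:                      # wait for a free half-open slot
            return host, check_port(host, port, timeout)

    with ThreadPoolExecutor(max_workers=max_half_open) as pool:
        return dict(pool.map(guarded, hosts))


def worst_case_seconds(n_hosts, max_half_open=MAX_HALF_OPEN, timeout=CONNECT_TIMEOUT):
    """Upper bound on a sweep in which no host answers: each batch of
    max_half_open addresses costs one full timeout."""
    batches = -(-n_hosts // max_half_open)   # ceiling division
    return batches * timeout


if __name__ == "__main__":
    # Constructed sample: the poster's ~200 addresses on port 21 need at
    # most 20 batches x 2 s = 40 s, inside the 60 s budget he asked for.
    print("worst case for 200 silent hosts:", worst_case_seconds(200), "s")
    for host, up in scan(["127.0.0.1"], 21).items():
        print(host, "open" if up else "closed")
```

The bound is per-process, so the 4226 event should not fire even on an unpatched SP2 machine, at the cost of the sweep time computed by worst_case_seconds.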
 