robertdavidgraham / masscan

TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
GNU Affero General Public License v3.0

Not receiving packets with PF_RING #102

Open dadrian opened 10 years ago

dadrian commented 10 years ago
$ sudo ./bin/masscan -c scan.conf --echo
exclude.txt: excluding 807 ranges from file
rate =     100.00
randomize-hosts = true
seed = 13536124560216773452
shard = 1/1
# ADAPTER SETTINGS
adapter = dna1
adapter-ip = XXX.XXX.XXX.XXX
adapter-mac = 8b:36:9f:23:ab:22
router-mac = 4c:66:f2:28:fd:3f
# OUTPUT/REPORTING SETTINGS
output-format = list
show = open,,
output-filename = scan.out
rotate = 0
rotate-dir = .
rotate-offset = 0
rotate-filesize = 0
pcap =
# TARGET SELECTION (IP, PORTS, EXCLUDES)
ports = 80

capture = cert
nocapture = html
nocapture = heartbleed

min-packet = 60

Works fine without pf_ring on a regular interface. Other pf_ring applications work.

robertdavidgraham commented 10 years ago

Well, there appears to be a bug with "output-format = list". At least on my machine, I see now output with that configured. I don't know what, I'll debug.

Also, I see no target ranges specified, and I assume the "adapter-ip = XXX.XXX.XXX.XXX" is you editing the output of the echo command. Did you make any other changes?


robertdavidgraham commented 10 years ago

Try running with debug info enabled -dddddddddd. That should give low-level info about opening the PF_RING drivers.


robertdavidgraham commented 10 years ago

Oh, wait, never mind about "output-format = list". I was reading the config wrong.


dadrian commented 10 years ago

I just edited the IP. I've been manually specifying a /24 as the target on the command line.

dadrian commented 10 years ago

It looks like it's ignoring transmits?

$ sudo ./bin/masscan -c scan.conf -ddddddddddddddddd XXX.XXX.XXX.0/24
exclude.txt: excluding 807 ranges from file
pfring: initializing subsystem
pfring: looking for 'libpfring.so'
pfring: found 'libpfring.so'!
pfring: successfully loaded PF_RING API
pfring: found 'ixgbe' driver
pfring: found 'pf_ring' driver
pfring: found 'pf_ring' driver module
initializing adapter
pfring:'dna1': opening...

pfring:'dna1': successfully opened
pfring: version 5.6.1
pfring:'dna1': setting direction
pfring:'dna1': direction success
pfring:'dna1': activating
pfring:'dna1': successfully enabled
rawsock: ignoring transmits
rawsock: initialization done
adapter initialization done.

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2014-07-02 23:41:47 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 256 hosts [1 port/host]
xmit: starting transmit thread #0
recv: start receive thread #0
maxrate = 100.00,  0.00% done,   0:00:00 remaining, found=0
xmit: starting main loop: [0..256]
begin receive thread
Transmit thread done, waiting for receive thread to realize this
recv: end receive thread #0one, waiting 0-secs, found=0
xmit: stopping transmit thread #0
EXITING main thread00.00% done, waiting 0-secs, found=0

robertdavidgraham commented 10 years ago

Hmm. This may be the flushing bug.

PF_RING queues up packets to be sent, then sends them as a group. Unless I flush the queue at the end of a scan, the last few packets get queued but not sent. Since your range is tiny, I think they are all getting queued but not sent.

I fixed this bug once. It may have come back. Unfortunately, PF_RING support isn't part of the regression test.

Try a larger scan and see what happens.


dadrian commented 10 years ago

It looks like it was related to the flushing - I was able to get results scanning a /16.
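
The flushing behaviour discussed in this thread can be reproduced with a small model of a batched transmit queue. This is an added example, not code from masscan, PF_RING, or anyone in the thread; `BATCH_SIZE`, `txq_send`, `txq_flush` and `simulate_scan` are hypothetical names, and the batch threshold of 1000 is an assumed value chosen only to show why a /24 can send nothing while a /16 returns results.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed batch threshold for this model; the page does not give the real one. */
#define BATCH_SIZE 1000

struct tx_queue {
    size_t queued;   /* packets accepted but still waiting in the batch */
    size_t on_wire;  /* packets actually handed to the NIC */
};

/* Queue one packet; the batch is transmitted only once it is full. */
static void txq_send(struct tx_queue *q)
{
    q->queued++;
    if (q->queued == BATCH_SIZE) {
        q->on_wire += q->queued;
        q->queued = 0;
    }
}

/* Transmit whatever is still waiting, regardless of batch size. */
static void txq_flush(struct tx_queue *q)
{
    q->on_wire += q->queued;
    q->queued = 0;
}

/* One SYN per target; returns how many packets reached the wire. */
size_t simulate_scan(size_t targets, int flush_at_end)
{
    struct tx_queue q = {0, 0};
    for (size_t i = 0; i < targets; i++)
        txq_send(&q);
    if (flush_at_end)
        txq_flush(&q);   /* the step whose absence strands the tail */
    return q.on_wire;
}

int main(void)
{
    printf("/24, no flush: %zu of 256 sent\n", simulate_scan(256, 0));
    printf("/16, no flush: %zu of 65536 sent\n", simulate_scan(65536, 0));
    printf("/24, flushed:  %zu of 256 sent\n", simulate_scan(256, 1));
    printf("/16, flushed:  %zu of 65536 sent\n", simulate_scan(65536, 1));
    return 0;
}
```

In the unflushed /24 case the transmit loop completes normally and nothing is reported as an error, which matches the debug log above ending with `found=0`.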