robertdavidgraham / masscan

TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
GNU Affero General Public License v3.0

masscan with --pfring #358

Open bml0aGlu opened 6 years ago

bml0aGlu commented 6 years ago

2: [/lib64/libc.so.6(+0x35270) [0x7fa620d58270]] ?? ??:0 1: [masscan() [0x40d9e5]] ?? ??:0

comozo commented 5 years ago

Hi,

I have similar issue. Can you please give some pointers ?

Running on Ubuntu 16.04 LTS PF_RING information:

filename:       /lib/modules/4.4.0-138-generic/kernel/net/pf_ring/pf_ring.ko
alias:          net-pf-27
version:        7.3.0
description:    Packet capture acceleration and analysis
author:         ntop.org
license:        GPL
srcversion:     394213E7FF0262EDEC50765
depends:
retpoline:      Y
vermagic:       4.4.0-138-generic SMP mod_unload modversions retpoline
parm:           min_num_slots:Min number of ring slots (uint)
parm:           perfect_rules_hash_size:Perfect rules hash size (uint)
parm:           enable_tx_capture:Set to 1 to capture outgoing packets (uint)
parm:           enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
parm:           enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
parm:           quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)
parm:           force_ring_lock:Set to 1 to force ring locking (automatically enable with rss) (uint)
parm:           enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog, 2 for more verbosity (uint)
parm:           transparent_mode:(deprecated) (uint)
PF_RING Version          : 7.3.0 (dev:342e61dfdb067447c512143dc8a812de1e3a5743)
Total rings              : 0

Standard (non ZC) Options
Ring slots               : 4096
Slot version             : 17
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

Thank you,

masscan -p53 XXXXXXXXXXX/32 --adapter-ip XXXXXXX --adapter-mac XXXXXXXXXX --router-mac XXXXXXXXX --adapter zc:XXXXXXXX --pfring
======================================================================
 Segmentation fault: please post this backtrace to:
 https://github.com/robertdavidgraham/masscan/issues
======================================================================
2: [/lib/x86_64-linux-gnu/libc.so.6(+0x354b0) [0x7ff2e97464b0]]
?? ??:0
1: [masscan() [0x412213]]
handle_segfault at /home/XXXXXXX/masscan/src/pixie-backtrace.c:35

foxx commented 4 years ago

Same issue here, trying to figure out why but not having much luck :/

=# ./bin/masscan -p 80 --adapter-mac "XXX" --adapter-ip XXX --router-mac "XXX"  --pfring -i zc:enp66s0f0 8.0.0.0/8
======================================================================
 Segmentation fault: please post this backtrace to:
 https://github.com/robertdavidgraham/masscan/issues
======================================================================
2: [/lib/x86_64-linux-gnu/libc.so.6(+0x37840) [0x7f9b6c1fa840]]
?? ??:0
1: [./bin/masscan(+0x157d2) [0x5622c96437d2]]
?? ??:0

mzpqnxow commented 4 years ago

To use pfring/zero-copy networking with masscan, the following three things are required, as laid out by the ntop documentation:

  1. The pf_ring kernel driver pf_ring.ko
  2. The pf_ring userspace library libpfring.so
  3. The zc driver specific to your NIC; your NIC must be an Intel NIC that is explicitly supported

The list of supported cards is available here

At the end of the day, you do not want to be loading the vanilla kernel driver for your card at all; you want to load only the _zc version.

I'm going to guess that you didn't read the documentation on ntop.org very carefully and are using the vanilla driver for your NIC. Try running this:

 $ lsmod | grep -E  '^(e1000e|igb|ixgbe|i40e|fm10k)_zc'
igb_zc                233472  0

If you get no results, then you do not have the PF_RING/zero-copy version of the NIC driver loaded. You may have the PF_RING framework module loaded in the kernel but without a zc NIC driver, that does nothing for you.

If you remove the _zc from the grep command, you will probably see the vanilla driver for your card. This is just the standard kernel driver that your distribution provided (or you provided, if you built your own kernel)

So, you need to follow the instructions from ntop.org more carefully and make sure that after building the userspace and generic pf_ring.ko kernel driver, you continue on to build the kernel driver for your NIC.

Good luck. If you follow the instructions and you're using a standard kernel, things should be very easy. Note you may need to work a little if you have a custom/patched kernel or a bleeding edge kernel you built from source that ntop doesn't officially support yet.

mzpqnxow commented 4 years ago

NOTE: You can also use masscan --iflist and you will see if a NIC has successfully been zc enabled:

 $ masscan --iflist
 0  eth0    (PF_RING ZC)
 1  any     (Pseudo-device that captures on all interfaces)
 2  lo  (PF_RING)
 3  nflog   (Linux netfilter log (NFLOG) interface)
 4  nfqueue     (Linux netfilter queue (NFQUEUE) interface)
 5  usbmon1     (USB bus number 1)
 6  usbmon2     (USB bus number 2)

mzpqnxow commented 3 years ago
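The two checks above (a `_zc` NIC driver present in `lsmod`, and the adapter showing up as `PF_RING ZC` in `masscan --iflist`) can be scripted as a preflight step so masscan is never launched with `--pfring` against a vanilla driver. The script below is an added example, not code from masscan or ntop; the `lsmod` and `--iflist` samples embedded in it are constructed from the output shown in this thread, and the `PFRING_PREFLIGHT_LIVE` / `IFACE` variables are this script's own conventions.

```shell
#!/bin/sh
# Added example (not part of masscan or PF_RING): check the PF_RING ZC
# prerequisites before running `masscan --pfring`.

# zc_driver_loaded: reads lsmod-style text on stdin; succeeds only if one of
# the ntop-supported Intel drivers is loaded in its _zc variant.
zc_driver_loaded() {
    grep -Eq '^(e1000e|igb|ixgbe|i40e|fm10k)_zc[[:space:]]'
}

# iflist_zc_status: reads `masscan --iflist` output on stdin and prints
# "zc", "pfring", "none" or "missing" for the interface named in $1.
iflist_zc_status() {
    awk -v want="$1" '
        $2 == want {
            if ($0 ~ /\(PF_RING ZC\)/) print "zc";
            else if ($0 ~ /\(PF_RING\)/) print "pfring";
            else print "none";
            found = 1; exit
        }
        END { if (!found) print "missing" }
    '
}

# pfring_preflight LSMOD_TEXT IFLIST_TEXT IFACE
# Returns 0 only when pf_ring.ko, a _zc NIC driver, and a ZC-enabled
# interface are all present; prints the first missing prerequisite otherwise.
pfring_preflight() {
    lsmod_text="$1"; iflist_text="$2"; iface="$3"

    if ! printf '%s\n' "$lsmod_text" | grep -q '^pf_ring[[:space:]]'; then
        echo "pf_ring.ko is not loaded"; return 1
    fi
    if ! printf '%s\n' "$lsmod_text" | zc_driver_loaded; then
        echo "no _zc NIC driver loaded (vanilla driver still in use?)"; return 1
    fi
    status=$(printf '%s\n' "$iflist_text" | iflist_zc_status "$iface")
    case "$status" in
        zc) echo "ok: $iface is PF_RING ZC; use --adapter zc:$iface --pfring"; return 0 ;;
        *)  echo "$iface reported as '$status', not PF_RING ZC"; return 1 ;;
    esac
}

# Constructed sample inputs modelled on the output quoted in this thread.
SAMPLE_LSMOD_GOOD='Module                  Size  Used by
igb_zc                233472  0
pf_ring               741376  1 igb_zc'

SAMPLE_LSMOD_BAD='Module                  Size  Used by
pf_ring               741376  0
igb                   233472  0'

SAMPLE_IFLIST=' 0  eth0    (PF_RING ZC)
 1  any     (Pseudo-device that captures on all interfaces)
 2  lo  (PF_RING)
 3  nflog   (Linux netfilter log (NFLOG) interface)
 4  nfqueue     (Linux netfilter queue (NFQUEUE) interface)
 5  usbmon1     (USB bus number 1)'

# Live mode (assumed convention of this script): PFRING_PREFLIGHT_LIVE=1 IFACE=eth0 sh preflight.sh
if [ "${PFRING_PREFLIGHT_LIVE:-0}" = "1" ]; then
    pfring_preflight "$(lsmod)" "$(masscan --iflist 2>/dev/null)" "${IFACE:-eth0}"
fi
```

Run it against the real system with `PFRING_PREFLIGHT_LIVE=1 IFACE=enp66s0f0 sh preflight.sh`; a non-zero exit means stop and finish the ntop driver build rather than reach for masscan's backtrace.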

FYI: I recently ran into this issue on one of my systems using the pre-packaged PF_RING (7.6, I think?).

Building from source fixed it. It was roughly the same issue: an immediate crash caused by dereferencing a NULL pointer. When I used strace to see what might be going on, I noticed that there was an ioctl() failing immediately before the crash. strace was unable to decode the ioctl code; I believe it was something internal to libpfring.so that called it.