robertdavidgraham / masscan

TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
GNU Affero General Public License v3.0

No icmp results when scanning slowly #420

Open BeanBagKing opened 5 years ago

BeanBagKing commented 5 years ago

This is odd, I started typing this believing that it was simply when a large number of hosts were being scanned. However, I then found out the same behavior is exhibited when a single host is scanned, but it is done at a slow rate. It seems to be a slow rate/host that results in no ICMP discoveries.

I have a scan I have been running against my address space. When targeting a single host, I get back the expected ICMP result (Ports: 0/open/icmp////). However, when running the exact same scan, but using more than one host, e.g. either a CIDR block (/24), an input list (-iL), or even an individual listing of multiple hosts, I do not get back any ICMP results.

# masscan_discovery.conf only contains the ports = directive, with a large number of ports, including I:0

# This scan works, and returns the expected result ("port" 0 open, icmp)
masscan -c masscan_discovery.conf --open --rate 3500 192.168.1.23 -oG temp1.txt

# None of the below have any icmp results. As far as I can tell, the only difference is the number of hosts being scanned.
masscan -c masscan_discovery.conf --open --rate 3500 192.168.1.0/24 -oG temp2.txt
masscan -c masscan_discovery.conf --open --rate 3500 -iL ip_range.txt -oG temp3.txt
masscan -c masscan_discovery.conf --open --rate 3500 192.168.1.23 192.168.1.24 -oG temp4.txt

[root@rhel7:~]# grep icmp temp1.txt | wc -l
1
[root@rhel7:~]# grep icmp temp2.txt | wc -l
0
[root@rhel7:~]# grep icmp temp3.txt | wc -l
0
[root@rhel7:~]# grep icmp temp4.txt | wc -l
0

Next, here's what happens when I try the scan at different rates. Note that the first scan is running at the default rate of 100pps, and the second scan is running at 3500pps (at 1409 ports, and 1 host, it's basically fire-hosing it).

[root@rhel7:~/]# masscan -c masscan_discovery.conf --ping --open 192.168.1.23

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2019-05-06 17:48:06 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [1409 ports/host]
Discovered open port 139/tcp on 192.168.1.23
Discovered open port 445/tcp on 192.168.1.23
Discovered open port 3389/tcp on 192.168.1.23
Discovered open port 135/tcp on 192.168.1.23
[root@rhel7:~/]#
[root@rhel7:~/]# masscan -c masscan_discovery.conf --ping --rate 3500 --open 192.168.1.23

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2019-05-06 17:48:53 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [1409 ports/host]
Discovered open port 3389/tcp on 192.168.1.23
Discovered open port 0/icmp on 192.168.1.23
Discovered open port 135/tcp on 192.168.1.23
Discovered open port 139/tcp on 192.168.1.23
Discovered open port 445/tcp on 192.168.1.23

Edit: forgot...

[root@rhel7:~]# masscan -V

Masscan version 1.0.6 ( https://github.com/robertdavidgraham/masscan )
Compiled on: May  6 2019 14:56:14
Compiler: gcc 4.8.5 20150623 (Red Hat 4.8.5-36)
OS: Linux
CPU: unknown (64 bits)
GIT version: 1.0.5-74-g3020e24
[root@rhel7:~]# masscan --regress
regression test: success!

Also, I noticed that when you use --echo, it corresponds to a "port" scan of I:0 (which is why I used it in my conf), when you --arp, you get I:2. Is there an I:1, or an I:3?
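The reporter compares runs with `grep icmp file | wc -l`. The following is an added example (not code from the masscan project or from this issue) that does the same comparison more carefully: it parses masscan's grepable `-oG` output per host, tallies hits per protocol, and lists hosts that answered on TCP but produced no ICMP entry, which is the symptom described above. The two input files are constructed samples whose lines follow the `Ports: 0/open/icmp////` shape quoted in the post, with one port tuple per `Host:` line; the exact banner lines and the assumption that ICMP is reported as port 0 are taken from the issue.

```python
"""Tally masscan grepable (-oG) results per protocol and flag hosts with no ICMP hit.

Added example; not part of masscan or of this issue. The line shape
"Timestamp: ...\tHost: <ip> ()\tPorts: <port>/<state>/<proto>////" is assumed
from the sample "Ports: 0/open/icmp////" in the bug report.
"""
import re
from collections import Counter, defaultdict

# Each port tuple looks like "445/open/tcp////"; several may follow "Ports:".
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")
HOST_RE = re.compile(r"Host:\s+(\S+)")

# Constructed samples standing in for temp1.txt (single host) and temp2.txt (/24).
SINGLE_HOST_RUN = """\
# Masscan 1.0.6 scan initiated (constructed sample)
Timestamp: 1557164886\tHost: 192.168.1.23 ()\tPorts: 0/open/icmp////
Timestamp: 1557164886\tHost: 192.168.1.23 ()\tPorts: 445/open/tcp////
Timestamp: 1557164886\tHost: 192.168.1.23 ()\tPorts: 3389/open/tcp////
# Masscan done
"""

SUBNET_RUN = """\
# Masscan 1.0.6 scan initiated (constructed sample)
Timestamp: 1557164900\tHost: 192.168.1.23 ()\tPorts: 445/open/tcp////
Timestamp: 1557164900\tHost: 192.168.1.23 ()\tPorts: 3389/open/tcp////
Timestamp: 1557164901\tHost: 192.168.1.24 ()\tPorts: 22/open/tcp////
# Masscan done
"""


def parse_grepable(text):
    """Return {host: {(port, state, proto), ...}} from masscan -oG text."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        if line.startswith("#") or "Ports:" not in line:
            continue  # banner / trailer lines carry no results
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        ports_field = line.split("Ports:", 1)[1]
        for port, state, proto in PORT_RE.findall(ports_field):
            hosts[host].add((int(port), state, proto))
    return dict(hosts)


def count_by_proto(results):
    """Hits per protocol across all hosts, e.g. Counter({'tcp': 2, 'icmp': 1})."""
    counts = Counter()
    for entries in results.values():
        for _port, _state, proto in entries:
            counts[proto] += 1
    return counts


def hosts_missing_icmp(results):
    """Hosts that answered on TCP (so they are up) but have no icmp entry."""
    missing = []
    for host, entries in results.items():
        protos = {proto for _port, _state, proto in entries}
        if "tcp" in protos and "icmp" not in protos:
            missing.append(host)
    return sorted(missing)


def compare_runs(run_a, run_b):
    """Summarise two -oG files the way the reporter's grep/wc comparison does."""
    a, b = parse_grepable(run_a), parse_grepable(run_b)
    return {
        "icmp_hits": (count_by_proto(a)["icmp"], count_by_proto(b)["icmp"]),
        "tcp_hits": (count_by_proto(a)["tcp"], count_by_proto(b)["tcp"]),
        "hosts_up_without_icmp": (hosts_missing_icmp(a), hosts_missing_icmp(b)),
    }


if __name__ == "__main__":
    for key, value in compare_runs(SINGLE_HOST_RUN, SUBNET_RUN).items():
        print(f"{key}: single-host={value[0]} subnet={value[1]}")
```

Run it against real `-oG` files by reading them into the two strings; a non-empty `hosts_up_without_icmp` list for a run that used `I:0` is the quickest way to see whether ICMP coverage dropped between the single-host and multi-host runs.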

fengchuan1021 commented 4 years ago

I got almost the same question. When the program is running in the front terminal, it prints pretty many results; when running in the background, it has few results. So odd. I recommend that you use scamper to ping.