getting quick arp request

seb
Hello,

****************
What I need :
****************

I need to write a scanner that tests all the IP addresses that respond on
a given port.
The IP list is roughly of length 200.
I need to get the response every 60 seconds (or better).

I would prefer first not to use nmap.

****************
Configuration :
*****************
Python 2.4.1.
To test what is going on I use ethereal.
I am using winXP pro on a 2GHZ P4 and 512 Mo.

***********
Problem :
***********

I tried to implement a simplistic threaded version where each thread is
opening a blocking socket on the IP and port.

I have monitored using ethereal that I get one arp query every second
roughly.

I am expecting a speed on the same order of magnitude as the one that
one can get from a standard IP/port scanner. To compare, I have used
angry Ip scanner and I have seen that roughly 200 arp requests were
sent in 20 seconds.

*******
Also :
*******

I have also considered using some asynchronous connection but AFAIK you
need first to open the socket and so to use the arp protocol.
Thanks in advance for your help.

Sebastien.

*****************
Code sample :
*****************

# Sebastien 6/9/2006 for testing purposes
# Python 2 code, as posted (Python 2.4.1)

import time
import Queue
from threading import *
import threading
import socket

# psyco is an optional speed-up; carry on without it if it is missing
try:
    import psyco
    psyco.full()
except ImportError:
    pass

class socket_test(Thread):
    def __init__(self, adresse):
        Thread.__init__(self)
        self.PORT = 21
        self.adresse = str(adresse)
        print "in thread adresse = ", self.adresse
        self.service = []
        self.start()

    def run(self):
        # one blocking TCP connect per thread
        service_unit = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        service_unit.setblocking(1)
        print "socket Ip = ", self.adresse

        try:
            service_unit.connect((str(self.adresse), self.PORT))
        except Exception, e:
            print "exception ", e

        self.service.append(service_unit)

class groupe_thread:

    def __init__(self, liste):
        self.liste = liste

    def go(self):
        print "self.liste = ", self.liste
        for el in self.liste:
            print "go starting thread on : ", el
            s = socket_test(el)


# build the address list 192.168.3.1 .. 192.168.3.49
liste = []
base = "192.168.3."
rang = range(1, 50)
for r in rang:
    add = base + str(r)
    liste.append(add)
a = groupe_thread(liste)
ut = a.go()
print "the end (main) .."

Sep 6 '06 #1
seb wrote:
> I need to write a scanner that tests all the IP addresses that respond on
> a given port.
> ....
> I am using winXP pro on a 2GHZ P4 and 512 Mo.

If you have XP Service Pack 2, it cripples port-scanning as part of a
'security' fix. Broadly speaking, it limits the rate at which you can
make connections at the OS level; this will show up as event 4226 in
the Event Viewer if it affects you.

--
Ben Sizer

Sep 6 '06 #2
seb
Hi Ben,

I am indeed using XP SP2.
I have checked on the event viewer and I have not seen the event 4226.

Besides I also run on the same PC angry Ip scanner 2.21. Checking using
ethereal the arp requests are all dispatched quite quickly (see my mail
above).

Thanks for the advice anyway.
Sebastien.


Ben Sizer wrote:
> seb wrote:
>> I need to write a scanner that tests all the IP addresses that respond on
>> a given port.
>> ...
>> I am using winXP pro on a 2GHZ P4 and 512 Mo.
>
> If you have XP Service Pack 2, it cripples port-scanning as part of a
> 'security' fix. Broadly speaking, it limits the rate at which you can
> make connections at the OS level; this will show up as event 4226 in
> the Event Viewer if it affects you.
>
> --
> Ben Sizer
Sep 6 '06 #3
seb
Hi Ben,

I am indeed using XP SP2.

-------------------------
Some more info :
-------------------------

1)
I have checked on the event viewer and I have not seen the event 4226
while I have run the code sample above.

2)
I can still see this error (4226) recently in the log so that I must
have bumped against this limit trying to pull this out.

3)
I have installed today process explorer (from sysinternals).
I am not completely used to it but you can have a look at the TCP/IP
connections opened by the processes.
It appears that I have always 10 connections opened (and the IP
addresses progress during the scan from IP address 192.168.3.1 -254).

4)
Besides I also run on the same PC angry Ip scanner 2.21. Checking using
ethereal the arp requests are all dispatched quite quickly (see my mail
above).

------------------------
NEW RESULT :
-----------------------

Something is limiting the TCP/IP connections from my python program at
10 maximum at the same time.
I do not see this limit in my code.
I did not bump into the 4226 error.

=Where does this limit come from.
=How can I overcome it.

Thanks for the advice anyway.
Sebastien.


Ben Sizer wrote:
> seb wrote:
>> I need to write a scanner that tests all the IP addresses that respond on
>> a given port.
>> ...
>> I am using winXP pro on a 2GHZ P4 and 512 Mo.
>
> If you have XP Service Pack 2, it cripples port-scanning as part of a
> 'security' fix. Broadly speaking, it limits the rate at which you can
> make connections at the OS level; this will show up as event 4226 in
> the Event Viewer if it affects you.
>
> --
> Ben Sizer
Sep 6 '06 #4
> Something is limiting the TCP/IP connections from my python program at
> 10 maximum at the same time.
> I do not see this limit in my code.
> I did not bump into the 4226 error.
>
> =Where does this limit come from.
> =How can I overcome it.

You can just edit it by creating a new key in the registry.

HKEY_LOCAL_MACHINE - SYSTEM - CurrentControlSet - Services -Tcpip -
Parameters

Create a DWORD key named "TcpNumConnections" and set the value to
00fffffe or 16777214.

-kondal

Sep 6 '06 #5
kondal wrote:
>> Something is limiting the TCP/IP connections from my python program at
>> 10 maximum at the same time.
>> I do not see this limit in my code.
>> I did not bump into the 4226 error.
>>
>> =Where does this limit come from.
>> =How can I overcome it.
>
> You can just edit it by creating a new key in the registry.
>
> HKEY_LOCAL_MACHINE - SYSTEM - CurrentControlSet - Services -Tcpip -
> Parameters
>
> Create a DWORD key named "TcpNumConnections" and set the value to
> 00fffffe or 16777214.

That's the maximum number of connections, which is unlikely to be what
he's running up against. It's more likely the original poster is
hitting the max number of half-open connections, which is limited to 10
(exactly the figure he's seeing). Perhaps the 4226 event just isn't
appearing for some reason. I've had that myself sometimes.

There is an unofficial OS-level patch for this behaviour at this
address: http://www.lvllord.de/?lang=en&url=downloads

No idea if it works or if it's safe, but many people use it.

--
Ben Sizer

Sep 7 '06 #6
Ben Sizer wrote:
> kondal wrote:
>>> Something is limiting the TCP/IP connections from my python program at
>>> 10 maximum at the same time.
>>> I do not see this limit in my code.
>>> I did not bump into the 4226 error.
>>>
>>> =Where does this limit come from.
>>> =How can I overcome it.
>>
>> You can just edit it by creating a new key in the registry.
>>
>> HKEY_LOCAL_MACHINE - SYSTEM - CurrentControlSet - Services -Tcpip -
>> Parameters
>>
>> Create a DWORD key named "TcpNumConnections" and set the value to
>> 00fffffe or 16777214.
>
> That's the maximum number of connections, which is unlikely to be what
> he's running up against. It's more likely the original poster is
> hitting the max number of half-open connections, which is limited to 10
> (exactly the figure he's seeing). Perhaps the 4226 event just isn't
> appearing for some reason. I've had that myself sometimes.
>
> There is an unofficial OS-level patch for this behaviour at this
> address: http://www.lvllord.de/?lang=en&url=downloads
>
> No idea if it works or if it's safe, but many people use it.

Is it relevant to point out that the ARP protocol is a connectionless
network-layer protocol, so it would seem a little bogus of the Microsoft
stack to apply TCP control parameters to it.

regards
Steve
--
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC/Ltd http://www.holdenweb.com
Skype: holdenweb http://holdenweb.blogspot.com
Recent Ramblings http://del.icio.us/steve.holden

Sep 7 '06 #7

"Steve Holden" <st***@holdenweb.com> wrote in message
news:ma*************************************@python.org...
> Is it relevant to point out that the ARP protocol is a connectionless network-layer
> protocol.

Not really, since the program uses normal TCP socket connections.
The feature is working exactly as designed - to slow down TCP scans.
The arp requests are just a consequence of the TCP scan.
Sep 7 '06 #8
Richard Brodie wrote:
> "Steve Holden" <st***@holdenweb.com> wrote in message
> news:ma*************************************@python.org...
>
>> Is it relevant to point out that the ARP protocol is a connectionless network-layer
>> protocol.
>
> Not really, since the program uses normal TCP socket connections.
> The feature is working exactly as designed - to slow down TCP scans.
> The arp requests are just a consequence of the TCP scan.

Ah. Right. Now you mention that (and force me to read the code :-) I see
it's a horizontal scan of the FTP service port, and the subject line is
really a misnomer. Thanks.

regards
Steve
--
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC/Ltd http://www.holdenweb.com
Skype: holdenweb http://holdenweb.blogspot.com
Recent Ramblings http://del.icio.us/steve.holden

Sep 7 '06 #9
seb
Thank you all for the reply,

**************
More tests :
***************

1) I tried to input the D-word with the parameters and I did not see
any change (checked with process explorer). The limit of
simultaneous connections is always 10.

2)
I have applied the patch from
http://www.lvllord.de/?lang=en&url=downloads .
I could see that this improved the simultaneous sockets up to roughly
50.
This is enough for me.

3)
Since during the scan the first protocol used (and packet captures) is
using the arp protocol, the subject may be indeed a misnomer.

************
Question :
*************
1)
I am not fully confident to apply the patch from
http://www.lvllord.de/?lang=en&url=downloads on computers other than
mine.
Is there another solution ?

2)
Still without the above patch on windows, the software "angry ip scan"
for example managed to output a lot more socket connections. How is
it possible ?

Regards.
Sebastien.

Steve Holden wrote:
> Richard Brodie wrote:
>> "Steve Holden" <st***@holdenweb.com> wrote in message
>> news:ma*************************************@python.org...
>>
>>> Is it relevant to point out that the ARP protocol is a connectionless network-layer
>>> protocol.
>>
>> Not really, since the program uses normal TCP socket connections.
>> The feature is working exactly as designed - to slow down TCP scans.
>> The arp requests are just a consequence of the TCP scan.
>
> Ah. Right. Now you mention that (and force me to read the code :-) I see
> it's a horizontal scan of the FTP service port, and the subject line is
> really a misnomer. Thanks.
>
> regards
> Steve
> --
> Steve Holden +44 150 684 7255 +1 800 494 3119
> Holden Web LLC/Ltd http://www.holdenweb.com
> Skype: holdenweb http://holdenweb.blogspot.com
> Recent Ramblings http://del.icio.us/steve.holden
Sep 7 '06 #10
seb wrote:
> I am not fully confident to apply the patch from
> http://www.lvllord.de/?lang=en&url=downloads on computers other than
> mine.

Fully understandable.

> Is there another solution ?

I believe it is possible to overwrite the .dll that SP2 gives you with
the older one. Obviously you lose any other bug fixes or enhancements
Microsoft put in there. I don't remember the actual file in question,
sorry. And I don't suppose this is much more acceptable than the
previous 'solution'.

> Still without the above patch on windows, the software "angry ip scan"
> for example managed to output a lot more socket connections. How is
> it possible ?

It sends an ICMP ping to each address first, meaning it doesn't have to
waste time on trying a TCP connection to a host that doesn't respond.
This leads to fewer half-open connections.

It may also be that it implements part of its own TCP/IP stack, and
accessing the ethernet card directly, but I don't know how practical
that is for you. Ethereal and nmap appear to do this; you might want to
browse their open source code, and/or ask on their mailing lists or
forums.

--
Ben Sizer

Sep 7 '06 #11
> 2)
> Still without the above patch on windows, the software "angry ip scan"
> for example managed to output a lot more socket connections. How is
> it possible ?

This "angry ip scan" thing is written in Java, perhaps you can find it
out from the source:

http://svn.sourceforge.net/viewvc/ip...t/azib/ipscan/
Sep 7 '06 #12
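
Added example (not code from any poster in this thread): the asynchronous approach seb asks about, written for Python 3 with non-blocking sockets and a cap on pending connection attempts, so that the number of half-open connections stays under the limit of 10 that Ben Sizer describes. The name probe_port and the parameters max_in_flight and timeout are assumptions made for this example.

```python
import errno
import selectors
import socket
import time

def probe_port(hosts, port, max_in_flight=8, timeout=1.0):
    """Return {host: bool}: True if a TCP connect to (host, port) succeeded.

    Never more than max_in_flight attempts are pending, so the count of
    half-open connections stays under the limit of 10 discussed above.
    """
    pending, results, in_flight = list(hosts), {}, {}
    sel = selectors.DefaultSelector()

    def finish(sock, is_open):
        host, _deadline = in_flight.pop(sock)
        results[host] = is_open
        sel.unregister(sock)
        sock.close()

    while pending or in_flight:
        # Top up the window of outstanding connection attempts.
        while pending and len(in_flight) < max_in_flight:
            host = pending.pop(0)
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.setblocking(False)
            rc = sock.connect_ex((host, port))
            if rc in (0, errno.EINPROGRESS, errno.EWOULDBLOCK):
                sel.register(sock, selectors.EVENT_WRITE)
                in_flight[sock] = (host, time.monotonic() + timeout)
            else:                      # refused or unreachable at once
                results[host] = False
                sock.close()
        if not in_flight:
            continue
        # A socket turns writable when its connect finishes or fails;
        # SO_ERROR tells which.
        for key, _events in sel.select(timeout=0.05):
            err = key.fileobj.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
            finish(key.fileobj, err == 0)
        # Give up on attempts that got no answer within the timeout.
        now = time.monotonic()
        for sock, (_host, deadline) in list(in_flight.items()):
            if now >= deadline:
                finish(sock, False)
    sel.close()
    return results

if __name__ == "__main__":
    # Constructed input: loopback only, FTP port as in the thread.
    print(probe_port(["127.0.0.1"], 21))
```

A short timeout matters as much as the cap: an address with no host behind it holds one of the pending slots until its attempt is abandoned.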