-
Notifications
You must be signed in to change notification settings - Fork 3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
d746f7a
commit 8048c57
Showing
4 changed files
with
82 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# Why is it not as fast as I expect? | ||
|
||
## Question | ||
|
||
Why is scanning speed only around 100,000 packets-per-second instead of a million packets-per-second? | ||
|
||
## Answer | ||
|
||
I don't know. | ||
|
||
If you have the latest Linux distro on the latest hardware, you can sometime | ||
see scanning speeds of 1 million packets-per-second, even when virtualized. | ||
|
||
However, sometimes you also see only 100,000 packets-per-second. | ||
|
||
I've spent a lot of time trying to diagnose this situation and cannot | ||
figure out what's going on. The box I use in a colo does 500,000 packets-per-second. | ||
A relatively slow machine in my home lab does 1.2 million packets-per-second. | ||
|
||
The speed is determined by the operating system. The amount of CPU used by `masscan` | ||
itself is insignificant. | ||
|
||
My theory is various configuration options within the operating system that can make | ||
packet tranmission very slow. Simple features that would not otherwise impact network | ||
stacks that run at lower rates become really important at high rates. | ||
|
||
One way around this is to install `PF_RING` and decidate a network adapter to packet | ||
transmission completely bypassing the operating system. In that case, packet transmission | ||
rates can reach 15 million packets-per-second. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
# Why are many results missing that I expect? | ||
|
||
# Question | ||
|
||
When I do a scan, results are missing that I know are there. | ||
They show up when I repeat the scan, but then others are missing. | ||
The faster I scan, the more results are missing. | ||
|
||
# Answer | ||
|
||
Network infrastructure does not like high rates of small packets. | ||
Even though they can handle high **bit-rates** then cannot handle | ||
high **packet-rates**. | ||
|
||
This is what makes `masscan` so unique. It transmits packets at rates | ||
far higher than other things can cope with. It often crashes networks. | ||
|
||
Therefore, the faster you transmit packets, the more it overloads network | ||
equipmen, causing the packets to be dropped, causing probes to fail. | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# How can I add my IP address to an exclude list so that people stop scanning me? | ||
|
||
# Question | ||
|
||
I hate everyone probing me all the time and want them to stop. | ||
How can I add my IP address ranges to an exclude list? | ||
|
||
# Answer | ||
|
||
You can't. | ||
|
||
First of all, nobody is going to pay attention to a sample exclude list | ||
within this project. Sure, I can add IP addresses to the list, but that | ||
won't help you. | ||
|
||
Second, there's no way I can confirm who you are. So I can't simply | ||
add to an exclude list just because you ask. | ||
|
||
Thirdly, it'll just make you more of a target, as smart hackers know to | ||
use the exclude-list as one of their first include-lists, as it marks | ||
people who have something to hide. | ||
|
||
Fourthly, and most importantly, it's Wrong Think on how to manage your | ||
network. | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
# FAQs (frequently asked questions) | ||
|
||
This directory contains some documents discussing frequently asked | ||
questions | ||
|
||
- 1 - [Why is it not as fast as I expect?](FAQ0001-slow.md) | ||
- 2 - [Why are many results missing that I expect?](FAQ0002-drops.md) | ||
- 3 - [How can I add my IPs to an official exlude list, to get people to stop scanning me?](FAQ0003-excludelist.md) |