faq

robertdavidgraham · Jan 25, 2021 · 8048c57 · 8048c57
1 parent d746f7a
commit 8048c57
Show file tree

Hide file tree

Showing 4 changed files with 82 additions and 0 deletions.
diff --git a/doc/faq/FAQ0001-slow.md b/doc/faq/FAQ0001-slow.md
@@ -0,0 +1,29 @@
+# Why is it not as fast as I expect?
+
+## Question
+
+Why is scanning speed only around 100,000 packets-per-second instead of a million packets-per-second?
+
+## Answer
+
+I don't know.
+
+If you have the latest Linux distro on the latest hardware, you can sometime
+see scanning speeds of 1 million packets-per-second, even when virtualized.
+
+However, sometimes you also see only 100,000 packets-per-second.
+
+I've spent a lot of time trying to diagnose this situation and cannot
+figure out what's going on. The box I use in a colo does 500,000 packets-per-second.
+A relatively slow machine in my home lab does 1.2 million packets-per-second.
+
+The speed is determined by the operating system. The amount of CPU used by `masscan`
+itself is insignificant.
+
+My theory is various configuration options within the operating system that can make
+packet tranmission very slow. Simple features that would not otherwise impact network
+stacks that run at lower rates become really important at high rates.
+
+One way around this is to install `PF_RING` and decidate a network adapter to packet
+transmission completely bypassing the operating system. In that case, packet transmission
+rates can reach 15 million packets-per-second.
diff --git a/doc/faq/FAQ0002-drops.md b/doc/faq/FAQ0002-drops.md
@@ -0,0 +1,20 @@
+# Why are many results missing that I expect?
+
+# Question
+
+When I do a scan, results are missing that I know are there.
+They show up when I repeat the scan, but then others are missing.
+The faster I scan, the more results are missing.
+
+# Answer
+
+Network infrastructure does not like high rates of small packets.
+Even though they can handle high **bit-rates** then cannot handle
+high **packet-rates**.
+
+This is what makes `masscan` so unique. It transmits packets at rates
+far higher than other things can cope with. It often crashes networks.
+
+Therefore, the faster you transmit packets, the more it overloads network
+equipmen, causing the packets to be dropped, causing probes to fail.
+
diff --git a/doc/faq/FAQ0003-excludelist.md b/doc/faq/FAQ0003-excludelist.md
@@ -0,0 +1,25 @@
+# How can I add my IP address to an exclude list so that people stop scanning me?
+
+# Question
+
+I hate everyone probing me all the time and want them to stop.
+How can I add my IP address ranges to an exclude list?
+
+# Answer
+
+You can't.
+
+First of all, nobody is going to pay attention to a sample exclude list
+within this project. Sure, I can add IP addresses to the list, but that
+won't help you.
+
+Second, there's no way I can confirm who you are. So I can't simply
+add to an exclude list just because you ask.
+
+Thirdly, it'll just make you more of a target, as smart hackers know to
+use the exclude-list as one of their first include-lists, as it marks
+people who have something to hide.
+
+Fourthly, and most importantly, it's Wrong Think on how to manage your
+network.
+
diff --git a/doc/faq/README.md b/doc/faq/README.md
@@ -0,0 +1,8 @@
+# FAQs (frequently asked questions)
+
+This directory contains some documents discussing frequently asked
+questions
+
+ - 1 - [Why is it not as fast as I expect?](FAQ0001-slow.md)
+ - 2 - [Why are many results missing that I expect?](FAQ0002-drops.md)
+ - 3 - [How can I add my IPs to an official exlude list, to get people to stop scanning me?](FAQ0003-excludelist.md)