
LAN scan


bob

May 16, 2013, 3:42:29 PM
So, I have a service that runs on port X on a machine.

I want to scan a subnet of 192.168.0.* and see what machines are running this service.

Right now, I'm basically spawning about 255 threads that each attempt to make a TCP connection to 192.168.0.whatever. Sometimes machines seem to not get spotted.

Any ideas why some machines don't get spotted?

Is there a better way to do this?

Thanks.

JJ

May 16, 2013, 5:51:16 PM
Either some of them don't run the service, or they're blocked by their
firewall. Try pinging them if ping is not also blocked by the firewall.

James Harris

May 17, 2013, 2:36:50 PM
On May 16, 8:42 pm, bob <b...@coolfone.comze.com> wrote:
> So, I have a service that runs on port X on a machine.
>
> I want to scan a subnet of 192.168.0.* and see what machines are running this service.
>
> Right now, I'm basically spawning about 255 threads that each attempt to make a TCP connection to 192.168.0.whatever.  Sometimes machines seem to not get spotted.
>
> Any ideas why some machines don't get spotted?

Hard to say without seeing the code.

Maybe you could save some debugging info from each thread and then
compare it with what you expect to see.

> Is there a better way to do this?

It depends on the language. If you are using a Unix shell here is
something that works well:

http://codewiki.wikispaces.com/ipscan.sh

It spawns a number of parallel pings then collates the results. Check
the explanation for details.

If you are writing in C or similar and you want to avoid the threads
you could use the select() call. That should make it fairly easy to
handle the response from each TCP connection open.

Here is another parallel pinger which uses select() rather than
separate threads or processes. This one is in Python:

http://codewiki.wikispaces.com/pingr.py

With select() I always try to deal with inputs first so as to free up
OS resources before I send out more requests. In your case this could
mean having an array of responses initially set to 0 and then have a
main loop along these lines

  loop
    select()
    if an input then set the array element to 1
      and tidy up resources
    else send out the next probe
  end loop

The loop would end once all responses had been received or had timed
out.

In practice I expect you would get very quick responses back from the
machines which had the service and the rest could take a long time.

The "send out the next probe" line for your requirement would probably
be a connect() call. It looks like you might need to be aware of
various issues related to resources (on the local and remote machines)
and timing. See

http://linux.die.net/man/2/connect

If you are doing this in a work environment some people might be
concerned about security if the probes show up in logs etc.

Spawning of threads or processes is possibly a bit expensive for what
you want to do unless you run into limits in the number of file
descriptors you can have open at one time.

James

James Harris

May 17, 2013, 6:39:06 PM
On May 17, 7:36 pm, James Harris <james.harri...@gmail.com> wrote:

...

Having replied I got wondering about how select() would work with
connect() and I found this which may be more help:

http://developerweb.net/viewtopic.php?id=3196

It talks about setting non-blocking and other things.

James
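
The select() loop and the non-blocking connect() discussed in the two replies above, as an added example that is not code from any poster in this thread. The function name `scan`, its parameters and the result labels are assumptions made here; POSIX select() semantics are assumed. It reports refused, unreachable and timed-out probes separately, which is what distinguishes a host without the service from one that a firewall is silently dropping.

```python
import errno
import select
import socket
import time

def scan(targets, timeout=1.0, max_inflight=64):
    """Probe (ip, port) pairs from one thread with non-blocking connect().

    Returns {target: state}; state is "open", "timeout", or an errno name
    such as "ECONNREFUSED" (host up, nothing listening) or "EHOSTUNREACH".
    max_inflight bounds open descriptors, keeping them under select()'s limit.
    """
    pending = list(targets)
    inflight = {}                      # socket -> (target, deadline)
    results = {}

    def finish(sock, err):
        target, _ = inflight.pop(sock)
        if err == 0:
            results[target] = "open"
        else:
            results[target] = errno.errorcode.get(err, str(err))
        sock.close()                   # free the descriptor before probing more

    while pending or inflight:
        # Send out the next probes, up to the window size.
        while pending and len(inflight) < max_inflight:
            target = pending.pop()
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.setblocking(False)
            inflight[sock] = (target, time.monotonic() + timeout)
            rc = sock.connect_ex(target)
            if rc not in (errno.EINPROGRESS, errno.EWOULDBLOCK):
                finish(sock, rc)       # completed or failed immediately
        if not inflight:
            continue
        # A connecting socket turns writable once the handshake succeeds or
        # fails; SO_ERROR says which.
        _, writable, _ = select.select([], list(inflight), [], 0.05)
        for sock in writable:
            finish(sock, sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR))
        # No SYN-ACK and no RST by the deadline: host down or packets dropped.
        now = time.monotonic()
        for sock in [s for s, (_, d) in inflight.items() if d <= now]:
            target, _ = inflight.pop(sock)
            results[target] = "timeout"
            sock.close()
    return results
```

For the subnet in the question the target list would be `[("192.168.0.%d" % i, port) for i in range(1, 255)]`, with `port` standing in for the service's port X.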