Nmap Development mailing list archives
bandwidth consumption during scanning
From: "testic" <testic () testic demon co uk>
Date: Sun, 7 Dec 2003 18:42:53 -0000
Additional to my previous post regarding the amount of bandwidth/network strain used/caused during a typical scan, I ran Nmap against a machine on a local network in conjunction with tcpdump to see just how much data was generated. Nmap was run as follows and gave the following results:

  $ nmap -sT -O -sVVV -P0 -F -T5 10.10.1.10

  Starting nmap 3.48 ...
  Interesting ports on 10.10.1.10:
  (The 1210 ports scanned but not shown below are in state: closed)
  PORT     STATE SERVICE     VERSION
  139/tcp  open  netbios-ssn
  No exact OS matches for host ...
  TCP/IP fingerprint:
  (I will post this 'new' fingerprint later, it was win98 :) )

  Nmap run completed -- 1 IP address (1 host up) scanned in 30.116 seconds

I had a look in the Nmap man page to see exactly what 'closed' means, but I couldn't see a definition for it; defined were 'filtered', 'un-filtered' and 'open', perhaps my man page is an old one... I understand 'closed' to mean that no response at all was received from that particular port, which is strange because the target host in question is an un-firewalled Windows 98 machine which I believe would send an RST for ports which aren't fully open. Not that it really matters in this instance, it's just that ports that aren't fully open and do send a response to indicate that a connection won't be accepted would generate more data.

tcpdump (with -w) said:

  2480 packets received by filter
  0 packets dropped by kernel

The total size of the dumped file was 206,212 bytes and was a total of data both sent and received. Presumably more packet data would have been captured if more than one port was open.

If this scan had been run on 80,000 hosts all giving the same results the size of data would have been 15,733MB, that's 198.4 million packets.

Just out of interest I ran a few Nmap scans against the same machine with different options and measured the size of data; tcpdump was run with the same arguments each time:

  # A basic connect() scan.
  nmap -sT -P0 -F -T5 10.10.1.10                 198k

  # A basic connect() scan with OS detection.
  nmap -sT -P0 -F -T5 -O 10.10.1.10              201k

  # A basic connect() scan with lots of service probing (1 service found).
  nmap -sT -P0 -F -T5 -sVVV 10.10.1.10           198k

  # A basic connect() scan with lots of service probing (7 services found, 3 known, 4 unknown).
  # The same machine and everything, I just opened a few services.
  nmap -sT -P0 -F -T5 -sVVV 10.10.1.10           258k

  # A basic connect() scan with lots of service probing (3 services found, 0 unknown).
  # I closed the unknown services.
  nmap -sT -P0 -F -T5 -sVVV 10.10.1.10           209k

At this point it became apparent that programs on the target host had started crashing inexplicably so I thought it best to stop ;)

testic
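An added example, not part of the original post and not Nmap project code, showing how the measurement above can be taken from the tcpdump -w capture file itself rather than from tcpdump's summary line: a minimal libpcap parser that counts packets and wire bytes in each direction, tallies the target's SYN/ACK and RST replies (a closed port that answers with an RST shows up in the second counter), and scales one host's figures to many hosts the way the post does. The scanner/target addresses (10.10.1.5 / 10.10.1.10) and the six-frame capture are constructed sample data, not the poster's capture; the extrapolation uses 2^20-byte megabytes because that reproduces the post's 15,733 MB figure from 206,212 bytes x 80,000 hosts.

```python
"""Measure what a scan cost on the wire from a tcpdump -w capture (added example).

Assumptions (not from the original post): the capture is a classic libpcap
file with Ethernet link type, and the scanner's IPv4 address is known so that
sent and received bytes can be separated.
"""
import ipaddress
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
SYN, RST, ACK = 0x02, 0x04, 0x10


def tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (54 bytes, no options, no payload)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)  # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (24-byte global header, 16-byte record headers)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1070000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return (linktype, [(orig_len, frame_bytes), ...]) from a classic libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng / nanosecond variants not handled)")
    linktype = struct.unpack_from(e + "I", data, 20)[0]
    records, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        records.append((orig_len, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def summarize(data, scanner_ip):
    """Packets and bytes per direction, plus the target's SYN/ACK and RST replies."""
    linktype, records = parse_pcap(data)
    s = {"packets": 0, "wire_bytes": 0, "file_bytes": len(data),
         "sent_bytes": 0, "received_bytes": 0,
         "synack_from_target": 0, "rst_from_target": 0}
    for orig_len, frame in records:
        s["packets"] += 1
        s["wire_bytes"] += orig_len
        if linktype != LINKTYPE_ETHERNET or len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet: counted, but not attributed to a direction
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = str(ipaddress.IPv4Address(frame[26:30]))
        if src == scanner_ip:
            s["sent_bytes"] += orig_len
            continue
        s["received_bytes"] += orig_len
        if proto == 6 and len(frame) >= 14 + ihl + 14:
            flags = frame[14 + ihl + 13]  # TCP flags byte
            if flags & SYN and flags & ACK:
                s["synack_from_target"] += 1   # open port
            elif flags & RST:
                s["rst_from_target"] += 1      # closed port (answers, still costs bytes)
    return s


def extrapolate(packets, file_bytes, hosts):
    """Scale one host's figures to `hosts` identical hosts (MiB, matching the post's 15,733 MB)."""
    return {"packets": packets * hosts, "mib": file_bytes * hosts / 2 ** 20}


# Constructed sample capture: one open port (139) and one closed port (80).
SCANNER, TARGET = "10.10.1.5", "10.10.1.10"
SAMPLE_PCAP = build_pcap([
    tcp_frame(SCANNER, TARGET, 40001, 139, SYN),
    tcp_frame(TARGET, SCANNER, 139, 40001, SYN | ACK),
    tcp_frame(SCANNER, TARGET, 40001, 139, ACK),
    tcp_frame(SCANNER, TARGET, 40001, 139, RST | ACK),  # connect() scan tears the session down
    tcp_frame(SCANNER, TARGET, 40002, 80, SYN),
    tcp_frame(TARGET, SCANNER, 80, 40002, RST | ACK),   # closed port replies with RST
])

if __name__ == "__main__":
    # Real use: data = open("scan.pcap", "rb").read() after `tcpdump -w scan.pcap host 10.10.1.10`
    stats = summarize(SAMPLE_PCAP, SCANNER)
    print(stats)
    print(extrapolate(stats["packets"], stats["file_bytes"], 80000))
```

The per-direction split matters for the question the post raises: with tcpdump's own counters the poster could only see the total, whereas splitting by source address shows how much of the 200k is the scanner's own probes versus the target's RST/SYN-ACK answers, and the target-side counters make it obvious whether "closed" ports are silent or answering.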