Nmap Development mailing list archives
Re: some nmap tools
From: "Akbar Ali" <kaber () aliansystems com>
Date: Sun, 7 Dec 2003 13:23:30 -0800
Might take a while to scan all those hosts, a lot of firewalls don't respond to requests and will just sit there.. And when you scan, be prepared for your logs to grow quite a bit, many servers will drop an icmp echo request to you after they get scanned.

-akbara. ;http://vertexabuse.cjb.net

----- Original Message -----
From: "testic+testic" <testic () testic demon co uk>
To: "nmap" <nmap-dev () insecure org>
Sent: Sunday, December 07, 2003 7:06 AM
Subject: Re: some nmap tools
was intrigued by the idea of scanning such a large number of hosts, especially doing all the scanning from a single machine. I did some quick calculations in order to get a perspective.

Assuming all TCP packets (SYN, ACK, FIN etc) are all the same size of 160 bits (20 bytes)...

We send a SYN packet to a remote port... If the remote port is 'open', ie a service is listening on that port, the sender will receive a SYN/ACK. If the port is 'filtered' the sender will receive an RST packet. If the port is 'closed' nothing at all will be received. In 'filtered' and 'closed' states the sender need send no more data at all.

Only in 'open' state does any further data need to be sent, in this state we will be sending a further ACK and also we need to close the connection, Nmap I believe will neatly close the connection using FIN. As far as I can tell this will result in FIN, CLOSE and FIN/ACK packets being sent and FIN/ACK and FIN packets being received. For simplicity I am assuming all these basic packets are the same size of 160 bits (20 bytes).

Assuming a remote host has 2 'open' ports and 2 'filtered' ports, and given that there are 1223 services in nmap-services this will result in:

1,223 SYN's being sent. (195,680 bits (24,460 bytes))
2 RST's being received ('filtered' ports) (320 bits (40 bytes))
2 SYN/ACK's received ('open' ports) (320 bits (40 bytes))
2 ACK's sent (final part of 3-way handshake) (320 bits (40 bytes))
2 x FIN, CLOSE and FIN/ACK sent (for closing the open connection) (a total of 960 bits (120 bytes))
2 x FIN/ACK and FIN received (for closing the open connection) (a total of 480 bits (60 bytes))

Total sent per host: 196960 bits (24620 bytes)
Total received per host: 1120 bits (140 bytes).

If there are 80,000 hosts to be scanned that is a grand total of 15756.8 million bits (1878.36 MB) being sent and 89.6 million bits (10.68 MB) being received. To put it another way, 98.48 million packets are sent and 640,000 are received. If this scan takes 10 hours to complete then 2735 packets are sent per second!

testic

PS, apologies for any errors :)

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org
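The back-of-the-envelope arithmetic in testic's message, and Akbar's point about target-side log growth, are easier to reason about as a small traffic-budget calculator. The following is an added example and is not code from the thread or from the Nmap project; it encodes the message's own assumptions (every bare TCP segment is 20 bytes, 1,223 ports from nmap-services, 2 open and 2 filtered ports per host, 80,000 hosts, a 10-hour run) as constructed inputs and reproduces its packet totals. Two caveats a reader should know: in Nmap's actual terminology a closed port answers with RST and a filtered port stays silent (the message has the two labels swapped, which does not change the totals because both states cost a single probe), and the message counts the two connection teardowns as four received packets in its packet total but only 60 bytes in its byte total, so this model, which counts all four at 20 bytes, reports 160 received bytes per host rather than 140.

```python
"""Traffic-budget model for a TCP SYN-style port scan (added example).

Everything here is constructed for illustration: the packet sizes and the
per-state exchange follow testic's message, the host count and duration are
the message's own figures, and no real target is involved.
"""
from dataclasses import dataclass

# Message assumption: every bare TCP segment (SYN, SYN/ACK, RST, FIN, ...) is 20 bytes.
PACKET_BYTES = 20

# Per-port exchange by port state, as the message models it:
#   (packets sent by the scanner, packets received from the target)
# Note: in Nmap's real terminology 'closed' answers RST and 'filtered' is silent;
# the message labels them the other way round, and the totals are identical.
EXCHANGE = {
    "open": (5, 3),      # SYN, ACK, then FIN + CLOSE + FIN/ACK ; SYN/ACK, FIN/ACK, FIN
    "filtered": (1, 1),  # SYN ; RST   (per the message)
    "closed": (1, 0),    # SYN ; nothing at all
}


@dataclass(frozen=True)
class TrafficBudget:
    packets_sent: int      # packets leaving the scanner
    packets_received: int  # packets coming back from targets

    @property
    def bytes_sent(self) -> int:
        return self.packets_sent * PACKET_BYTES

    @property
    def bytes_received(self) -> int:
        return self.packets_received * PACKET_BYTES

    def scaled(self, hosts: int) -> "TrafficBudget":
        """Budget for the same per-host profile repeated across `hosts` targets."""
        return TrafficBudget(self.packets_sent * hosts, self.packets_received * hosts)

    def packets_per_second(self, duration_s: float) -> float:
        """Average send rate needed to finish the scan in `duration_s` seconds."""
        return self.packets_sent / duration_s


def per_host_budget(ports_probed: int, open_ports: int, filtered_ports: int) -> TrafficBudget:
    """Packets exchanged with one host; every port not open or filtered is closed."""
    if open_ports < 0 or filtered_ports < 0 or open_ports + filtered_ports > ports_probed:
        raise ValueError("open + filtered ports must not exceed ports probed")
    counts = {
        "open": open_ports,
        "filtered": filtered_ports,
        "closed": ports_probed - open_ports - filtered_ports,
    }
    sent = sum(EXCHANGE[state][0] * n for state, n in counts.items())
    received = sum(EXCHANGE[state][1] * n for state, n in counts.items())
    return TrafficBudget(sent, received)


def mebibytes(n_bytes: int) -> float:
    return n_bytes / (1024 * 1024)


def estimate_scan(hosts: int, ports_probed: int, open_ports: int,
                  filtered_ports: int, duration_s: float) -> dict:
    """Whole-scan totals plus the per-target view that matters for log growth."""
    per_host = per_host_budget(ports_probed, open_ports, filtered_ports)
    total = per_host.scaled(hosts)
    return {
        "packets_sent": total.packets_sent,
        "packets_received": total.packets_received,
        "mib_sent": mebibytes(total.bytes_sent),
        "mib_received": mebibytes(total.bytes_received),
        "packets_per_second": total.packets_per_second(duration_s),
        # What each target's firewall sees: one inbound probe per port plus the
        # handshake/teardown on open ports. Each may become a log line (Akbar's point).
        "inbound_packets_per_target": per_host.packets_sent,
    }


if __name__ == "__main__":
    # The message's scenario: 80,000 hosts, 1,223 ports, 2 open + 2 filtered, 10 hours.
    result = estimate_scan(hosts=80_000, ports_probed=1223, open_ports=2,
                           filtered_ports=2, duration_s=10 * 3600)
    for key, value in result.items():
        print(f"{key:>28}: {value:,.2f}" if isinstance(value, float) else f"{key:>28}: {value:,}")
```

With the message's inputs this gives 98,480,000 packets sent, 640,000 received, about 1,878.36 MiB outbound and roughly 2,735 packets per second, matching the thread. The `inbound_packets_per_target` figure (1,231 here) is the useful number for the receiving side: it is the per-host packet count a perimeter device would log if it records every probe, which is why a scan of this scale shows up in target logs well before it shows up in the scanner's bandwidth graph.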
Current thread:
- some nmap tools MadHat (Dec 06)
- Re: some nmap tools Bo Cato (Dec 07)
- Re: some nmap tools MadHat (Dec 07)
- RE: some nmap tools Hasnain Atique (Dec 07)
- Re: some nmap tools MadHat (Dec 07)
- RE: some nmap tools Hasnain Atique (Dec 08)
- Re: some nmap tools MadHat (Dec 07)
- Re: some nmap tools Bo Cato (Dec 07)
- <Possible follow-ups>
- Re: some nmap tools testic+testic (Dec 07)
- Re: some nmap tools Akbar Ali (Dec 07)
- Re: some nmap tools Tristan Seligmann (Dec 09)
- Re: some nmap tools MadHat (Dec 09)