Nmap Development mailing list archives

RE: Performance Tuning NMAP


From: "Pritchard, Adam (IDS EUC EMEA)" <adam_pritchard () ml com>
Date: Tue, 21 Dec 2004 15:27:55 -0000

Hi Bill,

I have recently been working on a scanning service for my company. The
objective was to create a system that can successfully identify every
host on two class B networks (131,072 IPs). I have managed to scan all
of these IPs and identify them in ~18 hours using a single instance of
nmap on standard workstation hardware.

I managed to improve the scan times by performing a multi-threaded ping
sweep and entering only live hosts into a text file which is used for
nmap's input list (-iL).

The whole process looks like this in my log file:

[21/12/2004 15:19:13] Commencing scan on subnet xxx.xxx.xxx.0/24 to find live hosts
[21/12/2004 15:19:23] Written Nmap scan range(s) for 118 hosts from subnet xxx.xxx.xxx.0/24
[21/12/2004 15:19:23] Starting Nmap run, saving results to nmap_results.log
[21/12/2004 15:21:23] Nmap run completed in 00:02:00.39
[21/12/2004 15:21:25] Imported Nmap grep results from nmap_results.log
[21/12/2004 15:21:25] Commencing multi-threaded post checks
[21/12/2004 15:21:48] Completed post checks on 118 hosts in 00:00:23.20
[21/12/2004 15:21:51] Integrated scan results with master database

A whole class C network is scanned in just over two and a half minutes.

I have not looked into running multiple instances of nmap because I do
not wish to place unnecessarily large loads on the network and
particularly the subnet I am running the scan from.

Regards,
Adam

-----Original Message-----
From: Bill Petersen [mailto:bill.petersen () alcatel com] 
Sent: 17 December 2004 16:18
To: nmap-dev () insecure org
Subject: Performance Tuning NMAP


Hello,
A project I am working on will require me to scan over 1 million IPs 
monthly (yes, all owned by my company). I have acquired a dual Xeon 3GHz
system with 4GB of RAM for the job.  I plan to turn on -sV and -O to get
version and OS information in addition to 'is the machine up' and 
general port information. It will be running Fedora Core 3.

My questions are:
1. How would you tune this system for the task?
2. What options would you turn on / off at compile time?
3. How would you tune nmap at run time for the task?

In the past, threads within nmap have not helped me much.  I have 
actually used a perl script to help me maximize the throughput by 
running up to 190 concurrent nmaps (on a similarly configured machine).

I'd like to get away from that and have nmap take over the task.  Any 
suggestions?

Thanks for your input.

Regards,
Bill

-- 

Bill Petersen, CISSP
Senior Information Security Analyst
North American Information Security Group
Alcatel USA, Plano, Texas
972-519-4249 Voice
972-519-4830 FAX
Bill.Petersen () alcatel com 
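
Added example (not part of either message, and not the posters' code): the log in the reply above includes an "Imported Nmap grep results" step, so this sketch parses Nmap grepable (-oG) output into per-host records ready for an inventory database. The function name `parse_grepable`, the record layout and the sample lines are assumptions constructed for illustration; addresses come from the RFC 5737 documentation range.

```python
import re

# Constructed sample of grepable output (tab-separated fields per Host line).
SAMPLE_OG = """\
# Nmap run initiated as: nmap -iL live_hosts.txt -oG nmap_results.log
Host: 192.0.2.10 (web01.example.test)\tStatus: Up
Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http//Apache httpd/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.23 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows XP
# Nmap done: 2 IP addresses (2 hosts up) scanned
"""

# One port entry is seven slash-terminated fields:
# port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/[^/]*/[^/]*/")
HOST_RE = re.compile(r"Host: (\S+) \((.*)\)$")


def parse_grepable(text):
    """Return {ip: {"name", "os", "open_ports": [(port, proto, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip '#' comment lines and blanks
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue  # malformed Host field; ignore rather than guess
        ip, name = match.groups()
        # A host can appear on several lines (Status, then Ports); merge them.
        rec = hosts.setdefault(ip, {"name": name, "os": None, "open_ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                for port, state, proto, service in PORT_RE.findall(value):
                    if state == "open":
                        rec["open_ports"].append((int(port), proto, service))
            elif key == "OS":
                rec["os"] = value
    return hosts


if __name__ == "__main__":
    for ip, rec in sorted(parse_grepable(SAMPLE_OG).items()):
        print(ip, rec["name"] or "-", rec["os"] or "-", rec["open_ports"])
```
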