Nmap Development mailing list archives

Re: Scan 3 thousand host consume severals hour


From: Michael Hornung <hornung () cac washington edu>
Date: Sat, 7 Jan 2006 13:43:45 -0800 (PST)

On Tue, 20 Dec 2005 at 12:44, Andreas Ericsson wrote:

|Ricardo A. Reis wrote:
|> 
|>>I would recommend that you find a better way of narrowing down the machines
|>>you have. For example, can you simply do a list scan of the machines on your
|>>network and then grep/awk for the appropriate entries to place into a hosts
|>>file which you can pass into nmap with -iL ...
|> 
|>  I also use -P0 because the XP firewall blocks ICMP; with this the scan is
|> slower.
|
|OTOH, if you don't send PING and scan 62000 hosts that just aren't there 
|you'll end up sending a minimum of 62000 * 65535 packets that won't ever 
|get a response. Needless to say, this is a big, fat waste of time.

It is a waste of time to use the ping test when the target host is 
actually down.  It is also a waste of time to use the ping test against 
targets (e.g. default XP SP2) that you know will not respond to your ping, 
which happens to be the increasing majority of hosts, at least, in my 
environment.  Given my needs and those considerations, the ping test is 
flawed and is not used.

At my University one of the services we offer includes a weekly scan of 
all devices on the network at the time of the scan.  I found out the hard 
way about various pitfalls associated with scanning several /16s and more, 
hoping a full TCP scan of ~60,000 responsive devices would finish in 24 
hours or less.

One approach I have taken is to use -P0 to skip the ping test.  Instead 
what I do is dump the ARP cache from our routers and then scan only those 
devices that are known to have talked on the network.  Thanks to the 
proliferation of worms and virii attempting to spread all over the place 
there is a slim chance that devices of the lowest common denominator will 
not have their IP and MAC in the router's ARP cache when they're on the 
network (i.e. a machine powered on and connected to the network is likely 
going to have talked on the network since the last time the ARP cache was 
cleared).

This approach allows me to scan all those devices I know to be on the 
network at the time of scanning, and no "Is the host up?" test is 
necessary.  This process change alone dramatically increased overall scan 
performance.  Of course mass parallelization and option tweaking have 
helped too.

I still haven't had a chance to deploy 3.96BETA1 (just started testing 
Friday) but Thank You!! Fyodor and Martin for the continued optimization, 
including the new max retransmit option (no more modding scan_engine.cc 
before compiling!), and for the rate limit patch, respectively.  When you 
know you're on a low latency network and have specific expectations of 
network performance, it is very nice to be able to dramatically reduce the 
max number of retransmits (not to mention host timeouts, etc).

_____________________________________________________
 Michael Hornung          Computing & Communications 
 hornung () washington edu   University of Washington


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
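The post describes a concrete pipeline: dump the ARP cache from the routers, keep only the addresses that have actually talked, and feed that list to nmap with -iL and the ping test switched off. The script below is an added illustration of that pipeline, not a tool from the Nmap project or from the poster; the ARP dump is constructed in the style of a Cisco IOS `show ip arp` table, the scope list, age limit and output file name are assumptions, and the poster's own router and option details are not known from the page.

```python
"""Build an nmap -iL target list from router ARP tables (added example).

Everything here is an illustration written for this page: the ARP output
below is constructed, the scan scopes and file name are arbitrary, and the
parser only understands the Cisco IOS "show ip arp" layout shown.
"""
import ipaddress
import re

# Constructed sample of one router's ARP table.  Age "-" marks the router's
# own interface address; "Incomplete" marks an address the router asked for
# but never heard back from, i.e. a host that has not talked.
SAMPLE_ARP_DUMP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.2.3               12   0012.3456.789a  ARPA   Vlan100
Internet  10.1.2.1                -   000a.b1c2.d3e4  ARPA   Vlan100
Internet  10.1.2.5                0   Incomplete      ARPA
Internet  10.1.2.3                3   0012.3456.789a  ARPA   Vlan100
Internet  10.1.9.20             240   00aa.bbcc.ddee  ARPA   Vlan200
Internet  192.168.50.7            5   0011.2233.4455  ARPA   Vlan300
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+(?P<mac>\S+)"
)


def parse_arp_dump(text):
    """Yield (ip, age_minutes, mac) for each resolved entry in one ARP dump.

    Incomplete entries are skipped: no reply ever came back, so the address
    has not been seen on the wire and does not belong in the target list.
    """
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        mac = m.group("mac")
        if mac.lower() == "incomplete":
            continue
        age = None if m.group("age") == "-" else int(m.group("age"))
        yield ipaddress.ip_address(m.group("ip")), age, mac


def build_target_list(dumps, scopes, max_age=None, include_router_ifaces=False):
    """Merge several routers' dumps into a sorted, de-duplicated address list.

    dumps:    iterable of ARP table text, one per router
    scopes:   CIDR strings describing the networks you are responsible for;
              anything outside them is dropped even if a router saw it
    max_age:  drop entries older than this many minutes (None keeps all),
              so a very stale entry is not treated as a live host
    include_router_ifaces: keep the routers' own interface addresses
    """
    nets = [ipaddress.ip_network(s) for s in scopes]
    targets = set()
    for dump in dumps:
        for ip, age, _mac in parse_arp_dump(dump):
            if age is None and not include_router_ifaces:
                continue
            if max_age is not None and age > max_age:
                continue
            if any(ip in net for net in nets):
                targets.add(ip)
    return [str(ip) for ip in sorted(targets)]


def write_hosts_file(targets, path):
    """Write one address per line, the format nmap -iL expects."""
    with open(path, "w") as fh:
        fh.write("\n".join(targets) + "\n")
    return path


def nmap_command(hosts_path):
    """The invocation the post describes: no host discovery, listed hosts
    only.  -P0 is the spelling of that era; current nmap writes it -Pn."""
    return ["nmap", "-P0", "-iL", hosts_path]


if __name__ == "__main__":
    hosts = build_target_list([SAMPLE_ARP_DUMP], ["10.1.0.0/16"], max_age=60)
    out = write_hosts_file(hosts, "arp-hosts.txt")  # assumed file name
    print("\n".join(hosts))
    print(" ".join(nmap_command(out)))
```

Run against the constructed dump with a 10.1.0.0/16 scope, the list contains only 10.1.2.3 and 10.1.9.20 without an age limit (the router interface, the Incomplete entry, the duplicate and the out-of-scope address all drop out), and only 10.1.2.3 once entries older than an hour are excluded. The scope filter matters in practice: a campus router's ARP table can include addresses on links you do not own, and they should never reach the -iL file.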

