Nmap Development mailing list archives
Re: Scan 3 thousand host consume severals hour
From: Michael Hornung <hornung () cac washington edu>
Date: Sat, 7 Jan 2006 13:43:45 -0800 (PST)
On Tue, 20 Dec 2005 at 12:44, Andreas Ericsson wrote:
|Ricardo A. Reis wrote:
|>
|>>I would recommend that you find a better way of narrowing down the machines
|>>you have. For example, can you simply do a list scan of the machines on your
|>>network and then grep/awk for the appropriate entries to place into a hosts
|>>file which you can pass into nmap with -iL ...
|>
|> I also use -P0 because the XP firewall blocks ICMP; with this the scan is
|> slower.
|
|OTOH, if you don't send PING and scan 62000 hosts that just aren't there
|you'll end up sending a minimum of 62000 * 65535 packets that won't ever
|get a response. Needless to say, this is a big, fat waste of time.

It is a waste of time to use the ping test when the target host is actually down. It is also a waste of time to use the ping test against targets (e.g. default XP SP2) that you know will not respond to your ping, which happens to be the increasing majority of hosts, at least in my environment. Given my needs and those considerations, the ping test is flawed and is not used.

At my University one of the services we offer includes a weekly scan of all devices on the network at the time of the scan. I found out the hard way about various pitfalls associated with scanning several /16s and more, hoping a full TCP scan of ~60,000 responsive devices would finish in 24 hours or less.

One approach I have taken is to use -P0 to skip the ping test. Instead what I do is dump the ARP cache from our routers and then scan only those devices that are known to have talked on the network. Thanks to the proliferation of worms and viruses attempting to spread all over the place there is a slim chance that devices of the lowest common denominator will not have their IP and MAC in the router's ARP cache when they're on the network (i.e. a machine powered on and connected to the network is likely going to have talked on the network since the last time the ARP cache was cleared).

This approach allows me to scan all those devices I know to be on the network at the time of scanning, and no "Is the host up?" test is necessary. This process change alone dramatically increased overall scan performance. Of course mass parallelization and option tweaking have helped too.

I still haven't had a chance to deploy 3.96BETA1 (just started testing Friday) but thank you, Fyodor and Martin, for the continued optimization, including the new max retransmit option (no more modding scan_engine.cc before compiling!), and for the rate limit patch, respectively. When you know you're on a low latency network and have specific expectations of network performance, it is very nice to be able to dramatically reduce the max number of retransmits (not to mention host timeouts, etc).

_____________________________________________________
Michael Hornung
Computing & Communications
hornung () washington edu
University of Washington

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
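The ARP-cache approach described in the post above (dump the router's ARP table, keep only entries that have a resolved MAC, and hand the resulting IP list to nmap with -P0 and -iL so no ping test is run), as an added example that is not part of the original message or of nmap itself. The ARP text is a constructed sample in Cisco IOS "show ip arp" layout with made-up addresses; "Incomplete" rows are hosts the router queried but never heard from, which is exactly the class of dead host the post wants to avoid scanning. The nmap options are the ones the post discusses: -P0 (spelled -Pn in current releases) skips host discovery, and --max-retries is the later command-line name of the max retransmit option mentioned for 3.96BETA1; the scan itself is composed but not launched here.

```shell
#!/bin/sh
# Constructed sample of Cisco IOS "show ip arp" output (not real data).
# Note the duplicate 128.95.1.23 row and the "Incomplete" row for .40.
SAMPLE_ARP='Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  128.95.1.1              -   0000.0c07.ac01  ARPA   Vlan10
Internet  128.95.1.23             4   0011.2233.4455  ARPA   Vlan10
Internet  128.95.1.40             0   Incomplete      ARPA
Internet  128.95.2.17            12   00aa.bbcc.ddee  ARPA   Vlan20
Internet  128.95.1.23             4   0011.2233.4455  ARPA   Vlan10'

# arp_hosts: read "show ip arp" text on stdin and print one IP per line for
# every entry with a resolved hardware address. Header lines and
# "Incomplete" entries (router asked, nobody answered) are dropped, and the
# list is de-duplicated so a host seen on several interfaces is scanned once.
# LC_ALL=C keeps the ordering byte-wise regardless of the caller's locale.
arp_hosts() {
    awk '$1 == "Internet" && $4 != "Incomplete" { print $2 }' | LC_ALL=C sort -u
}

# build_scan_cmd: compose the nmap invocation the post describes. -P0 skips
# the ping test because the list is already known-live, -iL reads targets
# from the generated file, -p- is the full TCP port range, and --max-retries
# is capped low because the scanner sits on a low-latency campus network.
# -oA writes normal, grepable and XML output under the given basename.
build_scan_cmd() {
    hosts_file=$1
    printf 'nmap -P0 -sS -p- --max-retries 2 -iL %s -oA weekly-scan\n' "$hosts_file"
}

# Demonstration on the constructed sample: write the host list to a temp file
# and show the command that would be run (no packets are sent here).
hosts_file="${TMPDIR:-/tmp}/live-hosts.$$"
printf '%s\n' "$SAMPLE_ARP" | arp_hosts > "$hosts_file"
echo "live hosts from ARP cache: $(wc -l < "$hosts_file")"
build_scan_cmd "$hosts_file"
rm -f "$hosts_file"
```

In practice the ARP dump comes from the routers (via SSH, SNMP or a scheduled "show ip arp" capture) rather than a string, and the check worth keeping is the "Incomplete" filter: those rows look like hosts but are precisely the addresses that will never answer a port probe.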
Current thread:
- Re: Scan 3 thousand host consume severals hour Michael Hornung (Jan 07)
- Re: Scan 3 thousand host consume severals hour Arturo 'Buanzo' Busleiman (Jan 07)