Re: Nmap host timeout inquiry

["ithilgore.ryu.L () gmail com" <ithilgore.ryu.l () gmail com>]

i tested the code with gdb and found out that it actually tracks each host
with its own timer. also i found that in the changelog of nmap:

  Host timeout system (--host_timeout) overhauled to support host
  parallelization.  Hosts times are tracked separately, so a host that
  finishes a SYN scan quickly is not penalized for an exceptionally
  slow host being scanned at the same time.


 From the above i deducted that nmap does indeed track each
host with its own timer and it does all of its scanning in parallel ( 
which means
host1 is scaned at the same time with host2 and so on)
 
However, if the target group is very long (like your network for 
example)  then
there is a limit in how many hosts are scanned at the same time (the network
resources are not abundant anyway ). Consequenty, the
last hosts on the list time out because they are waiting for their turn 
,idle for all this
time, and their timer begins from the momemt nmap began to execute.

I suppose if the above is true, sth could be done so that the idle targets
in a long list have their timer initiated at a later time and not in the 
beginning.

Though to be on the safe side, it would be best to have a dev's opinion 
on this.

ithilgore






Tommy May wrote:
> ithilgore:
>
> Thank you so much for your response.  Again, I am not an experienced developer by any means...
> But I am sort of able to follow the logic in the code that you sent, in relation to the comments provided.
>
> Perhaps hostl is expecting a more specific regex, or other pattern matching format for the vector to work 
> successfully?  (for example a specific IP address 10.0.0.1 versus example range 10.0.0.0-255 or 10.0.0.0/24... 
> depending on how the pattern matching works, it could miss a match somewhere?)
>
> Again... I am no developer here, so please forgive the ignorance.
>
> If anyone else has some insight I would greatly apprecite it as well.
>
> Thanks,
> Tommy
>
>
>  -------------- Original message ----------------------
> From: "ithilgore.ryu.L () gmail com" <ithilgore.ryu.l () gmail com>
>   
> > Tommy May wrote:
> >     
> > > Hello Nmap Folk:
> > >
> > > I am not an experienced developer, so please excuse my lack of knowledge on 
> > >       
> > the inner 
> >     
> > > mechanics.
> > >
> > > I have been trying to optimize nmap scans for host discovery and find that the 
> > > built in T4 option works awesome (after having played with all of the 
> > > customizable "rtt" options)... but I also would like to add the --host-timeout 
> > > parameter to speed up scans a little.
> > >
> > > details:
> > >
> > > I am using an input file (-iL) with entire /24 networks 
> > >
> > >  - default "nmap -sTU -T4 -P0" on a reasonably fast /24 netblock with stateful 
> > > firewall ruleset takes roughly 15 hours to complete, but its the most accurate 
> > > results I have been able to produce (measure - all hosts that are truly up, 
> > > result in the output file).
> > >
> > > - I have been able to complete a scan on the same network with "nmap -sTU -T4 
> > > -P0 --host-timeout 120m" in roughly 6 hours... but I notice that the second 
> > >       
> > half 
> >     
> > > of the netblock all times out... 
> > >
> > > This leads me to suspect that the "--host-timeout" parameter may apply to all 
> > >       
> > of the targets that you specifiy in the 
> >     
> > > input list, rather than just IP by IP?  This could explain why half of the 
> > >       
> > IP's 
> >     
> > > in the netblock timed out, when no timeout parameter catches all of the IP 
> > > addresses in the netblock.
> > >
> > > Are my suspicions correct or am I just shooting in the dark?  I would suppose 
> > > that I would have to do a separate IP by IP scan to allow the --host-timeout 
> > > parameter to work per IP?
> > >
> > > Any insight you may have as to how this parameter works in this way would be 
> > > greatly appreciated, and will better help me to discover the optimal settings.
> > >
> > > Sincerely,
> > > Tommy May
> > >
> > > _______________________________________________
> > > Sent through the nmap-dev mailing list
> > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > Archived at http://SecLists.Org
> > >   
> > >       
> > I actually noticed the behaviour u described, too.
> > Though i think the original intent was to have a host-timeout by each ip
> > as i figured out from the code:
> >
> > /* Start the timeout clocks of any targets that aren't already timedout */
> > static void startTimeOutClocks(vector<Target *> &Targets) {
> > struct timeval tv;
> > vector<Target *>::iterator hostI;
> >
> > gettimeofday(&tv, NULL);
> > for(hostI = Targets.begin(); hostI != Targets.end(); hostI++) {
> > if (!(*hostI)->timedOut(NULL))
> > (*hostI)->startTimeOutClock(&tv);
> > }
> > }
> >
> > since it uses a vector and each target has its own timeout.
> >
> > But what actually happens is what u described.
> > I reproduced it just now.
> > After specifying a host-timeout and scanning more than 1 host
> > then if the 1st host timeouts all of the rest timeout instantly.
> >
> > $nmap --host-timeout 15000 host1.com host2.com -P0
> > ....
> > ....
> > Connect Scan Timing: About 15.20% done; ETC: 14:19 (0:01:13 remaining)
> > xxx.xxx.xxx.xx1 timed out during Connect Scan (1 host left)
> > xxx.xxx.xxx.xx2 timed out during Connect Scan (0 hosts left)
> > Completed Connect Scan at 14:18, 15.11s elapsed (2 hosts timed out)
> > Host host1.com (xxx.xxx.xxx.xx1) appears to be up ... good.
> > Skipping host host1.com (xxx.xxx.xxx.xx1) due to host timeout
> >
> > Host host2.com (xxx.xxx.xxx.xx2) appears to be up ... good.
> > Skipping host host2.com (xxx.xxx.xxx.xx2) due to host timeout
> >
> >
> > I think Fyodor will know better as to what exactly happens or if this is 
> > actually a bug.
> >
> > ithilgore
> >
> >
> >
> >
> >
> >     
>
>   


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org