Nmap Development mailing list archives
Re: Nmap host timeout inquiry
From: "ithilgore.ryu.L () gmail com" <ithilgore.ryu.l () gmail com>
Date: Sun, 27 Jan 2008 04:39:32 -0800
I tested the code with gdb and found out that it actually tracks each host with its own timer. I also found this in the nmap changelog:

    Host timeout system (--host_timeout) overhauled to support host parallelization. Host times are tracked separately, so a host that finishes a SYN scan quickly is not penalized for an exceptionally slow host being scanned at the same time.

From the above I deduced that nmap does indeed track each host with its own timer and does all of its scanning in parallel (which means host1 is scanned at the same time as host2 and so on). However, if the target group is very long (like your network, for example) then there is a limit on how many hosts are scanned at the same time (the network resources are not abundant anyway). Consequently, the last hosts on the list time out because they are waiting for their turn, idle all this time, while their timer runs from the moment nmap began to execute.

I suppose, if the above is true, something could be done so that the idle targets in a long list have their timer started at a later time and not at the beginning. Though to be on the safe side, it would be best to have a dev's opinion on this.

ithilgore

Tommy May wrote:
ithilgore: Thank you so much for your response. Again, I am not an experienced developer by any means... But I am sort of able to follow the logic in the code that you sent, in relation to the comments provided. Perhaps hostI is expecting a more specific regex, or other pattern-matching format, for the vector to work successfully? (For example, a specific IP address 10.0.0.1 versus a range such as 10.0.0.0-255 or 10.0.0.0/24... depending on how the pattern matching works, it could miss a match somewhere?) Again... I am no developer here, so please forgive the ignorance. If anyone else has some insight I would greatly appreciate it as well.

Thanks,
Tommy

-------------- Original message ----------------------
From: "ithilgore.ryu.L () gmail com" <ithilgore.ryu.l () gmail com>

Tommy May wrote:

Hello Nmap Folk:

I am not an experienced developer, so please excuse my lack of knowledge on the inner mechanics. I have been trying to optimize nmap scans for host discovery and find that the built-in T4 option works awesome (after having played with all of the customizable "rtt" options)... but I also would like to add the --host-timeout parameter to speed up scans a little.

Details: I am using an input file (-iL) with entire /24 networks.
- Default "nmap -sTU -T4 -P0" on a reasonably fast /24 netblock with a stateful firewall ruleset takes roughly 15 hours to complete, but it gives the most accurate results I have been able to produce (measure: all hosts that are truly up appear in the output file).
- I have been able to complete a scan on the same network with "nmap -sTU -T4 -P0 --host-timeout 120m" in roughly 6 hours... but I notice that the second half of the netblock all times out...

This leads me to suspect that the "--host-timeout" parameter may apply to all of the targets that you specify in the input list, rather than just IP by IP? This could explain why half of the IPs in the netblock timed out, when no timeout parameter catches all of the IP addresses in the netblock.

Are my suspicions correct or am I just shooting in the dark? I would suppose that I would have to do a separate IP-by-IP scan to allow the --host-timeout parameter to work per IP? Any insight you may have as to how this parameter works in this way would be greatly appreciated, and will better help me to discover the optimal settings.

Sincerely,
Tommy May

I actually noticed the behaviour you described, too. Though I think the original intent was to have a host timeout for each IP, as I figured out from the code:

    /* Start the timeout clocks of any targets that aren't already timedout */
    static void startTimeOutClocks(vector<Target *> &Targets) {
      struct timeval tv;
      vector<Target *>::iterator hostI;

      gettimeofday(&tv, NULL);
      for (hostI = Targets.begin(); hostI != Targets.end(); hostI++) {
        if (!(*hostI)->timedOut(NULL))
          (*hostI)->startTimeOutClock(&tv);
      }
    }

since it uses a vector and each target has its own timeout. But what actually happens is what you described. I reproduced it just now. After specifying a host-timeout and scanning more than one host, if the first host times out then all of the rest time out instantly.

    $nmap --host-timeout 15000 host1.com host2.com -P0
    ....
    ....
    Connect Scan Timing: About 15.20% done; ETC: 14:19 (0:01:13 remaining)
    xxx.xxx.xxx.xx1 timed out during Connect Scan (1 host left)
    xxx.xxx.xxx.xx2 timed out during Connect Scan (0 hosts left)
    Completed Connect Scan at 14:18, 15.11s elapsed (2 hosts timed out)
    Host host1.com (xxx.xxx.xxx.xx1) appears to be up ... good.
    Skipping host host1.com (xxx.xxx.xxx.xx1) due to host timeout
    Host host2.com (xxx.xxx.xxx.xx2) appears to be up ... good.
    Skipping host host2.com (xxx.xxx.xxx.xx2) due to host timeout

I think Fyodor will know better as to what exactly happens or if this is actually a bug.

ithilgore
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
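The following is an added example, not nmap source code and not part of the thread: a simplified C++ model of the hypothesis raised above, that every target has its own timeout clock (as in the startTimeOutClocks() snippet) but only a bounded number of hosts are scanned at once, so whether the clock starts when the whole group starts or when a host actually begins being scanned decides how many hosts at the tail of a long list time out. The batch scheduling, the uniform 60 s per host, the parallelism of 16 and the 300 s timeout are all constructed assumptions for illustration, not measurements of nmap.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified model of the situation described in the thread (added example,
// not nmap source): every target carries its own timeout clock, as in nmap's
// startTimeOutClocks(), but only `parallelism` hosts are scanned at once, so
// the rest of a long list sits idle until a slot frees up.
struct Target {
    double scanSeconds;  // assumed time the host needs once scanning starts
};

// When does a target's timeout clock start ticking?
enum class ClockPolicy {
    AtGroupStart,  // all clocks start when the whole group starts (the hypothesis in the thread)
    AtScanStart    // a clock starts only when that host actually begins scanning
};

struct Result {
    std::size_t timedOut;  // hosts that hit --host-timeout
    double elapsed;        // simulated wall-clock seconds for the whole list
};

// Build a uniform target list, e.g. one /24 of identical hosts (constructed input).
std::vector<Target> makeTargets(std::size_t count, double scanSeconds) {
    return std::vector<Target>(count, Target{scanSeconds});
}

// Walk the list in batches of `parallelism`. Hosts in a batch run concurrently;
// the batch ends when its slowest surviving host finishes. A host whose remaining
// budget is smaller than the time it needs is counted as timed out and only
// consumes whatever budget it had left (zero if its clock already expired).
Result simulate(const std::vector<Target>& targets, double hostTimeout,
                std::size_t parallelism, ClockPolicy policy) {
    double now = 0.0;
    std::size_t timedOut = 0;
    for (std::size_t i = 0; i < targets.size(); i += parallelism) {
        std::size_t end = std::min(i + parallelism, targets.size());
        double batchDuration = 0.0;
        for (std::size_t j = i; j < end; ++j) {
            double clockStart = (policy == ClockPolicy::AtGroupStart) ? 0.0 : now;
            double budget = hostTimeout - (now - clockStart);  // seconds left before host timeout
            double used = targets[j].scanSeconds;
            if (used > budget) {  // host cannot finish inside its remaining budget
                ++timedOut;
                used = std::max(0.0, budget);
            }
            batchDuration = std::max(batchDuration, used);
        }
        now += batchDuration;
    }
    return Result{timedOut, now};
}

int main() {
    // Constructed scenario: a /24 (256 hosts), 60 s of work per host,
    // 16 hosts scanned in parallel, --host-timeout of 300 s.
    std::vector<Target> hosts = makeTargets(256, 60.0);
    Result group = simulate(hosts, 300.0, 16, ClockPolicy::AtGroupStart);
    Result scan  = simulate(hosts, 300.0, 16, ClockPolicy::AtScanStart);
    std::printf("clock at group start: %zu timed out, %.0f s elapsed\n",
                group.timedOut, group.elapsed);
    std::printf("clock at scan start:  %zu timed out, %.0f s elapsed\n",
                scan.timedOut, scan.elapsed);
    return 0;
}
```

With the clock started at group start, only the first five batches (80 hosts) complete before every later host's budget is already zero the moment it is reached, so the remaining 176 hosts are skipped without being scanned, which is the "second half of the netblock times out" pattern in the thread. Starting each clock when the host is actually picked up gives every host its full budget and no timeouts, at the cost of the full scan time.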
Current thread:
- Nmap host timeout inquiry Tommy May (Jan 09)
- Re: Nmap host timeout inquiry ithilgore.ryu.L () gmail com (Jan 24)
- <Possible follow-ups>
- Re: Nmap host timeout inquiry Tommy May (Jan 24)
- Re: Nmap host timeout inquiry ithilgore.ryu.L () gmail com (Jan 26)