Nmap Development mailing list archives
Re: New option: --min-rate for minimum-rate scanning
From: David Fifield <david () bamsoftware com>
Date: Thu, 3 Apr 2008 08:46:44 -0600
On Thu, Apr 03, 2008 at 11:14:19AM -0300, eldraco wrote:
Hi list, I was trying --min-rate parameter, so here are my results... First of all, the "Overall sending rates" are not written in the output file, if we can have them there it would be wonderful!
I'm not sure about that. The overall sending rate figure is misleading, because it includes time when Nmap has nothing to do, like at the end of the scan while it's waiting for probes to time out. That's why I relegated it to a debugging option. It may cause too many problems to print a misleading number. I'm open to UI suggestions for ways to fix this.
1- Test one: Standard Nmap
nmap -sS -F -n -v xx.xx.xx.xx -oN test1-normal -d
Overall sending rates: 158.87 packets / s, 6990.42 bytes / s.
1 IP address (1 host up) scanned in 8.545 seconds
Note: No open ports missed

2- Test two: nmap with --max-retries 0
nmap -sS -F -n -v xx.xx.xx.xx -oN test1-normal-max-retries-0 -d --max-retries 0
Overall sending rates: 324.29 packets / s, 14268.56 bytes / s.
1 IP address (1 host up) scanned in 4.081 seconds
Note: Two open ports missed

3- Test three: With --min-rate 500 alone
nmap -sS -F -n -v xx.xx.xx.xx -oN test3-min-rate-500 -d --min-rate 500
Overall sending rates: 478.74 packets / s, 21064.44 bytes / s.
1 IP address (1 host up) scanned in 5.117 seconds
Note: No ports missed
Here's an example of what I'm talking about. You asked for a rate of 500, but Nmap prints a rate of 478.74. There was probably 200 ms of idle time at the end of the scan. 200 ms may not seem like a lot, but it's roughly 4% of the total time, so we expect the rate of 500 to drop by about 4%.
4- With --min-rate 500 and --max-retries 0
nmap -sS -F -n -v xx.xx.xx.xx -oN test3-min-rate-500 -d --min-rate 500 --max-retries 0
Overall sending rates: 497.00 packets / s, 21868.05 bytes / s.
1 IP address (1 host up) scanned in 2.705 seconds
Note: 3 open ports missed. Sometimes six ports missed, sometimes five.

4- With --min-rate 1000
nmap -sS -F -n -v xx.xx.xx.xx -oN test3-min-rate-1000 -d --min-rate 1000
Overall sending rates: 866.24 packets / s, 38114.44 bytes / s.
Nmap done: 1 IP address (1 host up) scanned in 4.909 seconds
Note: No ports missed

5- With --min-rate 1000 with --max-retries 0
nmap -sS -F -n -v xx.xx.xx.xx -oN test3-min-rate-1000--max-retries0 -d --min-rate 1000 --max-retries 0
Overall sending rates: 841.68 packets / s, 37033.96 bytes / s.
1 IP address (1 host up) scanned in 1.654 seconds
Note: 7 ports missed. Sometimes 6

6- With --min-rate 10000
nmap -sS -F -n -v xx.xx.xx.xx -oN test3-min-rate-10000 -d --min-rate 10000
Overall sending rates: 2162.30 packets / s, 95141.17 bytes / s.
1 IP address (1 host up) scanned in 4.068 seconds
Note: 4 ports missed! First time I've got missed ports without --max-retries 0. Sometimes just two ports missed

7- With --min-rate 100000
nmap -sS -F -n -v xx.xx.xx.xx -oN test3-min-rate-100000 -d --min-rate 100000
Overall sending rates: 2126.00 packets / s, 93543.92 bytes / s.
1 IP address (1 host up) scanned in 4.085 seconds
Note: 2 ports missed!
Here you see the danger of specifying a minimum rate. Nmap usually does a really good job of finding a fast rate that won't drop probes, as shown in your first two scan times of 8.545 and 4.081 seconds. If you try to go faster you're likely to lose accuracy. You've also shown that a higher packet sending rate doesn't always mean a faster scan. Your --min-rate 1000 scan finished only marginally sooner than your --min-rate 500 scan, even though it sent packets almost twice as fast. The reason is that you're sending so fast that the network is dropping probes, so Nmap sends more retransmissions to compensate. The only way to get anything close to a time guarantee is by capping the maximum number of retries (doesn't have to be 0).
Note that despite using --max-retries 100000, I can't send faster than 2100 or so packets/s. This is because of my slow internet connection, I guess! My real download speed is something like 600kbps and my real upload speed is something like 150kbps.
That's how it's supposed to work. It takes a certain amount of time to push a packet onto the wire, and you can only do that so many times per second. At really high packet rates the scan can slow down unreasonably because of some scan engine inefficiencies, which we're still working on. Thanks for testing!

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
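As an added worked example (not part of the thread or of Nmap itself), the script below backs out packet counts and retransmission overhead from the "Overall sending rates" figures quoted above, using the rate-times-duration relation David describes; it assumes the --max-retries 0 run approximates the number of distinct probes the scan needs, and that the idle-time estimate treats Nmap as holding the requested rate whenever it had work to do.

```python
"""Derive packet counts, retransmission overhead and implied idle time from
the overall sending rates quoted in the thread (constructed example)."""

# Constructed from the thread's figures: label -> (packets/s, scan seconds).
SCANS = {
    "normal":          (158.87, 8.545),
    "max-retries 0":   (324.29, 4.081),   # each probe sent once
    "min-rate 500":    (478.74, 5.117),
    "min-rate 1000":   (866.24, 4.909),
    "min-rate 10000":  (2162.30, 4.068),
    "min-rate 100000": (2126.00, 4.085),
}


def packets_sent(rate, seconds):
    """Overall rate is total packets / total wall time, so invert it."""
    return round(rate * seconds)


def idle_seconds(requested_rate, reported_rate, seconds):
    """Idle time implied by a reported rate below the requested --min-rate,
    assuming Nmap held the requested rate while it still had probes to send
    (the simplification behind the 200 ms / 4% estimate in the thread)."""
    return seconds * (1 - reported_rate / requested_rate)


def retransmission_factor(label, baseline="max-retries 0"):
    """Packets sent relative to the single-transmission baseline run.
    Values well above 1.0 mean the extra speed went into retransmissions."""
    return packets_sent(*SCANS[label]) / packets_sent(*SCANS[baseline])


if __name__ == "__main__":
    for label, (rate, secs) in SCANS.items():
        print(f"{label:16} {packets_sent(rate, secs):5d} packets  "
              f"{retransmission_factor(label):.2f}x baseline  {secs:.3f} s")
    ms = idle_seconds(500, 478.74, 5.117) * 1000
    print(f"--min-rate 500 run: about {ms:.0f} ms of idle time implied")
```

Running it shows the --min-rate 1000 scan sending roughly 3.2 times the baseline packet count yet finishing only marginally sooner than --min-rate 500, which is the retransmission effect the reply describes.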