Nmap Development mailing list archives

Re: New option: --min-rate for minimum-rate scanning


From: David Fifield <david () bamsoftware com>
Date: Thu, 3 Apr 2008 08:46:44 -0600

On Thu, Apr 03, 2008 at 11:14:19AM -0300, eldraco wrote:
> Hi list, I was trying --min-rate parameter, so here are my results...
>
> First of all, the "Overall sending rates" are not written in the output file,
> if we can have them there it would be wonderful!

I'm not sure about that. The overall sending rate figure is misleading,
because it includes time when Nmap has nothing to do, like at the end of
the scan while it's waiting for probes to time out. That's why I
relegated it to a debugging option. It may cause too many problems to
print a misleading number. I'm open to UI suggestions for a way to fix
this.

> 1- Test one: Standard Nmap
> nmap -sS -F -n -v xx.xx.xx.xx -oN test1-normal -d
> Overall sending rates: 158.87 packets / s, 6990.42 bytes / s.
> 1 IP address (1 host up) scanned in 8.545 seconds
> Note: No open ports missed
>
> 2 - Test two: nmap with --max-retries 0
> nmap -sS -F -n -v xx.xx.xx.xx -oN test1-normal-max-retries-0 -d --max-retries 0
> Overall sending rates: 324.29 packets / s, 14268.56 bytes / s.
> 1 IP address (1 host up) scanned in 4.081 seconds
> Note: Two open ports missed
>
> 3- Test three: With --min-rate 500 alone
> nmap -sS -F -n -v xx.xx.xx.xx -oN test3-min-rate-500 -d --min-rate 500
> Overall sending rates: 478.74 packets / s, 21064.44 bytes / s.
> 1 IP address (1 host up) scanned in 5.117 seconds
> Note: No ports missed

Here's an example of what I'm talking about. You asked for a rate of
500, but Nmap prints a rate of 478.74. There was probably 200 ms of idle
time at the end of the scan. 200 ms may not seem like a lot, but it's
roughly 4% of the total time, so we expect the rate of 500 to drop by
about 4%.

> 4- With --min-rate 500 and --max-retries 0
> nmap -sS -F -n -v xx.xx.xx.xx -oN test3-min-rate-500 -d --min-rate 500 --max-retries 0
> Overall sending rates: 497.00 packets / s, 21868.05 bytes / s.
> 1 IP address (1 host up) scanned in 2.705 seconds
> Note: 3 open ports missed. Sometimes six ports missed, sometimes five.
>
> 4- With --min-rate 1000
> nmap -sS -F -n -v xx.xx.xx.xx -oN test3-min-rate-1000 -d --min-rate 1000
> Overall sending rates: 866.24 packets / s, 38114.44 bytes / s.
> Nmap done: 1 IP address (1 host up) scanned in 4.909 seconds
> Note: No ports missed
>
> 5- With --min-rate 1000 with --max-retries 0
> nmap -sS -F -n -v xx.xx.xx.xx -oN test3-min-rate-1000--max-retries0 -d --min-rate 1000 --max-retries 0
> Overall sending rates: 841.68 packets / s, 37033.96 bytes / s.
> 1 IP address (1 host up) scanned in 1.654 seconds
> Note: 7 ports missed. Sometimes 6.
>
> 6- With --min-rate 10000
> nmap -sS -F -n -v xx.xx.xx.xx -oN test3-min-rate-10000 -d --min-rate 10000
> Overall sending rates: 2162.30 packets / s, 95141.17 bytes / s.
> 1 IP address (1 host up) scanned in 4.068 seconds
> Note: 4 ports missed! First time I've got missed ports without --max-retries
> 0. Sometimes just two ports missed.
>
> 7- With --min-rate 100000
> nmap -sS -F -n -v xx.xx.xx.xx -oN test3-min-rate-100000 -d --min-rate 100000
> Overall sending rates: 2126.00 packets / s, 93543.92 bytes / s.
> 1 IP address (1 host up) scanned in 4.085 seconds
> Note: 2 ports missed!

Here you see the danger of specifying a minimum rate. Nmap usually does
a really good job of finding a fast rate that won't drop probes, as
shown in your first two scan times of 8.545 and 4.081 seconds. If you
try to go faster you're likely to lose accuracy.

You've also shown that a higher packet sending rate doesn't always mean
a faster scan. Your --min-rate 1000 scan finished only marginally sooner
than your --min-rate 500 scan, even though it sent packets almost twice
as fast. The reason is that you're sending so fast that the network is
dropping probes, so Nmap sends more retransmissions to compensate. The
only way to get anything close to a time guarantee is by capping the
maximum number of retries (doesn't have to be 0).

> Note that despite using --max-retries 100000, I can't send faster than
> 2100 or so packets/s. This is because of my slow internet connection I
> guess! My real download speed is something like 600kbps and my real
> upload speed is something like 150kbps.

That's how it's supposed to work. It takes a certain amount of time to
push a packet onto the wire, and you can only do that so many times per
second. At really high packet rates the scan can slow down unreasonably
because of some scan engine inefficiencies, which we're still working
on.

Thanks for testing!

David Fifield
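
To make the idle-time reasoning above concrete, here is an added Python example (not from the thread and not Nmap's own code) that parses the "Overall sending rates" and "scanned in" lines quoted above and back-computes the idle tail implied by a requested --min-rate. It assumes Nmap actually held the requested rate whenever it had probes to send; the sample log is constructed from the figures in the thread.

```python
import re

# Constructed from the scan summaries quoted in this thread (tests 1, 3 and 4).
SCAN_LOG = """\
Overall sending rates: 158.87 packets / s, 6990.42 bytes / s.
1 IP address (1 host up) scanned in 8.545 seconds
Overall sending rates: 478.74 packets / s, 21064.44 bytes / s.
1 IP address (1 host up) scanned in 5.117 seconds
Overall sending rates: 866.24 packets / s, 38114.44 bytes / s.
Nmap done: 1 IP address (1 host up) scanned in 4.909 seconds
"""

RATE_RE = re.compile(r"Overall sending rates: ([\d.]+) packets / s")
TIME_RE = re.compile(r"scanned in ([\d.]+) seconds")


def parse_scans(text):
    """Pair each 'Overall sending rates' line with the next 'scanned in' line.

    Returns a list of (overall_packets_per_second, total_seconds) tuples.
    """
    scans, rate = [], None
    for line in text.splitlines():
        m = RATE_RE.search(line)
        if m:
            rate = float(m.group(1))
            continue
        m = TIME_RE.search(line)
        if m and rate is not None:
            scans.append((rate, float(m.group(1))))
            rate = None
    return scans


def implied_idle_seconds(overall_rate, total_seconds, requested_rate):
    """Idle time implied by the gap between the requested and overall rates.

    The overall figure divides packets sent by the whole run, idle tail
    included. If Nmap really sent at requested_rate while active, then
        overall_rate * total = requested_rate * (total - idle)
    so idle = total * (1 - overall_rate / requested_rate).
    Only meaningful when the link could sustain requested_rate; the 10000
    and 100000 runs above were capped by the uplink, so the model fails there.
    """
    if requested_rate <= 0 or overall_rate > requested_rate:
        raise ValueError("overall rate exceeds requested rate; model does not apply")
    return total_seconds * (1 - overall_rate / requested_rate)
```

For the --min-rate 500 run the function yields about 0.22 s of idle time, roughly 4% of the 5.117 s scan, matching the estimate given above.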

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
