Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [NSE][PATCH] initialize NSE sockets based on timing_level

From: Fyodor <fyodor () insecure org>
Date: Wed, 17 Sep 2008 02:14:28 -0700
On Wed, Sep 17, 2008 at 10:28:46AM +0200, Sven Klemm wrote:

Hi everyone,

currently all NSE sockets get initialized with a 30 second timeout. A 
lot of scripts override this with a static value while the DNS and 
HTTP library override based on nmap.timing_level(). The attached patch 
 initializes all NSE sockets with a value based on nmap.timing_level().
The values used are 60s,30s,15s,10s,5s,3s.


Hi Sven.  Thanks for the patch, but I'm concerned about this trend in
general because I don't think we want every timing-related Nmap value
to vary based on Timing Template.  Only the most important ones, since
we should only add this extra complexity where it makes a bid
difference in scan speed.  The first goal is to find a number which
works well in all cases.  If such a value can't be found, and the
value is a very important one in determining scan times, then varying
it based on timing templates can be considered.

Maybe the socket timeout values are important enough to warrant this.
But before applying anything like this, we need to see the examples of
where the curent values are failing (e.g. what scripts are too slow,
or so fast that they lose accuracy) and then the proposed new values
need to be supported by empirical data or at least some sort of
explanation as to where they came from.  I think the range of 3s to
60s is probably way too much.  I thought the new DNS timing range was
way too much too, and so I reduced that.

I think that time spent finding a good default is often more useful
than defining a huge range based on -T values.

So while changing the default socket timeouts may be worthwhile, I
think applying a patch at this point would be premature.  OTOH, the
patch might spark a good discussion on improving the default timeouts.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Previous By Date Next
Previous By Thread Next

Current thread: