Nmap Development mailing list archives

Re: [CAPS] Re: Desired improvements in Nmap performance? [SCAN BUDDIES]


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 2 Dec 2008 23:36:22 +0000


On Tue, 2 Dec 2008 16:28:37 -0700
David Fifield <david () bamsoftware com> wrote:

> ...snip...
>
> What's happening is that the one totally filtered host has never sent
> a reply, so we have no idea what its RTT is. Nmap uses the default of
> one second, which is pretty slow. But the scan buddy provides a
> global RTT estimate, which Nmap will use when a host doesn't have its
> own estimate (HostScanStats::probeTimeout in scan_engine.cc). The
> approximation is justified in this case as the two hosts are likely
> to have near-identical RTTs. So the unanswered probes time out much
> more quickly and the scan goes fast.
>
> If you scan the filtered host with --initial-rtt-timeout 50 does the
> scan go as fast as with the buddy?


Well, much faster but not as fast as with the buddy.  No buddy, no
--initial-rtt-timeout:

$ sudo ./nmap --datadir ./ -p- -T5 -v -d -PN -n 132.239.7.132

Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-02 23:34 GMT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 250, min 50, max 300
  max-scan-delay: TCP 5, UDP 1000
  parallelism: min 0, max 0
  max-retries: 2, host-timeout: 900000
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating SYN Stealth Scan at 23:34
Scanning 132.239.7.132 [65535 ports]
Packet capture filter (device eth0): dst host 132.239.1.114 and (icmp or ((tcp or udp) and (src host 132.239.7.132)))
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.00% done
Current sending rates: 3.18 packets / s, 116.64 bytes / s.
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.01% done
Current sending rates: 5.30 packets / s, 209.78 bytes / s.
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.02% done
Current sending rates: 6.11 packets / s, 249.65 bytes / s.
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.02% done
Current sending rates: 6.54 packets / s, 271.79 bytes / s.
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.03% done
Current sending rates: 6.81 packets / s, 284.56 bytes / s.

...killed...


Now with the --initial-rtt-timeout:

$ sudo ./nmap --datadir ./ -p- -T5 -v -d -PN -n --initial-rtt-timeout 50 132.239.7.132

Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-02 23:35 GMT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 50, min 50, max 300
  max-scan-delay: TCP 5, UDP 1000
  parallelism: min 0, max 0
  max-retries: 2, host-timeout: 900000
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating SYN Stealth Scan at 23:35
Scanning 132.239.7.132 [65535 ports]
Packet capture filter (device eth0): dst host 132.239.1.114 and (icmp or ((tcp or udp) and (src host 132.239.7.132)))
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.02% done
Current sending rates: 17.96 packets / s, 768.54 bytes / s.
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.06% done
Current sending rates: 26.26 packets / s, 1135.67 bytes / s.
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.09% done
Current sending rates: 29.42 packets / s, 1278.75 bytes / s.
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.12% done
Current sending rates: 31.14 packets / s, 1356.08 bytes / s.
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.15% done
Current sending rates: 32.69 packets / s, 1424.19 bytes / s.
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.18% done
Current sending rates: 33.81 packets / s, 1472.89 bytes / s.


Of course, the buddy was *much* faster than this.

Brandon
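As an added illustration (not part of the original post and not Nmap's own code): a small parser for the "Stats:" / "Current sending rates:" lines quoted above, used to compare the two runs, plus a deliberately simplified model of the timeout fallback the thread describes (own host estimate, then the buddy's global estimate, then --initial-rtt-timeout, clamped to the timing report's min/max). The function names and the clamping are assumptions for illustration, not HostScanStats::probeTimeout itself.

```python
import re

# Constructed sample: first and last status pairs from the two runs in the post.
RUN_DEFAULT = """\
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Current sending rates: 3.18 packets / s, 116.64 bytes / s.
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Current sending rates: 6.81 packets / s, 284.56 bytes / s.
"""
RUN_RTT50 = """\
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Current sending rates: 17.96 packets / s, 768.54 bytes / s.
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Current sending rates: 33.81 packets / s, 1472.89 bytes / s.
"""

STATS_RE = re.compile(r"^Stats: (\d+):(\d\d):(\d\d) elapsed")
RATE_RE = re.compile(r"^Current sending rates: ([\d.]+) packets / s")


def parse_rates(output):
    """Return [(elapsed_seconds, packets_per_second), ...] by pairing each
    'Stats:' line with the 'Current sending rates:' line that follows it."""
    samples, elapsed = [], None
    for line in output.splitlines():
        m = STATS_RE.match(line)
        if m:
            h, mn, s = (int(x) for x in m.groups())
            elapsed = h * 3600 + mn * 60 + s
            continue
        m = RATE_RE.match(line)
        if m and elapsed is not None:
            samples.append((elapsed, float(m.group(1))))
            elapsed = None
    return samples


def speedup(slow_output, fast_output):
    """Ratio of the last reported sending rate of two runs (fast / slow)."""
    return parse_rates(fast_output)[-1][1] / parse_rates(slow_output)[-1][1]


def probe_timeout_ms(host_rtt_ms, global_rtt_ms, initial_ms, min_ms=50, max_ms=300):
    """Hypothetical simplification of the fallback described in the thread:
    a host's own estimate wins, else the group-wide (buddy) estimate, else
    --initial-rtt-timeout; the result is clamped to the timing report's bounds.
    Real Nmap derives the timeout from smoothed RTT and variance, not raw RTT."""
    est = host_rtt_ms if host_rtt_ms is not None else global_rtt_ms
    if est is None:
        est = initial_ms
    return max(min_ms, min(max_ms, est))
```

With the posted numbers, the --initial-rtt-timeout 50 run ends up sending roughly five times as many probes per second as the default run, which matches Brandon's "much faster but not as fast as with the buddy".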


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
