Nmap Development mailing list archives
Re: Qscan in NSE: qscan.nse
From: David Fifield <david () bamsoftware com>
Date: Wed, 21 Apr 2010 18:09:19 -0600
On Thu, Apr 15, 2010 at 12:57:27AM +0000, Brandon Enright wrote:
> I decided to test my idea of probing faster. My results are very promising. I tested the following way. First I sent 10 packets at 1pps to an open port, roughly like qscan. I then sent 100 packets at 10pps which takes the same amount of time. I then sent 100 packets at 100pps for 10x time savings. First, I did scanme.insecure.org on port 80. Here are those results:
Here are my results with NAT, interleaved with yours.
> $ time sudo hping scanme.insecure.org -p 80 -S -i 1 -c 10 2>&1 | egrep 'len=.*rtt' | sed -r 's/^.*rtt=([0-9.]+).*$/\1/g' | ./conf_int.pl
> N: 10.0000
> Min: 13.5000
> Max: 13.9000
> Avg: 13.6600
> Sum: 136.6000
> Var: 0.0249
> StdDev: 0.1578
> 95% confidence interval for mean: [13.0402, 14.2798]
>
> real    0m9.026s
> user    0m0.009s
> sys     0m0.006s

# time /usr/sbin/hping scanme.insecure.org -p 80 -S -i 1 -c 10 2>&1 | egrep 'len=.*rtt' | sed -r 's/^.*rtt=([0-9.]+).*$/\1/g' | ./conf_int.pl
N: 10.0000
Min: 66.3000
Max: 114.0000
Avg: 75.4500
Sum: 754.5000
Var: 304.5783
StdDev: 17.4522
95% confidence interval for mean: [74.8302, 76.0698]

real    0m9.259s
user    0m0.062s
sys     0m0.020s

> $ time sudo hping scanme.insecure.org -p 80 -S -i u100000 -c 100 2>&1 | egrep 'len=.*rtt' | sed -r 's/^.*rtt=([0-9.]+).*$/\1/g' | ./conf_int.pl
> N: 99.0000
> Min: 13.3000
> Max: 14.1000
> Avg: 13.6596
> Sum: 1352.3000
> Var: 0.0249
> StdDev: 0.1577
> 95% confidence interval for mean: [13.4626, 13.8566]
>
> real    0m9.932s
> user    0m0.011s
> sys     0m0.010s

# time /usr/sbin/hping scanme.insecure.org -p 80 -S -i u100000 -c 100 2>&1 | egrep 'len=.*rtt' | sed -r 's/^.*rtt=([0-9.]+).*$/\1/g' | ./conf_int.pl
N: 99.0000
Min: 66.0000
Max: 122.1000
Avg: 69.4273
Sum: 6873.3000
Var: 78.6347
StdDev: 8.8676
95% confidence interval for mean: [69.2303, 69.6243]

real    0m10.258s
user    0m0.141s
sys     0m0.023s

> $ time sudo hping scanme.insecure.org -p 80 -S -i u10000 -c 100 2>&1 | egrep 'len=.*rtt' | sed -r 's/^.*rtt=([0-9.]+).*$/\1/g' | ./conf_int.pl
> N: 99.0000
> Min: 13.3000
> Max: 15.7000
> Avg: 13.6707
> Sum: 1353.4000
> Var: 0.0674
> StdDev: 0.2596
> 95% confidence interval for mean: [13.4737, 13.8677]
>
> real    0m1.022s
> user    0m0.007s
> sys     0m0.014s

# time /usr/sbin/hping scanme.insecure.org -p 80 -S -i u10000 -c 100 2>&1 | egrep 'len=.*rtt' | sed -r 's/^.*rtt=([0-9.]+).*$/\1/g' | ./conf_int.pl
N: 99.0000
Min: 66.0000
Max: 134.3000
Avg: 72.4970
Sum: 7177.2000
Var: 191.7989
StdDev: 13.8491
95% confidence interval for mean: [72.3000, 72.6940]

real    0m1.358s
user    0m0.139s
sys     0m0.018s
> As you can see, increasing the probes from 10 to 100 improves the confidence interval much more than sending fast hurts it. Then I tried a host with MUCH higher latency (baidu.cn):
>
> $ time sudo hping 61.135.163.94 -p 80 -S -i 1 -c 10 2>&1 | egrep 'len=.*rtt' | sed -r 's/^.*rtt=([0-9.]+).*$/\1/g' | ./conf_int.pl
> N: 10.0000
> Min: 210.6000
> Max: 211.6000
> Avg: 210.9600
> Sum: 2109.6000
> Var: 0.0804
> StdDev: 0.2836
> 95% confidence interval for mean: [210.3402, 211.5798]
>
> real    0m9.223s
> user    0m0.004s
> sys     0m0.011s
# time /usr/sbin/hping 61.135.163.94 -p 80 -S -i 1 -c 10 2>&1 | egrep 'len=.*rtt' | sed -r 's/^.*rtt=([0-9.]+).*$/\1/g' | ./conf_int.pl
N: 10.0000
Min: 290.8000
Max: 318.3000
Avg: 294.5500
Sum: 2945.5000
Var: 70.7850
StdDev: 8.4134
95% confidence interval for mean: [293.9302, 295.1698]

real    0m9.382s
user    0m0.059s
sys     0m0.023s

> $ time sudo hping 61.135.163.94 -p 80 -S -i u100000 -c 100 2>&1 | egrep 'len=.*rtt' | sed -r 's/^.*rtt=([0-9.]+).*$/\1/g' | ./conf_int.pl
> N: 99.0000
> Min: 210.7000
> Max: 213.2000
> Avg: 211.0596
> Sum: 20894.9000
> Var: 0.1398
> StdDev: 0.3739
> 95% confidence interval for mean: [210.8626, 211.2566]
>
> real    0m10.128s
> user    0m0.010s
> sys     0m0.015s

# time /usr/sbin/hping 61.135.163.94 -p 80 -S -i u100000 -c 100 2>&1 | egrep 'len=.*rtt' | sed -r 's/^.*rtt=([0-9.]+).*$/\1/g' | ./conf_int.pl
N: 99.0000
Min: 289.8000
Max: 350.1000
Avg: 294.3960
Sum: 29145.2000
Var: 104.3784
StdDev: 10.2166
95% confidence interval for mean: [294.1990, 294.5929]

real    0m10.388s
user    0m0.141s
sys     0m0.026s

> $ time sudo hping 61.135.163.94 -p 80 -S -i u10000 -c 100 2>&1 | egrep 'len=.*rtt' | sed -r 's/^.*rtt=([0-9.]+).*$/\1/g' | ./conf_int.pl
> N: 99.0000
> Min: 210.6000
> Max: 211.4000
> Avg: 210.9960
> Sum: 20888.6000
> Var: 0.0322
> StdDev: 0.1795
> 95% confidence interval for mean: [210.7990, 211.1929]
>
> real    0m1.218s
> user    0m0.005s
> sys     0m0.014s

# time /usr/sbin/hping 61.135.163.94 -p 80 -S -i u10000 -c 100 2>&1 | egrep 'len=.*rtt' | sed -r 's/^.*rtt=([0-9.]+).*$/\1/g' | ./conf_int.pl
N: 99.0000
Min: 289.5000
Max: 326.3000
Avg: 294.2455
Sum: 29130.3000
Var: 58.5056
StdDev: 7.6489
95% confidence interval for mean: [294.0485, 294.4424]

real    0m1.467s
user    0m0.133s
sys     0m0.022s

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
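The measurement pipeline used in both posts above (hping replies, the egrep/sed extraction of the rtt= field, and a confidence-interval summary) reconstructed in Python as an added example. This is not the thread's conf_int.pl, which is not shown, and the hping reply lines below are constructed to look like hping output, not a real capture; the 192.0.2.10 address is a documentation address. One detail worth checking against the numbers in the thread: every interval printed above has half-width 1.96/sqrt(N) (0.6198 for N=10, 0.1970 for N=99) whatever the reported StdDev, so the script that produced them is not scaling the interval by the sample standard deviation. The example computes the half-width as 1.96*s/sqrt(N) instead and recomputes it from the N and StdDev values reported for the six scanme.insecure.org runs; done that way the 100-probe runs are still tighter than the 10-probe runs (about +/-10.8 ms versus +/-2.7 ms for the NAT runs at 1 pps and 100 pps), so the conclusion survives the correction.

```python
"""Recompute RTT confidence intervals from hping output (added example, not
the thread's conf_int.pl). Mirrors the shell pipeline from the thread:

    hping ... 2>&1 | egrep 'len=.*rtt' | sed -r 's/^.*rtt=([0-9.]+).*$/\\1/g' | ./conf_int.pl
"""
import math
import re
import statistics

# Constructed hping-style output for 10 SYN probes to port 80 (not a real
# capture). The banner and the trailing statistic lines carry no "len=...rtt="
# and are dropped, exactly as egrep 'len=.*rtt' drops them.
SAMPLE_HPING_OUTPUT = """\
HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes
len=46 ip=192.0.2.10 ttl=52 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=13.5 ms
len=46 ip=192.0.2.10 ttl=52 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=13.6 ms
len=46 ip=192.0.2.10 ttl=52 DF id=0 sport=80 flags=SA seq=2 win=5840 rtt=13.7 ms
len=46 ip=192.0.2.10 ttl=52 DF id=0 sport=80 flags=SA seq=3 win=5840 rtt=13.9 ms
len=46 ip=192.0.2.10 ttl=52 DF id=0 sport=80 flags=SA seq=4 win=5840 rtt=13.6 ms
len=46 ip=192.0.2.10 ttl=52 DF id=0 sport=80 flags=SA seq=5 win=5840 rtt=13.7 ms
len=46 ip=192.0.2.10 ttl=52 DF id=0 sport=80 flags=SA seq=6 win=5840 rtt=13.5 ms
len=46 ip=192.0.2.10 ttl=52 DF id=0 sport=80 flags=SA seq=7 win=5840 rtt=13.8 ms
len=46 ip=192.0.2.10 ttl=52 DF id=0 sport=80 flags=SA seq=8 win=5840 rtt=13.6 ms
len=46 ip=192.0.2.10 ttl=52 DF id=0 sport=80 flags=SA seq=9 win=5840 rtt=13.7 ms

--- 192.0.2.10 hping statistic ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 13.5/13.7/13.9 ms
"""

# Same selection as the egrep and the same capture group as the sed expression.
RTT_RE = re.compile(r"len=.*rtt=([0-9.]+)")

Z95 = 1.96  # two-sided 95% critical value of the normal distribution


def extract_rtts(hping_output):
    """Return the rtt= values (ms) from lines matching 'len=.*rtt'."""
    rtts = []
    for line in hping_output.splitlines():
        m = RTT_RE.search(line)
        if m:
            rtts.append(float(m.group(1)))
    return rtts


def ci_halfwidth(n, stddev, z=Z95):
    """Half-width of the normal-approximation interval for the mean: z*s/sqrt(n)."""
    return z * stddev / math.sqrt(n)


def summarize(samples):
    """Same fields conf_int.pl prints, with the interval scaled by the sample s."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples for a sample variance")
    mean = statistics.fmean(samples)
    var = statistics.variance(samples)  # unbiased sample variance (divides by n-1)
    sd = math.sqrt(var)
    half = ci_halfwidth(n, sd)
    return {
        "n": n, "min": min(samples), "max": max(samples), "avg": mean,
        "sum": sum(samples), "var": var, "stddev": sd,
        "ci95": (mean - half, mean + half),
    }


# N and StdDev exactly as printed in the thread for the scanme.insecure.org
# runs, so the intervals can be recomputed with s included.
THREAD_RUNS = {
    "no NAT, 1 pps x 10":    (10, 0.1578),
    "no NAT, 10 pps x 100":  (99, 0.1577),
    "no NAT, 100 pps x 100": (99, 0.2596),
    "NAT, 1 pps x 10":       (10, 17.4522),
    "NAT, 10 pps x 100":     (99, 8.8676),
    "NAT, 100 pps x 100":    (99, 13.8491),
}


def recompute_thread_intervals(runs=THREAD_RUNS):
    """Map run label -> 95% half-width in ms, computed as z*s/sqrt(n)."""
    return {label: ci_halfwidth(n, sd) for label, (n, sd) in runs.items()}


def fast_run_is_tighter(slow, fast, runs=THREAD_RUNS):
    """True if the recomputed interval for `fast` is narrower than for `slow`."""
    widths = recompute_thread_intervals(runs)
    return widths[fast] < widths[slow]


if __name__ == "__main__":
    s = summarize(extract_rtts(SAMPLE_HPING_OUTPUT))
    for label, key in (("N", "n"), ("Min", "min"), ("Max", "max"), ("Avg", "avg"),
                       ("Sum", "sum"), ("Var", "var"), ("StdDev", "stddev")):
        print(f"{label}: {s[key]:.4f}")
    lo, hi = s["ci95"]
    print(f"95% confidence interval for mean: [{lo:.4f}, {hi:.4f}]")
    for label, half in recompute_thread_intervals().items():
        print(f"{label:24s} +/- {half:.4f} ms")
```

The interval is the plain z-interval the thread's output implies (1.96 over the square root of N); for N=10 a t critical value (2.262 with 9 degrees of freedom) would widen it a little further, which only strengthens the case for more probes.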