Nmap Development mailing list archives

Re[2]: SYN-scan and TCP-connect scan time difference.


From: Anton Konvalyuk <w.o.l.f.paradox () mail ru>
Date: Fri, 24 Jan 2014 14:35:31 +0400

 Dan,

I didn't find <taskbegin> in the XML output. But I tested the problem one more time (thank you). So:

sudo nmap --open -T4 -F -n -oA report xxx.xxx.xxx.xxx/18
16384 IP addresses (5472 hosts up) scanned in 10995.48 seconds

nmap --open -T4 -F -n -oA report_2 xxx.xxx.xxx.xxx/18
16384 IP addresses (163 hosts up) scanned in 158.18 seconds

Ndiff showed 20 more hosts with open ports (--open option) in the first case. There were two hosts with port 80 open. I don't know why, because Nmap sends packets to this port even in the TCP-connect case. Then I captured some packets in both cases. Nmap sends packets to ports 80 and 443 to identify live hosts in the TCP-connect case, and packets to ports 80 and 443 plus ICMP Echo Requests in the SYN-scan case.

And now I don't know why TCP-connect misses a lot of live hosts. I thought it got responses from closed ports 80 and 443.


Thursday, 23 January 2014, 12:00 -06:00, from Daniel Miller <bonsaiviking () gmail com>:
On 01/23/2014 10:33 AM, Anton Konvalyuk wrote:
Hello.

I was scanning a large network (/18). I've noticed a strange occurrence. When I use 'sudo nmap --open -T4 -F -oX report xxx.xxx.xxx.xxx/18', scanning lasts for more than 2 hours. But if I use 'nmap --open -T4 -F -oX report xxx.xxx.xxx.xxx/18' it takes approximately 2 minutes. And there is no big difference when using the '-n' option.

Could you tell what the reason is? The only information I've found is  http://seclists.org/nmap-dev/2006/q1/370 . So 
why is TCP-connect faster than SYN-scan? And why is the difference really big?

Thanks!
Nmap version: 6.00
OS: Debian 6.0 x86_64

Anton,

I am surprised that you are finishing a /18 scan in 2 minutes, no matter 
what options you choose. Have you compared the results to be sure that 
you are not losing data? Against a large network without many hosts, the 
host discovery phase would possibly be the source of delay. With root 
privilege, Nmap sends 4 probes to determine whether a host is alive, but 
only 2 probes without privileges. Have a look at the <taskbegin> and 
<taskend> elements in the XML output to see how long each phase of the 
scan took.

Dan


-- 
Best regards,
Anton Konvalyuk
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
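Dan's suggestion is to read the `<taskbegin>`/`<taskend>` elements in the XML output to see which phase of the scan is slow. The script below is an added example, not code from this thread or from the Nmap project. The two XML snippets are constructed to resemble the privileged (ICMP + SYN host discovery) and unprivileged (connect() host discovery) runs Anton describes; the host-group boundaries and timestamps are invented, and the `task` attribute values follow the names Nmap writes for those phases. Because Nmap processes large targets in host groups, the same phase appears several times in one report, so the durations are summed per phase.

```python
"""Sum the time spent in each Nmap phase from <taskbegin>/<taskend> elements.

Added example for this thread; it is not Nmap's own code. The XML below is
constructed to mirror a privileged and an unprivileged /18 scan and is not a
real report.
"""
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Constructed sample: privileged run (Ping Scan uses ICMP + SYN probes, ports
# scanned with a SYN Stealth Scan). Two host groups, so each phase repeats.
SAMPLE_PRIVILEGED = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --open -T4 -F -n -oA report 10.0.0.0/18" start="1390000000">
  <taskbegin task="Ping Scan" time="1390000000"/>
  <taskend task="Ping Scan" time="1390005000" extrainfo="8192 total hosts"/>
  <taskbegin task="SYN Stealth Scan" time="1390005000"/>
  <taskend task="SYN Stealth Scan" time="1390005100" extrainfo="273600 total ports"/>
  <taskbegin task="Ping Scan" time="1390005100"/>
  <taskend task="Ping Scan" time="1390010500" extrainfo="8192 total hosts"/>
  <taskbegin task="SYN Stealth Scan" time="1390010500"/>
  <taskend task="SYN Stealth Scan" time="1390010995" extrainfo="273600 total ports"/>
  <runstats><finished time="1390010995" elapsed="10995.48"/></runstats>
</nmaprun>
"""

# Constructed sample: unprivileged run (connect() probes for host discovery,
# ports scanned with a Connect Scan). One host group for brevity.
SAMPLE_UNPRIVILEGED = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --open -T4 -F -n -oA report_2 10.0.0.0/18" start="1390100000">
  <taskbegin task="Ping Scan" time="1390100000"/>
  <taskend task="Ping Scan" time="1390100120" extrainfo="16384 total hosts"/>
  <taskbegin task="Connect Scan" time="1390100120"/>
  <taskend task="Connect Scan" time="1390100158" extrainfo="16300 total ports"/>
  <runstats><finished time="1390100158" elapsed="158.18"/></runstats>
</nmaprun>
"""


def phase_durations(xml_text):
    """Return an ordered {task name: total seconds} over all begin/end pairs.

    Pairs are matched by task name in document order. A <taskend> without a
    preceding <taskbegin> (e.g. a truncated report) is skipped, not guessed.
    """
    root = ET.fromstring(xml_text)
    open_tasks = {}
    totals = OrderedDict()
    for el in root.iter():
        if el.tag == "taskbegin":
            open_tasks[el.get("task")] = float(el.get("time"))
        elif el.tag == "taskend":
            name = el.get("task")
            start = open_tasks.pop(name, None)
            if start is None:
                continue
            totals[name] = totals.get(name, 0.0) + float(el.get("time")) - start
    return totals


def slowest_phase(xml_text):
    """Return (task name, seconds) for the phase that consumed the most time."""
    totals = phase_durations(xml_text)
    if not totals:
        return None
    return max(totals.items(), key=lambda item: item[1])


def phase_shares(xml_text):
    """Return each phase's fraction of the summed phase time."""
    totals = phase_durations(xml_text)
    grand = sum(totals.values())
    return {name: secs / grand for name, secs in totals.items()} if grand else {}


if __name__ == "__main__":
    for label, xml_text in (("privileged", SAMPLE_PRIVILEGED),
                            ("unprivileged", SAMPLE_UNPRIVILEGED)):
        print(label)
        shares = phase_shares(xml_text)
        for name, secs in phase_durations(xml_text).items():
            print("  %-18s %9.1f s  (%4.1f%%)" % (name, secs, 100 * shares[name]))
```

Point it at a real report with `phase_durations(open("report.xml").read())`. In the constructed samples the Ping Scan dominates the privileged run, which is the pattern Dan describes: against a sparsely populated /18, host discovery, not the port scan, is where the extra probes cost time.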
