Nmap Announce mailing list archives
Scanning speeds - unexplained behaviour
From: Thomas Reinke <reinke () e-softinc com>
Date: Wed, 21 Jul 1999 23:51:02 -0400
Hi all,

I suspect this problem is very much OS related - if anyone knows, please feel free to redirect me to an appropriate forum.

We've been mucking around with nmap to optimize its run time when scanning firewalls - the pesky things tend not to respond to packets. In the process, we noticed some interesting behaviour. Specifically, if you scan ports 1-65535, the time taken is MUCH longer than if you were to scan the same range of ports, but in 10,000 port chunks (say 7 consecutive runs of 10,000 ports). This in turn takes 3 times longer than if you were to do 65 consecutive runs of 1000 port increments.

Anyone have any idea why breaking down a scan into small chunks works so much faster? Typically, if we start with a "seed" scan of the ports 1-50, it might take 50 seconds or so. Thereafter, if we scan 1000 ports at a time, each 1000 ports might take only 7-8 seconds!

The examples we have been working with apply to several different scenarios we have tested:

a) Internal class A network 10.0.0.0, with a non-existent IP used, such as 10.1.2.3

b) Valid IP address on network used that is 5 hops away from scanning machine, but no host answering on that network.

An easy way to replicate the behaviour is to run nmap twice on a port range (say ports 1-100). The first time will take much longer than the second time.

Any idea what gives?

Thomas
Current thread:
- Scanning speeds - unexplained behaviour Thomas Reinke (Jul 21)
- Re: Scanning speeds - unexplained behaviour Darren Reed (Jul 21)
- <Possible follow-ups>
- Re: Scanning speeds - unexplained behaviour photon (Jul 22)