Nmap Announce mailing list archives

Scanning speeds - unexplained behaviour


From: Thomas Reinke <reinke () e-softinc com>
Date: Wed, 21 Jul 1999 23:51:02 -0400

Hi all,

I suspect this problem is very much OS related - if anyone
knows, please feel free to redirect me to an appropriate
forum.

We've been mucking around with nmap to optimize its run
time when scanning firewalls - the pesky things tend
not to respond to packets. In the process, we noticed
some interesting behaviour.

Specifically, if you scan ports 1-65535, the time taken
is MUCH longer than if you were to scan the same range
of ports, but in 10,000 port chunks (say 7 consecutive
runs of 10,000 ports). This in turn takes 3 times
longer than if you were to do 65 consecutive runs
of 1000 port increments.

Anyone have any idea why breaking down a scan into
small chunks works so much faster?

Typically, if we start with a "seed" scan of
the ports 1-50, it might take 50 seconds or so.
Thereafter, if we scan 1000 ports at a time, each
1000 ports might take only 7-8 seconds!

The examples we have been working with apply
to several different scenarios we have tested:

 a) Internal class A network 10.0.0.0, with a
    non-existent IP used, such as 10.1.2.3
 b) Valid IP address on network used that is
    5 hops away from scanning machine, but
    no host answering on that network.

An easy way to replicate the behaviour is to run
nmap twice on a port range (say ports 1-100).
The first time will take much longer than the second
time.

Any idea what gives?

Thomas

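A small timing harness for reproducing the measurement described in the post (whole range vs. 10,000-port vs. 1,000-port chunks). This is an added example, not code from the original post or from the nmap project; it assumes nmap is on PATH and that the target (the placeholder 10.1.2.3 from the post by default) is a host in your own lab. It uses the modern -Pn flag to skip host discovery, which is what lets an unresponsive host still be port-scanned (the 1999-era spelling was -P0).

```python
"""Time one large nmap port range against the same range split into chunks."""
import shutil
import subprocess
import sys
import time

NMAP = "nmap"  # assumed to be on PATH


def port_chunks(first, last, size):
    """Split the inclusive range first..last into consecutive (start, end)
    chunks of at most `size` ports, e.g. 1-65535 by 10000 -> 7 chunks."""
    if first < 1 or last > 65535 or first > last or size < 1:
        raise ValueError("bad port range or chunk size")
    chunks = []
    start = first
    while start <= last:
        end = min(start + size - 1, last)
        chunks.append((start, end))
        start = end + 1
    return chunks


def nmap_args(target, start, end):
    """Command line for one chunk: -n skips DNS, -Pn skips host discovery
    so an unresponsive (or non-existent) host is still port-scanned."""
    return [NMAP, "-n", "-Pn", "-p", f"{start}-{end}", target]


def time_chunked_scan(target, first, last, size):
    """Run nmap once per chunk; return (total seconds, per-chunk seconds)."""
    if shutil.which(NMAP) is None:
        raise FileNotFoundError("nmap not found on PATH")
    per_chunk = []
    for start, end in port_chunks(first, last, size):
        t0 = time.perf_counter()
        subprocess.run(nmap_args(target, start, end), check=False,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        per_chunk.append(time.perf_counter() - t0)
    return sum(per_chunk), per_chunk


if __name__ == "__main__":
    # Constructed placeholder target taken from the post; pass your own lab host instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "10.1.2.3"
    for size in (65535, 10000, 1000):  # one run, 7 runs, 66 runs
        total, parts = time_chunked_scan(target, 1, 65535, size)
        print(f"chunk size {size:5d}: {len(parts):2d} runs, {total:8.1f}s total")
```

Comparing the three totals printed at the end reproduces the effect the post describes; the per-chunk list also shows whether the first chunk is the slow one.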