Where's the bottleneck?

[Roger Hoyle <r.hoyle () eris qinetiq com>]

Hi,

I've done a pile of testing on nmap recently, to try and develop ways of 
scanning multiple addresses more quickly.

Our initial thoughts were to put three ethernet interfaces on one 
machine and start multiple scans spread over the three interfaces.

After some initial testing, I was surprised to find that running 9 
threads per interface on three interfaces, gave an average machine scan 
time within 1% of running 27 (!) threads on one interface.

i.e. It seems that the interface really isn't the blocker.

I did some follow-up testing on various spec'ed machines, all running a 
2.4 kernel and nmap 2.54 beta22. I got the following results:

CPU   Mem     Average Time for 18 scans (seconds)

1700  256     87
850   128     146
666   256     173
200   64      526
166   80      524

I'm using the following nmap command:

nmap -sT -O -p 1-65535 -vv -P0 -r $ip -oN $ip.txt -oG $ip.mrf &

The scan time seems very closely linked to processor speed. This was 
surprising. 

Has anyone got any ideas why this might be the case? We really expected 
3 interfaces to make a difference. Is it my version of nmap? Something 
else? Or just my CPU?

Any clues to this behaviour would be greatly appreciated.

Cheers

Rog.



---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).