Nmap Development mailing list archives

Speeding up single ports scans over large networks


From: "testic" <testic () testic demon co uk>
Date: Fri, 19 Sep 2003 00:35:51 +0100

I have recently been wanting to scan large networks to discover if a
single port is open. I have found that this seems to be exceedingly slow. I
expected that seeing as I was using a connect() scan I could scan, say, 256
hosts at a time with, for example, a 2 second timeout per host. This way the
rate at which the hosts would be scanned would be rather high, a minimum of
128 per second in fact. Instead what I am finding is that each host takes
several seconds to scan a single port.

I have experimented with all the flags, turned off DNS lookup, turned all the
timeout options to very low values, increased the number of sockets etc, but
still it's taking a silly amount of time to scan a single host. OS detection
is off, I am using the +V patch, but not using the -sv flag in order to save
time. Is there a better way of doing this? Perhaps a script of some sort to
execute 256 nmap instances? I am scanning a /16 network so speed is of the
essence :)

Perhaps if there was a way to disable common-service lookups for
open/filtered/closed ports? Or a flag to specify how many hosts to scan in
parallel? Maybe there is, but I couldn't find it.

Any input greatly appreciated :)

testic

