Nmap Development mailing list archives

bandwidth consumption during scanning


From: "testic" <testic () testic demon co uk>
Date: Sun, 7 Dec 2003 18:42:53 -0000

In addition to my previous post regarding the amount of
bandwidth/network strain used/caused during a typical scan, I ran Nmap
against a machine on a local network in conjunction with tcpdump to see just
how much data was generated.

Nmap was run as follows and gave the following results:

$ nmap -sT -O -sVVV -P0 -F -T5 10.10.1.10
Starting nmap 3.48 ...
Interesting ports on 10.10.1.10:
(The 1210 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn
No exact OS matches for host ...
TCP/IP fingerprint:
(I will post this 'new' fingerprint later, it was win98 :) )
Nmap run completed -- 1 IP address (1 host up) scanned in 30.116 seconds

I had a look in the Nmap man page to see exactly what 'closed' means, but I
couldn't see a definition for it; defined were 'filtered', 'un-filtered' and
'open', perhaps my man page is an old one... I understand 'closed' to mean
that no response at all was received from that particular port, which is
strange because the target host in question is an un-firewalled Windows98
machine which I believe would send an RST for ports which aren't fully open.
Not that it really matters in this instance, it's just that ports that aren't
fully open and do send a response to indicate that a connection won't be
accepted would generate more data.

tcpdump (with -w) said:
2480 packets received by filter
0 packets dropped by kernel

The total size of the dumped file was 206,212 bytes and was a total of data
both sent and received. Presumably more packet data would have been captured
if more than one port was open. If this scan had been run on 80,000 hosts
all giving the same results the size of data would have been 15,733MB; that's
198.4 million packets.

Just out of interest I ran a few Nmap scans against the same machine with
different options and measured the size of data, tcpdump was run with the
same arguments each time:

# A basic connect() scan.
  nmap -sT -P0 -F -T5 10.10.1.10
  198k
# A basic connect() scan with OS detection.
  nmap -sT -P0 -F -T5 -O 10.10.1.10
  201k
# A basic connect() scan with lots of service probing (1 service found).
  nmap -sT -P0 -F -T5 -sVVV 10.10.1.10
  198k
# A basic connect() scan with lots of service probing (7 services found, 3
known, 4 unknown).
# The same machine and everything, I just opened a few services.
  nmap -sT -P0 -F -T5 -sVVV 10.10.1.10
  258k
# A basic connect() scan with lots of service probing (3 services found, 0
unknown).
# I closed the unknown services.
  nmap -sT -P0 -F -T5 -sVVV 10.10.1.10
  209k

At this point it became apparent that programs on the target host had
started crashing inexplicably so I thought it best to stop ;)

testic
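The measurement above is taken from the size of the `tcpdump -w` file, which is a pcap file: a 24-byte global header followed by a 16-byte record header per packet plus the stored bytes of each packet (at most the snapshot length). The following is an added example, not code from the post or from the Nmap project, showing how to read such a file and separate three numbers that the post treats as one: file size, bytes stored (cut at snaplen), and bytes actually on the wire (the record's original length). It then scales a single-host measurement to a larger host count the way the post does for 80,000 hosts. The function names, the `build_pcap` helper and the three sample frames are my own constructions; the author's figures (2480 packets, 206,212 bytes, 80,000 hosts) are taken from the post as given.

```python
import struct

# Classic pcap (microsecond timestamps) magic number, little-endian on disk.
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = "<IHHiIII"   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"      # ts_sec, ts_usec, incl_len (stored), orig_len (on the wire)
LINKTYPE_ETHERNET = 1


def build_pcap(frames, snaplen):
    """Assemble a pcap file in memory from (timestamp, frame_bytes) pairs.
    Constructed test data only; a real 'tcpdump -w' file has the same layout."""
    out = bytearray(struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, frame in frames:
        incl_len = min(len(frame), snaplen)          # tcpdump stores at most snaplen bytes
        out += struct.pack(RECORD_HDR, ts_sec, 0, incl_len, len(frame))
        out += frame[:incl_len]
    return bytes(out)


def summarize_pcap(data):
    """Walk every record and return packet count, on-wire bytes (orig_len),
    stored bytes (incl_len), frames cut by snaplen, and the file size itself."""
    magic, _maj, _min, _tz, _sig, snaplen, _link = struct.unpack_from(GLOBAL_HDR, data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (magic 0x%08x)" % magic)
    stats = {"packets": 0, "wire_bytes": 0, "stored_bytes": 0, "truncated": 0,
             "file_bytes": len(data), "snaplen": snaplen}
    off = struct.calcsize(GLOBAL_HDR)
    while off < len(data):
        if off + struct.calcsize(RECORD_HDR) > len(data):
            raise ValueError("partial record header at offset %d" % off)
        _sec, _usec, incl_len, orig_len = struct.unpack_from(RECORD_HDR, data, off)
        off += struct.calcsize(RECORD_HDR)
        if off + incl_len > len(data):
            raise ValueError("record body runs past end of file (capture cut short)")
        stats["packets"] += 1
        stats["wire_bytes"] += orig_len      # what crossed the network
        stats["stored_bytes"] += incl_len    # what tcpdump kept, bounded by snaplen
        if incl_len < orig_len:
            stats["truncated"] += 1          # counting stored bytes would under-report these
        off += incl_len
    return stats


def is_well_formed(data):
    """True if the file parses to the end without a cut-off record."""
    try:
        summarize_pcap(data)
        return True
    except ValueError:
        return False


def extrapolate(packets, nbytes, hosts_measured, hosts_target):
    """Scale a per-host measurement to a larger address set, assuming every host
    answers the same way (the assumption behind the post's 80,000-host figure)."""
    scale = hosts_target / hosts_measured
    return round(packets * scale), round(nbytes * scale)


def mib(n_bytes):
    return n_bytes / (1024 * 1024)


if __name__ == "__main__":
    # Constructed frames: a 60-byte frame, a full 1514-byte frame (cut to snaplen),
    # and a 74-byte frame. Not real scan traffic.
    sample = build_pcap([(0, b"\x00" * 60), (0, b"\x00" * 1514), (1, b"\x00" * 74)], snaplen=96)
    print(summarize_pcap(sample))
    # The post's single-host measurement (206,212 is the file size, as the author used it),
    # scaled to 80,000 hosts.
    pkts, nbytes = extrapolate(2480, 206212, 1, 80000)
    print("80,000 hosts: %d packets, %.0f MiB" % (pkts, mib(nbytes)))
```

Running the second part reproduces the post's 198.4 million packets and 15,733 (MiB) figure, which shows that the "MB" there is a binary megabyte. The first part shows why file size is not wire volume: each record carries 16 bytes of header, and any frame longer than snaplen is stored short, so `wire_bytes` is the number to use when estimating network load from a capture, and `file_bytes` the number to use when estimating disk needed to keep the evidence.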


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
