Nmap Development mailing list archives

RE: Nmap 3.70 very very slow scanning (/16 iprange)


From: "Ganga Bhavani" <GBhavani () everdreamcorp com>
Date: Thu, 30 Sep 2004 21:56:16 -0700


Hi,
 
   From debugging, I found that this patch is essential for nmap 3.70 to work faster in windows. With this fix, 
scanning is taking 40 minutes for 192.168.10.10/16 instead of two days. Please let me know if there is any problem with 
this fix.
 
Thanks,
Ganga

--- winip.c.org Thu Sep 30 21:39:03 2004
+++ winip.c     Thu Sep 30 21:47:29 2004
@@ -795,7 +795,8 @@
   SOCKET s;
   winip_test(0);
 
-  if(type == SOCK_RAW && proto == IPPROTO_RAW)
+  // if rawsocket not available, initialize pcap
+  if(type == SOCK_RAW && proto == IPPROTO_RAW && !rawsock_avail)
     {
       winip_test(1);
       pcapsend_init();
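Review bot: the new condition at `+  if(type == SOCK_RAW && proto == IPPROTO_RAW && !rawsock_avail)` depends on `rawsock_avail` having been initialized before the first call into this function, and nothing in the hunk shows where that happens; please point at the code that sets it so a reviewer can confirm the flag cannot still hold its default value when the first raw socket is requested. Since the removed line is the 3.70 behaviour that forced every raw send through `pcapsend_init()`, the patch description should also record why 3.70 dropped the `!rawsock_avail` test and which scan types were verified with raw sockets after reinstating it; as posted this reads as an unexplained revert.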


-----Original Message-----
From: Ganga Bhavani [mailto:GBhavani () everdreamcorp com]
Sent: Tue 9/28/2004 6:21 PM
To: Fyodor
Cc: nmap-dev () insecure org
Subject: Nmap 3.70 very very slow scanning (/16 iprange)
 
Hi,

I'm running nmap-3.70 on Windows XP SP1. Scanning a class B network (nmap -O 192.168.0.0/16) is taking more than 2 
days, whereas the previous version of nmap (nmap-3.50) used to take around 4 hrs for the same scan.

When I debug, this is what I found. 
In nmap-3.70, by default scanning is done through winpcap instead of raw sockets. winpcap is taking around 2 seconds 
to send the ICMP (ping) packet and tcp:80 initially to check if the host is up. Even though only a small number of nodes 
are up (say 200), a large amount of time (2 secs per node) is spent pinging non-existent nodes. For a /16 network with a 
sparse node population, nmap was 60% complete in 2 days, at which point I gave up. 

If I modify the code to use raw sockets instead, with the following change in the code, the scan is taking around 40 
minutes. 

nmap-3.70/mswin32/winip/winip.c
--------------------------------
int win32_socket(int af, int type, int proto)
{
  SOCKET s;
  winip_test(0);

 // if(type == SOCK_RAW && proto == IPPROTO_RAW)                    /* 3.70 */
  if(type == SOCK_RAW && proto == IPPROTO_RAW && !rawsock_avail)   /* 3.50 */
    {
      winip_test(1);
      pcapsend_init();
      return 501;
    }

  s = socket(af, type, proto);

Can someone please let me know the reason behind this change? Also, what are the implications if I revert it back to 
the old code? Also, can someone please tell me if there is a way to optimize the performance of the pcap send calls? Some 
parameters that I can tune?

Thanks,
Ganga
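
The selection logic the message describes (prefer a raw socket, fall back to the pcap sender only when raw sockets are unusable), as an added standalone example that is not nmap's code and not from the poster. It is a POSIX C program rather than a winip.c excerpt; the names probe_raw_socket, choose_sender, open_sender and the sender_t enum are the example's own, and the cached flag plays the role the thread attributes to rawsock_avail. Beyond the condition shown in the thread it also handles the case the cached flag cannot see: the probe succeeded earlier but a later raw-socket open fails, in which case it demotes to the pcap path and remembers that for subsequent calls.

```c
/* Added example, not nmap code: probe raw-socket availability once, cache it,
 * and consult the cached flag whenever a raw send socket is requested.
 * Names below are this example's own (assumptions), not winip.c identifiers. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

typedef enum { SEND_VIA_SOCKET = 1, SEND_VIA_PCAP = 2 } sender_t;

/* Cached probe result, analogous in role to rawsock_avail: -1 = not yet probed. */
static int rawsock_avail = -1;

/* Probe once: try to open a raw IP socket and close it again.
 * An unprivileged process normally gets EPERM or EACCES here. */
int probe_raw_socket(void)
{
    if (rawsock_avail >= 0)
        return rawsock_avail;
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (s >= 0) {
        close(s);
        rawsock_avail = 1;
    } else {
        rawsock_avail = 0;
    }
    return rawsock_avail;
}

/* The 3.50-style decision: only a raw IP socket request with raw sockets
 * unavailable is routed to the pcap sender; everything else uses socket(). */
sender_t choose_sender(int type, int proto, int raw_available)
{
    if (type == SOCK_RAW && proto == IPPROTO_RAW && !raw_available)
        return SEND_VIA_PCAP;
    return SEND_VIA_SOCKET;
}

/* Open a send socket. Returns the sender actually used; *fd receives the
 * descriptor for the socket path or -1 for the pcap path. If the cached flag
 * said raw sockets work but this open fails, demote to pcap and cache that. */
sender_t open_sender(int type, int proto, int *fd)
{
    *fd = -1;
    if (choose_sender(type, proto, probe_raw_socket()) == SEND_VIA_PCAP)
        return SEND_VIA_PCAP;
    *fd = socket(AF_INET, type, proto);
    if (*fd < 0) {
        if (type == SOCK_RAW && proto == IPPROTO_RAW)
            rawsock_avail = 0;   /* stale flag: later raw requests go to pcap */
        return SEND_VIA_PCAP;
    }
    return SEND_VIA_SOCKET;
}

int main(void)
{
    int fd;
    sender_t how = open_sender(SOCK_RAW, IPPROTO_RAW, &fd);
    printf("raw send path: %s (probe=%d, errno=%s)\n",
           how == SEND_VIA_SOCKET ? "socket()" : "pcap fallback",
           rawsock_avail, how == SEND_VIA_SOCKET ? "-" : strerror(errno));
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Run as an ordinary user the program reports the pcap fallback; run with the privilege needed for raw sockets it reports the socket path. The point of caching the probe rather than retrying socket() on every request is the per-host cost the thread complains about: the availability decision is made once, not once per target.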


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
