Nmap Development mailing list archives

Detecting hosts in large subnets


From: Hillel <hillel.t () gmail com>
Date: Mon, 26 Dec 2005 11:12:21 +0200

Hello all,

I am writing software that should detect all hosts in class-B LANs. I am
not interested in any port or OS info, my only interest is host
availability.
The software runs within the LAN, which means there is no blocking firewall.

After reading the timing and performance doc
<http://www.insecure.org/nmap/man/man-performance.html> and playing
around with the different options, I came up with this command
line as reasonable:
nmap -sP -n --max_rtt_timeout 50 --max_scan_delay 0 --min_parallelism 100 <subnet>
The command takes 87 seconds on a mostly empty class B subnet.

I have a number of questions:
1. From the sniffer output I see that nmap sends a second arp for every host
that does not respond. Is there a way to cancel this behavior?
2. Are there any other suggestions to improve performance?
3. Is there some kind of lib-nmap? The best thing I managed so far was
running nmap directly from my app, directing the output to a file and parsing it.
4. Are there any licensing issues when including nmap and libpcap (it's a
windows app) in a commercial release?
5. If I change max_rtt_timeout to 100 the scan time goes from 87 seconds to
150 seconds. Almost a linear increase. This is somewhat counterintuitive to
me. I assume the time deficit is because of some limitations on the number
of open sockets, that slows down the ability to send arp requests (is it
so?).
Is it possible to implement a mechanism that will send all arps without
holding open descriptors, and then sit back for a second or two, and
collect all answers? I know it's possible with a kernel module that logs all
incoming traffic, I want to know if it's possible in user-land, using
sockets, and if nmap has something like this (or can be hacked to have).

Thanks
Hillel.


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
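
The run-and-parse approach from question 3, sketched as an added example that is not part of the original post or of nmap itself: it reads nmap's XML output (the `-oX` option) rather than the human-readable text and returns the hosts reported up. The sample document is constructed, trimmed to the elements the parser reads, and the function name `live_hosts` is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output (-oX) for a ping scan, trimmed to
# the elements read below. Addresses, MAC and vendor are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sP -n -oX - 10.0.0.0/16">
  <host>
    <status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleCo"/>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.3.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def live_hosts(xml_text):
    """Return [(ip, mac_or_None), ...] for hosts whose status is 'up'."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts reported down or without a status element
        ip = mac = None
        for addr in host.findall("address"):
            kind = addr.get("addrtype")
            if kind in ("ipv4", "ipv6") and ip is None:
                ip = addr.get("addr")
            elif kind == "mac":
                mac = addr.get("addr")  # only present for on-link ARP scans
        if ip is not None:
            hosts.append((ip, mac))
    return hosts


if __name__ == "__main__":
    for ip, mac in live_hosts(SAMPLE_XML):
        print(ip, mac or "-")
```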

