Nmap Development mailing list archives

Re: Why does nmap send multiple probes to the same port?


From: Andreas Ericsson <ae () op5 se>
Date: Thu, 12 Jan 2006 04:37:33 +0100

Casey Williams wrote:
> I've noticed the same thing with -sS and -P0 which I didn't think used connect().  I've
> actually been wondering about this recently myself because I've been writing my own
> lightweight port scanning engine using libnet to inject SYN probes.  I've noticed that if I
> loop over the range of IP addresses and immediately send the probe, I won't always get a
> reply from hosts that I know should have replied.  However, if I sleep() for 1 millisecond
> between probe sends, it *will* send the reply.  However, this 1 ms sleep() can add up over
> many hosts/ports, and I can't seem to sleep() for a shorter period of time, (even
> nanosleep() doesn't seem to work for me).


On Linux the nanosleep call is based on the kernel timer, so that means 
a maximum resolution of 1HZ/s (10 ms for Linux < 2.6.9).


> ***pure conjecture ahead***
>
> So I started wondering how nmap was able to be so reliable and yet SO fast (kudos!).  Then I
> realized that it may be sending these "retry" probes to hosts that it doesn't know the
> status of and that it didn't get a reply from.
>
> I've been reading the nmap source and stepping through it, but I haven't verified that this
> is correct.  Am I on the right track?  If not, would this tactic be unrecommended?


You're missing the point a bit. The error message means that nmap
didn't send those probes. It tried to, but the system told it there was
already a connection attempt in progress.

-- 
Andreas Ericsson                   andreas.ericsson () op5 se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
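The timer-granularity point Andreas makes above is easy to check empirically. The following program is an added example written for this archive page; it is not code from the thread or from nmap. It assumes a POSIX system with CLOCK_MONOTONIC and measures how long nanosleep() actually suspends the caller for a range of requested intervals, so you can see the floor imposed by the kernel tick on a given machine before relying on sub-millisecond sleeps for pacing anything.

```c
/* Added example, not from the thread or nmap: measure how long nanosleep()
 * really sleeps compared to what was requested. On kernels with a coarse
 * timer tick the observed floor is what makes a "1 ms pause" cost far more. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Monotonic clock in nanoseconds (unaffected by wall-clock adjustments). */
static int64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (int64_t)ts.tv_sec * 1000000000LL + ts.tv_nsec;
}

/* Sleep for requested_ns, resuming after any signal interruption, and
 * return the elapsed time actually observed. POSIX guarantees this is
 * never less than requested; on a coarse tick it is often much more. */
int64_t measure_sleep_ns(int64_t requested_ns)
{
    struct timespec req = { (time_t)(requested_ns / 1000000000LL),
                            (long)(requested_ns % 1000000000LL) };
    struct timespec rem;
    int64_t start = now_ns();
    while (nanosleep(&req, &rem) == -1 && errno == EINTR)
        req = rem;           /* restart with the remainder after a signal */
    return now_ns() - start;
}

/* Smallest observed sleep over `rounds` attempts at `requested_ns`: a rough
 * estimate of the effective timer granularity for that request size.
 * Returns 0 when rounds <= 0 so the caller never sees the sentinel. */
int64_t min_observed_sleep_ns(int64_t requested_ns, int rounds)
{
    int64_t best = INT64_MAX;
    for (int i = 0; i < rounds; i++) {
        int64_t got = measure_sleep_ns(requested_ns);
        if (got < best)
            best = got;
    }
    return rounds > 0 ? best : 0;
}

int main(void)
{
    /* 1 us, 10 us, 100 us, 1 ms: the range where tick granularity shows. */
    const int64_t requests[] = { 1000, 10000, 100000, 1000000 };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int64_t got = min_observed_sleep_ns(requests[i], 20);
        printf("requested %8lld ns, best observed %9lld ns (%.1fx)\n",
               (long long)requests[i], (long long)got,
               (double)got / (double)requests[i]);
    }
    return 0;
}
```

The ratio column is the interesting part: on a kernel whose tick is coarser than the request, the 1 us and 10 us rows will report roughly the same observed floor as the 100 us row, which is exactly the effect Casey ran into when sleep() "could not go shorter." Compile with `cc -O2 measure_sleep.c -o measure_sleep` (add `-lrt` on older glibc).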
