Nmap Development mailing list archives

max-scan-delay not honored?


From: Filippo Solinas <allanon-ph () users sf net>
Date: Fri, 10 Mar 2006 19:38:25 +0100


Hi *,

having spent some time playing with the timing & performance
options in Nmap 4.01, I then realized that --max-scan-delay
seems not to work as expected. Or maybe I'm missing something.

In the following example, max-scan-delay is set to 100 ms,
but it's never honored, as the delta between probes makes
evident:

-x-

# nmap -P0 -sS -vv --packet-trace -p 0-4,80,81-85 -r --max-parallelism 1 --max-scan-delay 100 --max-retries 0 X.Y.Z.100

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-03-10 17:53 CET

[ cut DNS stuff ]

Initiating SYN Stealth Scan against X.Y.Z.100 (X.Y.Z.100) [11 ports] at 17:53

SENT (0.0660s) TCP 10.0.0.10:58763 > X.Y.Z.100:0 S ttl=58 id=13702 iplen=44 seq=2247559876 win=3072
Warning: Finishing early because retransmission cap hit.

        *** delta = 1.009 > max-scan-delay !

SENT (1.0750s) TCP 10.0.0.10:58763 > X.Y.Z.100:1 S ttl=51 id=29355 iplen=44 seq=2247559876 win=4096

        *** delta = 1.001 > max-scan-delay !

SENT (2.0760s) TCP 10.0.0.10:58763 > X.Y.Z.100:2 S ttl=57 id=41979 iplen=44 seq=2247559876 win=2048

        *** delta = 1.009 > max-scan-delay !

SENT (3.0850s) TCP 10.0.0.10:58763 > X.Y.Z.100:3 S ttl=45 id=7486 iplen=44 seq=2247559876 win=2048

        *** delta = 1.001 > max-scan-delay !

SENT (4.0860s) TCP 10.0.0.10:58763 > X.Y.Z.100:4 S ttl=56 id=55334 iplen=44 seq=2247559876 win=1024

        *** delta = 1.000 > max-scan-delay !

SENT (5.0860s) TCP 10.0.0.10:58763 > X.Y.Z.100:80 S ttl=46 id=9344 iplen=44 seq=2247559876 win=3072

        *** delta = 0.153 > max-scan-delay !

RCVD (5.2380s) TCP X.Y.Z.100:80 > 10.0.0.10:58763 SA ttl=46 id=0 iplen=44 seq=1916746295 win=5840 ack=2247559877
Discovered open port 80/tcp on X.Y.Z.100
SENT (5.2390s) TCP 10.0.0.10:58763 > X.Y.Z.100:81 S ttl=47 id=28046 iplen=44 seq=2247559876 win=4096

        *** delta = 0.757 > max-scan-delay !

SENT (5.9960s) TCP 10.0.0.10:58763 > X.Y.Z.100:82 S ttl=37 id=56448 iplen=44 seq=2247559876 win=2048

        *** delta = 0.760 > max-scan-delay !

SENT (6.7560s) TCP 10.0.0.10:58763 > X.Y.Z.100:83 S ttl=55 id=35070 iplen=44 seq=2247559876 win=4096

        *** delta = 0.760 > max-scan-delay !

SENT (7.5160s) TCP 10.0.0.10:58763 > X.Y.Z.100:84 S ttl=40 id=54959 iplen=44 seq=2247559876 win=1024

        *** delta = 0.154 > max-scan-delay !

RCVD (7.6690s) ICMP X.Y.Z.1 > 10.0.0.10 communication administratively prohibited by filtering (type=3/code=13) ttl=239 id=14885 iplen=56
SENT (7.6700s) TCP 10.0.0.10:58763 > X.Y.Z.100:85 S ttl=46 id=7298 iplen=44 seq=2247559876 win=3072

The SYN Stealth Scan took 8.22s to scan 11 total ports.

-x-

Adding "--initial-rtt-timeout 100" has the effect of setting
the scan delay to that value (100 ms), but obviously has
the side effect of missing all probe responses, depending on
the rtt.

It seems that --max-scan-delay only takes part in limiting
the send delay when it is increased due to dropped probes.

But I would expect max-scan-delay to be considered an absolute
limit, as per the manpage: "the largest delay that Nmap will allow".

Opinions?

Thanks,

        ph.



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
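As an added example (not part of the post above or of Nmap itself), a small Python checker that does what the "*** delta" annotations in the post do by hand: it parses the SENT lines of --packet-trace output, computes the gap to the previous probe and flags every gap larger than a chosen --max-scan-delay value. It assumes the Nmap 4.01 SENT line layout shown in the post; the sample trace is a constructed subset of the lines quoted there.

```python
import re
from typing import List, Tuple

# Matches a --packet-trace SENT line as printed by Nmap 4.01 in the post above;
# captures the relative timestamp (seconds) and the destination port.
SENT_RE = re.compile(r"^SENT \((?P<ts>[0-9.]+)s\) TCP \S+ > \S+:(?P<port>\d+) S ")

# Constructed sample: a subset of the SENT/RCVD lines quoted in the post.
SAMPLE_TRACE = """\
SENT (0.0660s) TCP 10.0.0.10:58763 > X.Y.Z.100:0 S ttl=58 id=13702 iplen=44 seq=2247559876 win=3072
Warning: Finishing early because retransmission cap hit.
SENT (1.0750s) TCP 10.0.0.10:58763 > X.Y.Z.100:1 S ttl=51 id=29355 iplen=44 seq=2247559876 win=4096
SENT (2.0760s) TCP 10.0.0.10:58763 > X.Y.Z.100:2 S ttl=57 id=41979 iplen=44 seq=2247559876 win=2048
SENT (3.0850s) TCP 10.0.0.10:58763 > X.Y.Z.100:3 S ttl=45 id=7486 iplen=44 seq=2247559876 win=2048
SENT (4.0860s) TCP 10.0.0.10:58763 > X.Y.Z.100:4 S ttl=56 id=55334 iplen=44 seq=2247559876 win=1024
SENT (5.0860s) TCP 10.0.0.10:58763 > X.Y.Z.100:80 S ttl=46 id=9344 iplen=44 seq=2247559876 win=3072
RCVD (5.2380s) TCP X.Y.Z.100:80 > 10.0.0.10:58763 SA ttl=46 id=0 iplen=44 seq=1916746295 win=5840 ack=2247559877
Discovered open port 80/tcp on X.Y.Z.100
SENT (5.2390s) TCP 10.0.0.10:58763 > X.Y.Z.100:81 S ttl=47 id=28046 iplen=44 seq=2247559876 win=4096
"""


def probe_deltas(trace: str, max_scan_delay_ms: float) -> List[Tuple[int, float, bool]]:
    """Return (dst_port, delta_seconds, exceeds) for every SENT line after the first.

    delta is the time elapsed since the previous SENT line; exceeds is True when
    that gap is larger than max_scan_delay_ms (given in ms, as on the command line).
    RCVD, Warning and Discovered lines are skipped: they do not start a new probe.
    """
    limit = max_scan_delay_ms / 1000.0
    result: List[Tuple[int, float, bool]] = []
    prev_ts = None
    for line in trace.splitlines():
        m = SENT_RE.match(line.strip())
        if not m:
            continue
        ts = float(m.group("ts"))
        port = int(m.group("port"))
        if prev_ts is not None:
            delta = round(ts - prev_ts, 3)  # same precision as the post's annotations
            result.append((port, delta, delta > limit))
        prev_ts = ts
    return result


def violating_ports(trace: str, max_scan_delay_ms: float) -> List[int]:
    """Ports whose probe was sent later than max_scan_delay_ms after the previous one."""
    return [port for port, _, exceeds in probe_deltas(trace, max_scan_delay_ms) if exceeds]


if __name__ == "__main__":
    for port, delta, exceeds in probe_deltas(SAMPLE_TRACE, 100):
        print(f"port {port:>3}: delta = {delta:.3f}s" + ("  > max-scan-delay" if exceeds else ""))
```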