Nmap Development mailing list archives
max-retries not playing well
From: Jon Passki <jon.passki () hursk com>
Date: Fri, 30 Jun 2006 12:56:38 -0500
Hello All,

<version cruft>
nmap -V
Nmap version 4.10 ( http://www.insecure.org/nmap/ )
uname -sr
Darwin 8.6.1
</version cruft>

<command>
nmap -e en1 -iL host.list -P0 -p 3001-4500 -n --max-rtt-timeout 400 --min-parallelism 40 --min-hostgroup 20 --max-retries 3 -sS -oX host.xml

note: host.list contains over 1800 hosts and en1 is a wireless card
</command>

I calculated probes/port by some really ugly shell scripting:

tcpdump -tnr foo2.pcap '(tcp[tcpflags] & tcp-syn != 0) and src host 10.0.0.1' | awk '$2 ~ /10.0.0.1/ { print $4 }' | sort | uniq -c | awk '{ foo = foo + $1; i++ } END { print foo/i }'

I was sampling the packet transmission rates w/ tcpdumps of nmap traffic. At first, I was getting 2167 probes in 8.981 seconds across 20 hosts, which is about 12 probes/sec/host, with about 2.3 probes/port (2.3 <= --max-retries + 1). As the scan has progressed, those rates have changed, with the probes/port being unexplainable to me. At the time of the sample, 9 hosts were left in a scan group and nmap sent out 171 packets over 18.23 seconds, which is roughly 1 probe/sec/host, with an average of 6.11 probes/port (6.11 > --max-retries + 1 !).

While the 1 probe/sec/host seems off, I didn't set --max-scan-delay so that could be further tweaked. The average probes/port being greater than --max-retries + 1 is goofy, though. Of course, I could be seeing pr0n traffic in the output, but I did a manual verification of the dump and the only thing being sent out was to hosts in the host.list, to ports I usually don't care about. So, regardless of my shell scripting above, the data seems correct.

Now, what gets me is looking at the above line w/o the awk statement showed the probes/port summary.
Here's what it looked like:

  2 1.2.3.4.3072:
 11 1.2.3.4.3687:
  6 1.2.3.4.3808:
 11 2.3.4.5.3424:
  8 2.3.4.5.4172:
  2 3.4.5.6.3721:
  1 3.4.5.6.3978:
 10 3.4.5.6.4148:
  6 3.4.5.6.4392:
  4 4.5.6.7.3036:
 11 4.5.6.7.3163:
  1 4.5.6.7.3441:
  3 4.5.6.7.4067:
  1 5.6.7.8.3348:
 11 5.6.7.8.3486:
  7 5.6.7.8.4247:
  3 6.7.8.9.3498:
  5 6.7.8.9.3805:
 11 6.7.8.9.3848:
  5 7.8.9.10.3159:
 10 7.8.9.10.3849:
  3 7.8.9.10.3921:
  1 7.8.9.10.4264:
  5 8.9.10.11.3206:
  3 8.9.10.11.3478:
 11 8.9.10.11.4166:
 11 9.10.11.12.3023:
  8 9.10.11.12.3250:

So, some hosts had 5-11 probes sent to one port, which would seem to violate the --max-retries 3 setting on the command line. I'm assuming this is a bug. Is there any further reporting I can provide?

Cheers,

Jon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
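The counting the post does with tcpdump | awk | sort | uniq -c, as an added example in Python that is not part of the original message or of Nmap: it parses textual `tcpdump -tn` output (both the current `Flags [S]` style and the older `S 1:1(0)` style), counts pure SYNs sent by the scanner per (target, port), computes the same average the awk END block prints, and lists every port whose count exceeds --max-retries + 1. The scanner address 10.0.0.1 follows the post; the sample lines, the target addresses and the source ports are constructed for the example, and SYN-ACKs are excluded explicitly rather than relying on the src-host filter alone.

```python
"""Count SYN probes per target port in textual tcpdump output.

Added example (not code from the original post or from Nmap): a Python
version of the tcpdump | awk | sort | uniq -c pipeline that also flags
ports receiving more SYNs than --max-retries + 1 allows.
"""
import re
from collections import Counter

# One `tcpdump -tn` line, in either the newer "Flags [S]" notation or the
# older "S 1:1(0) win 1024" notation (the post's awk used field 4, the
# "dst.port:" token, which is the same in both).
_LINE_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags_new>[^\]]*)\]|(?P<flags_old>[SRPFWEU.]+))"
)

# Constructed sample, not a capture from the author's scan. Scanner is
# 10.0.0.1 (as in the post); targets and source ports are made up.
# Port 3687 on 1.2.3.4 receives five SYNs, the other two ports fewer.
SAMPLE_TCPDUMP = """\
IP 10.0.0.1.44001 > 1.2.3.4.3072: Flags [S], seq 10, win 1024, length 0
IP 10.0.0.1.44001 > 1.2.3.4.3072: Flags [S], seq 10, win 1024, length 0
IP 1.2.3.4.3072 > 10.0.0.1.44001: Flags [R.], seq 0, ack 11, win 0, length 0
IP 10.0.0.1.44002 > 1.2.3.4.3687: Flags [S], seq 20, win 1024, length 0
IP 10.0.0.1.44002 > 1.2.3.4.3687: Flags [S], seq 20, win 1024, length 0
IP 10.0.0.1.44002 > 1.2.3.4.3687: Flags [S], seq 20, win 1024, length 0
IP 10.0.0.1.44002 > 1.2.3.4.3687: Flags [S], seq 20, win 1024, length 0
IP 10.0.0.1.44002 > 1.2.3.4.3687: Flags [S], seq 20, win 1024, length 0
IP 10.0.0.1.44003 > 2.3.4.5.3424: S 30:30(0) win 1024
IP 2.3.4.5.3424 > 10.0.0.1.44003: S. 40:40(0) ack 31 win 5840
IP 10.0.0.1.44003 > 2.3.4.5.3424: R 31:31(0) win 0
"""


def parse_syn_probes(text, scanner):
    """Return Counter {(dst_host, dst_port): syn_count} for SYNs the scanner sent.

    Same selection as the post's filter (SYN flag set, src host == scanner),
    except that SYN-ACKs ("S.") are dropped explicitly so an answer on a
    port is never mistaken for a probe to it.
    """
    counts = Counter()
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m or m.group("src") != scanner:
            continue
        flags = m.group("flags_new")
        if flags is None:
            flags = m.group("flags_old")
        if "S" not in flags or "." in flags:
            continue
        counts[(m.group("dst"), int(m.group("dport")))] += 1
    return counts


def average_probes_per_port(counts):
    """Mean SYNs per distinct (host, port): the value the awk END block prints."""
    if not counts:
        return 0.0
    return sum(counts.values()) / len(counts)


def ports_over_limit(counts, max_retries):
    """(host, port, count) for every port with more than max_retries + 1 SYNs.

    Sorted worst first so the biggest offenders are at the top.
    """
    limit = max_retries + 1
    over = [(host, port, n) for (host, port), n in counts.items() if n > limit]
    return sorted(over, key=lambda t: (-t[2], t[0], t[1]))


def report(text, scanner, max_retries):
    """Print the uniq -c style summary plus the over-limit ports; return counts."""
    counts = parse_syn_probes(text, scanner)
    for (host, port), n in sorted(counts.items()):
        print(f"{n:4d} {host}.{port}:")
    print(f"average probes/port: {average_probes_per_port(counts):.2f}")
    for host, port, n in ports_over_limit(counts, max_retries):
        print(f"OVER LIMIT: {host}:{port} got {n} SYNs (> {max_retries + 1})")
    return counts


if __name__ == "__main__":
    # To run against a real capture: tcpdump -tnr foo2.pcap > probes.txt
    # and pass open("probes.txt").read() instead of the sample.
    report(SAMPLE_TCPDUMP, "10.0.0.1", max_retries=3)
```

On the sample the average comes out to 2.67 and only 1.2.3.4:3687 is reported over the limit; the per-port list is what to look at first when the average alone looks wrong, since a few ports with many SYNs pull it up the same way a parsing mistake would.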