Nmap Development mailing list archives

max-retries not playing well


From: Jon Passki <jon.passki () hursk com>
Date: Fri, 30 Jun 2006 12:56:38 -0500

Hello All,

<version cruft>
nmap -V

Nmap version 4.10 ( http://www.insecure.org/nmap/ )

uname -sr
Darwin 8.6.1
</version cruft>

<command>
nmap -e en1 -iL host.list -P0 -p 3001-4500 -n --max-rtt-timeout 400 --min-parallelism 40 --min-hostgroup 20 --max-retries 3 -sS -oX host.xml

note: host.list contains over 1800 hosts and en1 is a wireless card
</command>

I calculated probes/port by some really ugly shell scripting:

tcpdump -tnr foo2.pcap '(tcp[tcpflags] & tcp-syn != 0) and src host 10.0.0.1' | awk '$2 ~ /10.0.0.1/ { print $4 }' | sort | uniq -c | awk '{ foo = foo + $1; i++ } END { print foo/i }'

I was sampling the packet transmission rates w/ tcpdumps of nmap traffic. At first, I was getting 2167 probes in 8.981 seconds across 20 hosts, which is about 12 probes/sec/host, with about 2.3 probes/port (2.3 <= --max-retries + 1). As the scan has progressed, those rates have changed, with the probes/port being unexplainable to me. At the time of the sample, 9 hosts were left in a scan group and nmap sent out 171 packets over 18.23 seconds, which is roughly 1 probe/sec/host, with an average of 6.11 probes/port (6.11 > --max-retries + 1 !). While the 1 probe/sec/host seems off, I didn't set --max-scan-delay so that could be further tweaked. The average probes/port being greater than --max-retries + 1 is goofy, though.

Of course, I could be seeing pr0n traffic in the output, but I did a manual verification of the dump and the only thing being sent out were to hosts in the host.list, to ports I usually don't care about. So, regardless of my shell scripting above, the data seems correct. Now, what gets me is looking at the above line w/o the awk statement showed the probes/port summary. Here's what it looked like:

    2 1.2.3.4.3072:
   11 1.2.3.4.3687:
    6 1.2.3.4.3808:
   11 2.3.4.5.3424:
    8 2.3.4.5.4172:
    2 3.4.5.6.3721:
    1 3.4.5.6.3978:
   10 3.4.5.6.4148:
    6 3.4.5.6.4392:
    4 4.5.6.7.3036:
   11 4.5.6.7.3163:
    1 4.5.6.7.3441:
    3 4.5.6.7.4067:
    1 5.6.7.8.3348:
   11 5.6.7.8.3486:
    7 5.6.7.8.4247:
    3 6.7.8.9.3498:
    5 6.7.8.9.3805:
   11 6.7.8.9.3848:
    5 7.8.9.10.3159:
   10 7.8.9.10.3849:
    3 7.8.9.10.3921:
    1 7.8.9.10.4264:
    5 8.9.10.11.3206:
    3 8.9.10.11.3478:
   11 8.9.10.11.4166:
   11 9.10.11.12.3023:
    8 9.10.11.12.3250:

So, some hosts had 5-11 probes sent to one port, which would seem to violate the --max-retries 3 setting on the command line. I'm assuming this is a bug. Is there any further reporting I can provide?

Cheers,

Jon
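The per-port probe count that the shell pipeline above computes can be reproduced, and the "more probes than --max-retries + 1" check made explicit, with a small parser over tcpdump -tn output. The following is an added example, not code from the original post or from the Nmap project; the capture lines, the scanner address 10.0.0.1 and the target addresses are constructed for illustration, and the function names (parse_probes, average_probes_per_port, ports_exceeding) are this example's own.

```python
import re
from collections import Counter

# One line of "tcpdump -tn" output (no timestamp, no name resolution), e.g.
#   IP 10.0.0.1.40000 > 1.2.3.4.3072: S 1:1(0) win 1024          (older tcpdump)
#   IP 10.0.0.1.40000 > 1.2.3.4.3072: Flags [S], seq 1, win 1024 (newer tcpdump)
# Captures source and destination address/port and the TCP flag token.
TCPDUMP_LINE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:Flags \[)?(?P<flags>[A-Za-z.]+)"
)


def _syn_lines(dst, dport, n):
    """Build n constructed bare-SYN lines from the scanner to dst:dport."""
    return [
        f"IP 10.0.0.1.{40000 + i} > {dst}.{dport}: S {i}:{i}(0) win 1024"
        for i in range(n)
    ]


# Constructed sample capture (not real traffic): 10.0.0.1 plays the scanner.
SAMPLE_CAPTURE = "\n".join(
    _syn_lines("1.2.3.4", 3072, 2)
    + _syn_lines("1.2.3.4", 3687, 11)
    + _syn_lines("3.4.5.6", 3978, 1)
    + [
        # RST reply from a target: not a probe, must be ignored
        "IP 1.2.3.4.3072 > 10.0.0.1.40000: R 0:0(0) ack 1 win 0",
        # SYN from an unrelated host: wrong source, must be ignored
        "IP 192.168.1.5.5555 > 1.2.3.4.80: S 9:9(0) win 1024",
        # Newer tcpdump flag syntax, same bare SYN from the scanner: counted
        "IP 10.0.0.1.40000 > 3.4.5.6.3978: Flags [S], seq 1, win 1024, length 0",
    ]
)


def parse_probes(capture_text, scanner_ip):
    """Count bare SYN probes from scanner_ip per (target address, port).

    Mirrors the tcpdump filter "tcp-syn and src host X" plus "uniq -c",
    but only counts pure SYNs ("S"), so SYN/ACKs ("S.") are excluded.
    """
    counts = Counter()
    for line in capture_text.splitlines():
        m = TCPDUMP_LINE.match(line)
        if not m or m.group("src") != scanner_ip or m.group("flags") != "S":
            continue
        counts[(m.group("dst"), int(m.group("dport")))] += 1
    return counts


def average_probes_per_port(counts):
    """The final awk stage: total probes divided by number of distinct ports."""
    if not counts:
        return 0.0
    return sum(counts.values()) / len(counts)


def ports_exceeding(counts, max_retries):
    """Targets that received more than --max-retries + 1 probes, sorted.

    One initial probe plus max_retries retransmissions is the most a port
    should ever see, so anything above that is worth a closer look.
    """
    limit = max_retries + 1
    return sorted((target, n) for target, n in counts.items() if n > limit)


if __name__ == "__main__":
    probes = parse_probes(SAMPLE_CAPTURE, "10.0.0.1")
    print(f"average probes/port: {average_probes_per_port(probes):.2f}")
    for (dst, dport), n in ports_exceeding(probes, max_retries=3):
        print(f"{dst}:{dport} got {n} probes (limit 4)")
```

Running it against a real capture means replacing SAMPLE_CAPTURE with the text of `tcpdump -tnr foo.pcap`; note that the flag-column check is what the original pipeline's `tcp[tcpflags] & tcp-syn != 0` filter does loosely, since that BPF expression also matches SYN/ACKs if the source host filter is ever relaxed.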






_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
