Nmap Development mailing list archives

Re: massping migration and you

From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 31 Aug 2007 22:31:45 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Okay, a correction, comments, and test results below.  This should be a lot
more to your liking.


On Thu, 30 Aug 2007 23:34:45 -0600
David Fifield <david () bamsoftware com> wrote:

On Fri, Aug 31, 2007 at 04:57:16AM +0000, Brandon Enright wrote:

On Thu, 30 Aug 2007 21:08:36 -0600 plus or minus some time David Fifield
<david () bamsoftware com> wrote:


Which is all the more puzzling because I thought your --min-hostgroup
option might be the source of the speed discrepancy. Just for the heck
of it, can you try a scan using --min-parallelism 2048 instead?


This made an impressive difference:

Nmap finished: 186368 IP addresses (13174 hosts up) scanned in 1901.990
seconds Raw packets sent: 1630152 (65.206MB) | Rcvd: 41809 (2.022MB)

real    31m42.005s
user    0m6.297s
sys     0m25.964s


Well, that's good, as long as hosts weren't missed. A parallelism of
2048 is awfully high, though. Does anyone else have ideas why the speeds
aren't matching up? Is anyone experiencing the same thing?


Okay well it turns out I screwed up the test above.  Instead of doing
'./nmap' I just did 'nmap' which means it was a test of the old massping()
code.  Good news though, I've repeated the test with a bunch of different
values for --min-parallelism with *excellent* results.

I will include more comprehensive results below.  For the test above with
- --min-parallelism using 2048, this was the result:

Nmap done: 186368 IP addresses (15804 hosts up) scanned in 258.023 seconds
               Raw packets sent: 1398404 (55.937MB) | Rcvd: 51659 (2.426MB)

real    4m18.043s
user    1m45.858s
sys     0m35.164s


With the default parallelism used with -T5 the new ultrascan() code is much
slower and more conservative that the massping() code was.  It can be made
to be MUCH faster though (see above!).  I wasn't able to make massping() go
any faster so ultrascan() really seems to be showing it's power and
flexibility.

I've always been under the impression that --min-parallelism was only
used on a per-host basis so I thought setting it to anything above the
number of ports being probed per host was useless.  Clearly that isn't
the case.


With ultra_scan, parallelism is the size of the congestion window, which
is the total number of active probes allowed for the current host group.
If one host has sent all its probes, probes from other hosts will be
sent until the congestion window is filled.


Makes sense.  Thanks for clarifying.

Say I normally scan a single host with --min-parallelism 128.  If I scan
two hosts at once can I safely set it to 256?  How fairly balanced
between hosts is this value?  If I'm scanning a /24 I may want this to
scale into the thousands.  At what point is Nmap/ultrascan() going to
thrash?  Is there a reasonable point of diminishing return?


Parallelism shouldn't depend on the number of hosts. If you say
--min-parallelism 128, then the congestion window will not drop lower
than 128. Those 128 (or more) probes can be directed at one host or a
thousand, it doesn't matter. I don't think you'll gain from increasing
the parallelism with the number of hosts. The only thing to watch out
for is not to make it too high with too few targets, because then each
target will be fielding a lot of probes at once.


Which is why I've always kept it to 128.  Single host scan test scans I've
done suggest that most machines can't handle much more than 128 and that
increasing it further hurts results without speeding up the scan much.

Thanks for your help.  Let me know if there is anything else you'd like
me to try.


Can you do one of your scans like

      nmap -n -d2 --packet-trace | grep -B 3 DROPPED

I want to know what the nature of the drops is. There are conditions
under which a good response can be counted as a drop. We're looking for
output like

      RCVD (4.2070s) TCP xxx.xxx.xxx.xxx:80 > yyy.yyy.yyy.yyy:38710 SA
ttl=119 id=10597 iplen=44  seq=3589141442 win=65535 ack=75965513 <mss
1460> We got a TCP ping packet back from xxx.xxx.xxx.xxx port 80 (trynum
1460> = 1) ultrascan_host_probe_update called for machine xxx.xxx.xxx.xxx
1460> state HOST_UP -> HOST_UP (trynum 1 time: 462422)
      Ultrascan DROPPED probe packet to xxx.xxx.xxx.xxx detected

Where the important part is the HOST_UP -> HOST_UP (as opposed to
UNKNOWN -> HOST_UP). Those should probably not be counted as drops, and
if they are, we need to fix the code.

David Fifield


Okay.  For all the following scans, I used -n -d2 --packet-trace (and other
options).  I did get some DROPPED where HOST_UP -> HOST_UP, and
interestingly, the only the medium parallelism scans produced a few.

Here is the template for the scans I ran:

$ time sudo ./nmap -sP -P A135,139,445,3389 -n -vv -d2 -T5 --packet-trace
- --min-parallelism X --max-parallelism Y --excludefile <a file> a.b.0.0/16
c.d.0.0/16 e.f.0.0/16


First the DROPPED HOST_UP -> HOST_UP results:

minX: 64, maxY: 64
2

minX: 128, maxY: 128
6

minX: 256, maxY: 256
8

minX: 512, maxY: 512
6

minX: 768, maxY: 768
1

No other scan produced any HOST_UP -> HOST_UP drops


Now onto the time per scan and host up results.  Don't read too much into
the number of hosts detected as up for each scan.  Not all of these scans
were done in the order presented here.

minX: 64, maxY: 64
Nmap done: 186368 IP addresses (16341 hosts up) scanned in 1946.401 seconds
            Raw packets sent: 1387364 (55.495MB) | Rcvd: 307916 (14.778MB)

minX: 96, maxY: 96
Nmap done: 186368 IP addresses (16193 hosts up) scanned in 1189.917 seconds
            Raw packets sent: 1388503 (55.541MB) | Rcvd: 157883 (7.388MB)

minX: 128, maxY: 128
Nmap done: 186368 IP addresses (16374 hosts up) scanned in 904.527 seconds
            Raw packets sent: 1388383 (55.536MB) | Rcvd: 182033 (8.432MB)

minX: 256, maxY: 256
Nmap done: 186368 IP addresses (16203 hosts up) scanned in 562.084 seconds
            Raw packets sent: 1391273 (55.651MB) | Rcvd: 99340 (4.618MB)

minX: 512, maxY: 512
Nmap done: 186368 IP addresses (15995 hosts up) scanned in 325.174 seconds
            Raw packets sent: 1397238 (55.890MB) | Rcvd: 49749 (2.340MB)

minX: 768, maxY: 768 (first scan)
Nmap done: 186368 IP addresses (15896 hosts up) scanned in 291.363 seconds
            Raw packets sent: 1398309 (55.933MB) | Rcvd: 28323 (1.391MB)

minX: 768, maxY: 768 (second scan)
Nmap done: 186368 IP addresses (15818 hosts up) scanned in 306.481 seconds
            Raw packets sent: 1397579 (55.904MB) | Rcvd: 22422 (1.081MB)

minX: 1024, maxY: 1024
Nmap done: 186368 IP addresses (15836 hosts up) scanned in 280.396 seconds
            Raw packets sent: 1399156 (55.967MB) | Rcvd: 44582 (2.103MB)

minX: 1536, maxY: 1536
Nmap done: 186368 IP addresses (15792 hosts up) scanned in 268.300 seconds
            Raw packets sent: 1397614 (55.905MB) | Rcvd: 39950 (1.891MB)

minX: 2048, maxY: 2048
Nmap done: 186368 IP addresses (15804 hosts up) scanned in 258.023 seconds
            Raw packets sent: 1398404 (55.937MB) | Rcvd: 51659 (2.426MB)

minX: 3072, maxY: 3072
Nmap done: 186368 IP addresses (15739 hosts up) scanned in 253.534 seconds
            Raw packets sent: 1398951 (55.958MB) | Rcvd: 49609 (2.390MB)


To get and idea of the trade-off between speed and accuracy, I started two
additional scans at the same time.  One with a parallelism of 256 and the
other with 2048.  Here are those results:

256:
Nmap done: 186368 IP addresses (15505 hosts up) scanned in 653.847 seconds
            Raw packets sent: 1395793 (55.832MB) | Rcvd: 245905 (11.801MB)

2048:
Nmap done: 186368 IP addresses (15279 hosts up) scanned in 311.655 seconds
            Raw packets sent: 1402726 (56.109MB) | Rcvd: 154293 (7.459MB)



I think the moral of the story is that if you want to reach (or far
surpass) the speed of the old massping() code, --min-parallelism is your
friend.  Of course this comes at an accuracy trade-off.  Also, even with
- -T5, the new ultrascan() code is dismally slow at host-discovery without a
- --min-parallelism of at least 32-64.


Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG2JbRqaGPzAsl94IRAjt/AKCQZ30P9mA1UTKf+Nk8UiuqKp/5PQCbBek+
ax6Uhdcgg76edg2NYaFJEmw=
=7Hth
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

Re: massping migration and you, (continued)
- - Re: massping migration and you David Fifield (Aug 29)
    - Re: massping migration and you Kris Katterjohn (Aug 29)
    - Re: massping migration and you Brandon Enright (Aug 29)
    - Re: massping migration and you Brandon Enright (Aug 29)
    - Re: massping migration and you David Fifield (Aug 30)
    - Re: massping migration and you Brandon Enright (Aug 30)
    - Re: massping migration and you Brandon Enright (Aug 30)
    - Re: massping migration and you David Fifield (Aug 30)
    - Re: massping migration and you Brandon Enright (Aug 30)
    - Re: massping migration and you David Fifield (Aug 30)
    - Re: massping migration and you Brandon Enright (Aug 31)
    - Re: massping migration and you David Fifield (Sep 02)