Nmap Development mailing list archives

Re: Nmap host timeout inquiry


From: "ithilgore.ryu.L () gmail com" <ithilgore.ryu.l () gmail com>
Date: Thu, 24 Jan 2008 14:23:17 -0800

Tommy May wrote:
Hello Nmap Folk:

I am not an experienced developer, so please excuse my lack of knowledge on the inner 
mechanics.

I have been trying to optimize nmap scans for host discovery and find that the 
built in T4 option works awesome (after having played with all of the 
customizable "rtt" options)... but I also would like to add the --host-timeout 
parameter to speed up scans a little.

details:

I am using an input file (-iL) with entire /24 networks 

 - default "nmap -sTU -T4 -P0" on a reasonably fast /24 netblock with stateful 
firewall ruleset takes roughly 15 hours to complete, but it's the most accurate 
results I have been able to produce (measure - all hosts that are truly up, 
result in the output file).

- I have been able to complete a scan on the same network with "nmap -sTU -T4 
-P0 --host-timeout 120m" in roughly 6 hours... but I notice that the second half 
of the netblock all times out... 

This leads me to suspect that the "--host-timeout" parameter may apply to all of the targets that you specify in the 
input list, rather than just IP by IP?  This could explain why half of the IPs 
in the netblock timed out, when no timeout parameter catches all of the IP 
addresses in the netblock.

Are my suspicions correct or am I just shooting in the dark?  I would suppose 
that I would have to do a separate IP by IP scan to allow the --host-timeout 
parameter to work per IP?

Any insight you may have as to how this parameter works in this way would be 
greatly appreciated, and will better help me to discover the optimal settings.

Sincerely,
Tommy May

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

I actually noticed the behaviour you described, too.
Though I think the original intent was to have a host-timeout by each IP,
as I figured out from the code:

/* Start the timeout clocks of any targets that aren't already timedout */
static void startTimeOutClocks(vector<Target *> &Targets) {
  struct timeval tv;
  vector<Target *>::iterator hostI;

  gettimeofday(&tv, NULL);
  /* every target in the group gets its clock started from the same tv */
  for (hostI = Targets.begin(); hostI != Targets.end(); hostI++) {
    if (!(*hostI)->timedOut(NULL))
      (*hostI)->startTimeOutClock(&tv);
  }
}

since it uses a vector and each target has its own timeout.

But what actually happens is what you described.
I reproduced it just now.
After specifying a host-timeout and scanning more than 1 host,
if the 1st host times out, all of the rest time out instantly.

$nmap --host-timeout 15000 host1.com host2.com -P0
....
....
Connect Scan Timing: About 15.20% done; ETC: 14:19 (0:01:13 remaining)
xxx.xxx.xxx.xx1 timed out during Connect Scan (1 host left)
xxx.xxx.xxx.xx2 timed out during Connect Scan (0 hosts left)
Completed Connect Scan at 14:18, 15.11s elapsed (2 hosts timed out)
Host host1.com (xxx.xxx.xxx.xx1) appears to be up ... good.
Skipping host host1.com (xxx.xxx.xxx.xx1) due to host timeout

Host host2.com (xxx.xxx.xxx.xx2) appears to be up ... good.
Skipping host host2.com (xxx.xxx.xxx.xx2) due to host timeout


I think Fyodor will know better as to what exactly happens or if this is 
actually a bug.

ithilgore
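The behaviour ithilgore reproduced, modelled in Python as an added example (not nmap's code): a cut-down Target with one timeout clock per host, a start_timeout_clocks() loop with the same shape as the startTimeOutClocks() excerpt above, and a scan loop that starts every clock in a host group at the same instant. The shared probe budget (`rate`), the "probe-unit" work figures and the host names are constructed assumptions for the illustration, not measurements of nmap.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Target:
    """One scan target with its own timeout clock (cut-down model of nmap's Target)."""
    name: str
    work: float                       # constructed: probe-units this host needs to finish
    done_work: float = 0.0
    clock_start: Optional[float] = None
    state: str = "scanning"           # "scanning" | "done" | "timed out"

    def start_timeout_clock(self, now: float) -> None:
        if self.clock_start is None:
            self.clock_start = now

    def timed_out(self, now: float, host_timeout: float) -> bool:
        return self.clock_start is not None and now - self.clock_start >= host_timeout

def start_timeout_clocks(targets, now, host_timeout):
    """Same shape as startTimeOutClocks(): every host in the group gets its clock started now."""
    for t in targets:
        if not t.timed_out(now, host_timeout):
            t.start_timeout_clock(now)

def scan_group(targets, host_timeout, rate=1.0):
    """Parallel group scan. Assumption: the probe budget `rate` is split equally among active hosts."""
    now = 0.0
    start_timeout_clocks(targets, now, host_timeout)
    results = {}
    while len(results) < len(targets):
        active = [t for t in targets if t.state == "scanning"]
        now += 1.0
        for t in active:
            t.done_work += rate / len(active)
            if t.done_work >= t.work - 1e-9:
                t.state = "done"
            elif t.timed_out(now, host_timeout):   # every clock in the group started together
                t.state = "timed out"
            if t.state != "scanning":
                results[t.name] = f"{t.state} at {now:g}s"
    return results

def scan_one_by_one(targets, host_timeout, rate=1.0):
    """What the poster expected: each host scanned alone, with its own clock and the full budget."""
    results = {}
    for t in targets:
        results.update(scan_group([t], host_timeout, rate))
    return results
```

With two hosts that each need 10 units and a 15-second host timeout, scan_group() reports both as timed out at 15s (each only got half the budget and the clocks expire together), while scan_one_by_one() finishes both at 10s.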