Nmap Development mailing list archives

New default ping probes: -PE -PS443 -PA80 -PP


From: David Fifield <david () bamsoftware com>
Date: Wed, 27 May 2009 16:23:37 -0600

Hi all,

Fyodor and I have been running a lot of scans to find out what are the
most effective ping probes. We scanned over 6,000 selected addresses 90
times, each time with a different ping probe. I wrote an analysis
program that exhaustively tries every probe combination for small
numbers of probes and finds the best combinations. Here they are.
Percentages in this table are out of the number of hosts that responded
to *any* of the 90 probes.

1 probe   62.22%  -PE
2 probes  77.61%  -PE -PA80
3 probes  83.83%  -PE -PS443 -PA80
4 probes  88.64%  -PE -PS443 -PA80 -PP
5 probes  91.15%  -PE -PS443 -PA80 -PP -PU161*
6 probes  92.70%  -PE -PS443 -PA80 -PP -PU161* -PU40125**
          ...
90 probes 100.00%

* Sent with source port of 53 and SNMP payload.
** Sent with source port of 53 and payload of 24 bytes.

From this list we decided to change the default host discovery probes to
the four-probe combination. Because the previous default was -PE -PA80,
this simply adds -PS443 and -PP.

Results and methodology are at
http://www.bamsoftware.com/wiki/Nmap/EffectivenessOfPingProbes. The
final results from which the above table comes are
http://www.bamsoftware.com/wiki/Nmap/EffectivenessOfPingProbes#a-20090525-ack-sctp.

Combined with this change is a performance enhancement. Probes are sent
in order of effectiveness (-PE first), so less likely probes may not
have to be sent at all.

Here are some sample results. The two-probe ping comes first, followed
by the four-probe ping. You can expect scans to be slower but more
accurate in most cases. In some cases they may be faster because of
the above-mentioned performance enhancement and
because there may be marginally more information available from the
network.

nmap -n -sL -iR 1000 | awk '/^Host/ {print $2}' > list.txt
nmap -v -n -sP -iL list.txt
Nmap done: 1000 IP addresses (61 hosts up) scanned in 28.78 seconds
           Raw packets sent: 3813 (130.236KB) | Rcvd: 165 (8861B)
Nmap done: 1000 IP addresses (70 hosts up) scanned in 89.89 seconds
           Raw packets sent: 7465 (282.600KB) | Rcvd: 507 (32.965KB)

nmap -v -n -sP scanme.nmap.org/24
Nmap done: 256 IP addresses (112 hosts up) scanned in 3.07 seconds
           Raw packets sent: 718 (24.976KB) | Rcvd: 215 (7539B)
Nmap done: 256 IP addresses (113 hosts up) scanned in 9.06 seconds
           Raw packets sent: 1288 (47.908KB) | Rcvd: 231 (7264B)

nmap -v -n -sP www.microsoft.com
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
           Raw packets sent: 4 (136B) | Rcvd: 0 (0B)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
           Raw packets sent: 4 (152B) | Rcvd: 1 (44B)

Please report any weird anomalies.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
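The exhaustive probe-combination search and the effectiveness-ordered send strategy described in the message above, as an added example that is neither David Fifield's analysis program nor Nmap code. The response matrix is constructed for illustration (the real 6,000-host data is on the bamsoftware.com wiki pages linked in the message); the probe names come from the message, and the function names are this example's own. The search evaluates every k-subset of probes, reports coverage out of the hosts that answered any probe, and then shows how many packets an effectiveness-ordered send needs when later probes are skipped once a host has answered.

```python
"""Exhaustive search for the most effective ping-probe combination.

Added example, not the analysis program from the nmap-dev message.
The response data below is constructed; hosts and answers are invented.
"""
from itertools import combinations

# Probe types under consideration, using the option names from the message.
PROBES = ["-PE", "-PS443", "-PA80", "-PP", "-PU161"]

# Constructed data: host -> set of probes that drew a response.
RESPONSES = {
    "h01": {"-PE", "-PA80", "-PP"},
    "h02": {"-PE"},
    "h03": {"-PE", "-PS443"},
    "h04": {"-PA80"},
    "h05": {"-PA80", "-PS443"},
    "h06": set(),            # answered nothing: excluded from the denominator
    "h07": {"-PP"},
    "h08": {"-PE", "-PP", "-PU161"},
    "h09": {"-PU161"},
    "h10": {"-PE", "-PS443", "-PA80", "-PP"},
    "h11": {"-PS443"},
    "h12": {"-PA80"},
}


def responsive_hosts(responses):
    """Hosts that answered at least one probe: the table's denominator."""
    return {host for host, answered in responses.items() if answered}


def coverage(responses, combo):
    """Fraction of responsive hosts reached by at least one probe in combo."""
    base = responsive_hosts(responses)
    hit = {host for host in base if responses[host] & set(combo)}
    return len(hit) / len(base)


def best_combination(responses, probes, k):
    """Evaluate every k-subset of probes and return (coverage, combo).

    Ties keep the first subset found, so the result is deterministic
    given the order of `probes`.
    """
    best = None
    for combo in combinations(probes, k):
        cov = coverage(responses, combo)
        if best is None or cov > best[0]:
            best = (cov, combo)
    return best


def coverage_table(responses, probes, max_k):
    """Rows of (k, percent, combo) like the table in the message."""
    rows = []
    for k in range(1, max_k + 1):
        cov, combo = best_combination(responses, probes, k)
        rows.append((k, round(100 * cov, 2), combo))
    return rows


def effectiveness_order(responses, combo):
    """Order probes by how many hosts each reaches alone, best first.

    This is the send order that lets less likely probes be skipped once
    a host has already answered an earlier one.
    """
    hits = {p: sum(p in answered for answered in responses.values()) for p in combo}
    return tuple(sorted(combo, key=lambda p: -hits[p]))


def probes_sent(responses, ordered_combo):
    """Total probes sent when each host stops at its first response.

    Hosts that never answer receive every probe in the list.
    """
    total = 0
    for answered in responses.values():
        for probe in ordered_combo:
            total += 1
            if probe in answered:
                break
    return total


if __name__ == "__main__":
    for k, pct, combo in coverage_table(RESPONSES, PROBES, 5):
        print(f"{k} probes {pct:6.2f}%  {' '.join(combo)}")
    four = best_combination(RESPONSES, PROBES, 4)[1]
    order = effectiveness_order(RESPONSES, four)
    print("send order:", " ".join(order))
    print("packets with early stop:", probes_sent(RESPONSES, order),
          "vs. all probes to all hosts:", len(four) * len(RESPONSES))
```

On the constructed data the four-probe winner is -PE -PS443 -PA80 -PP, and sending those in effectiveness order with early stop costs 26 packets instead of 48; the percentages are of course those of the invented matrix, not of the study in the message.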
