Nmap Development mailing list archives

Re: Nmap SoC Ideas?


From: Fyodor <fyodor () insecure org>
Date: Sun, 21 Mar 2010 18:21:32 -0700

On Sun, Mar 14, 2010 at 11:15:03PM +1100, Chip Panarchy wrote:
> Progress status bar &/or estimated time of scan completion

I think this is an excellent idea.  Nmap used to give basically no
feedback during a scan.  Eventually we added occasional status
messages and later still we added the runtime interaction feature where you
can request a status by pressing enter at any time.  Users really
loved this ability (especially when it was on demand) to get a better
idea of what Nmap was doing and when it would be done.  But the status
messages are far from perfect.  For example, I just ran this scan:

# nmap -v -T4 -A -iR 5000

When I press <enter>, I get a message like this:

Stats: 0:04:46 elapsed; 879 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.74% done; ETC: 18:20 (0:24:29 remaining)

That explains a bit about what Nmap is doing now and when it will
complete the CURRENT TASK (SYN scan against a group of 64 hosts), but
it isn't very helpful for figuring out when the whole scan will
complete.  It says "879 hosts completed" (even though we're only four
minutes in) because it was able to exclude those during the ping scan
phase.  So assuming the rate of 3 host completions per second would be
a big mistake.  But even if you assumed that, you don't know from the
status message how many hosts will be scanned (admittedly this
information can be a pain for Nmap to calculate in some cases).  You
know when the SYN scan is estimated to complete against those 64
hosts, but you don't know from the status that version detection, OS
detection, and NSE will come next, or how long those will take.

I think a key value people would like to see is "when will Nmap
completely finish the whole scan I asked for" rather than just "when
will the current scan phase end for the current subset of scan
targets".  Admittedly the "whole scan time estimate" is a harder
problem for numerous reasons, but we should at least look at what we
can do to approximate that.

After better stats are incorporated into Nmap, we could look at
exposing them with Zenmap (beyond just in the scan output window).
Right now Zenmap just has a throbber which tells you that the scan is
going (and the UI is not frozen).  Nessus used to have a fake progress
bar which always went at the same speed (slowing down continually to
ensure it never actually reached the end until the task was done and
it would jump right to the end).  But we could potentially have a real
status notification explaining what Nmap is doing, when it will be
done with the whole scan, etc.

Of course providing these stats isn't enough--they have to be
accurate.  I actually think Nmap currently does pretty well (much
better than it used to) in that regard.  I believe that is due to
David's handiwork.  For example, 16 minutes after the status message
above I get:

Stats: 0:20:46 elapsed; 879 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 69.02% done; ETC: 18:19 (0:07:23 remaining)

As you can see, the estimated time of completion (ETC) has only
changed from 18:20 to 18:19 in those 16 minutes of scanning.

I'm adding a TODO list item to think more about how Nmap status messages
can be improved.  If anyone else has ideas, send 'em in!

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/