Nmap Development mailing list archives

a few usability problems and how to scan a large network very fast


From: Farkas Levente <lfarkas () lfarkas org>
Date: Tue, 09 Mar 2010 22:17:23 +0100

hi,
I've got a few questions.
In short:
1. What's the fastest way to discover all available IP addresses in a large network (e.g. a class B network) if we're on a fast (at least 100Mb) LAN?
2. Is there any way to filter the output based on the scan specification?
3. Is there any usable output format?

In a longer version (starting from the end):
3. The current formats are not really useful for automatic processing, since:
- normal output is not very easy to parse.
- grepable output has less info than XML and even less than normal output, so in most cases it's not enough.
- XML output contains a lot of good-for-nothing tags. E.g. if I scan a B subnet then the resulting XML contains ALL host tags, i.e. 65536 tags. Why? Even if we have a few dozen used IP addresses we have to load and parse a rather large tree, which is a time- and memory-consuming process and totally redundant. This file is about 7MB !!! while reading it, while processing it, and why use memory for this?

2. To continue 3.: suppose I'd like to see only those hosts which have an open http port. If I add -pT:80 then I will get the answer (open or closed), but I probably don't really want to know about those hosts which have a closed http port. So suppose I only want to get XML output for hosts which have an open http port; I'd like to get a very short XML file and not a 7MB file.

1. I need to discover all IP cameras in a large network (B class or larger) and find their type. Suppose I have all IP addresses which have an open http port (all IP cameras have an open http port); then I can find their type. So I 'only need' to find all IP addresses with an open http port. How can I do that in the fastest way? Currently I find/use:
----------------------------------
nmap -n -PR -T5 -pT:80 --min-parallelism 1024 --max-parallelism 4096 192.168.0.0/16
----------------------------------
which requires raising ulimit -n, and the running time is 14 seconds.
----------------------------------
nmap -n -PR -T5 -pT:80 --min-parallelism 512 --max-parallelism 1024 192.168.0.0/16
----------------------------------
23 seconds, and without parallelism parameters:
----------------------------------
nmap -n -PR -T5 -pT:80 192.168.0.0/16
----------------------------------
969 seconds (!). From nmap's manual:
"By default, Nmap calculates an ever-changing ideal parallelism based on network performance."
but the last example shows that it's not working very well.
And I still haven't run my IP camera type recognition routine :-(

Now the problem is that exacqVision's IP server can scan the same (B class) network in about 7 seconds and always finds all IP cameras (both the Windows and Linux version of the server) with the correct camera type. So it seems they know something much better than nmap :-( Or is there any (command line) way which I should use? So - what's the fastest way to discover all available IP addresses in a large LAN?
Or even better:
- What's the fastest way to discover all available IP addresses which have an open http port in a large LAN?
Thanks in advance.
Regards.

--
  Levente                               "Si vis pacem para bellum!"
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
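One way to address point 3 above without waiting for a new Nmap output format: stream the XML report with a SAX-style parser and keep only hosts whose TCP port 80 is open, so the 65536 `<host>` elements of a /16 scan are never held in memory at once. This is an added example, not code from the original post or from Nmap; the sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed sample in the shape of an Nmap XML report (not real scanner output).
SAMPLE_NMAP_XML = b"""<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -PR -pT:80 192.168.0.0/16">
<host><status state="up"/><address addr="192.168.0.10" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports></host>
<host><status state="up"/><address addr="192.168.0.11" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="80"><state state="closed"/></port></ports></host>
<host><status state="down"/><address addr="192.168.0.12" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="192.168.1.5" addrtype="ipv4"/>
 <address addr="00:11:22:33:44:55" addrtype="mac"/>
 <ports><port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
</nmaprun>
"""

def hosts_with_open_port(source, port=80, proto="tcp"):
    """Yield IPv4 addresses of hosts whose given port is reported open.

    `source` is a path or file-like object. Each <host> is inspected on its
    'end' event and then cleared, so memory stays flat however many
    address-only (down / closed) hosts the report contains.
    """
    for _event, elem in ET.iterparse(source, events=("end",)):
        if elem.tag != "host":
            continue
        addr = None
        for a in elem.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
        for p in elem.findall("ports/port"):
            state = p.find("state")
            if (p.get("protocol") == proto and p.get("portid") == str(port)
                    and state is not None and state.get("state") == "open"):
                if addr:
                    yield addr
                break
        elem.clear()  # drop the subtree; only the address string is kept

def open_http_hosts(source=None, port=80):
    """Return the list of hosts with the port open (default: the sample report)."""
    if source is None:
        source = BytesIO(SAMPLE_NMAP_XML)
    return list(hosts_with_open_port(source, port=port))

if __name__ == "__main__":
    for ip in open_http_hosts():
        print(ip)
```

Pass the path of a real `-oX` report to `open_http_hosts()` to get just the hosts worth running the camera-type check against.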
