Nmap Development mailing list archives

nmap scanning techniques and execution privileges


From: Guillaume Rousse <guillomovitch () gmail com>
Date: Wed, 14 Dec 2011 14:19:37 +0100

Hello list.

I'm using nmap to scan large IP ranges (B classes) this way:
nmap -sV -T5 -F -oX -

When advised that some of the servers were missing in the report, I read the manual, and found that the default scanning technique when run without raw socket privileges was to use TCP connect scan, instead of TCP SYN scan, which is considered a better option. So I switched to root privileges instead:
sudo nmap -sV -T5 -F -oX -

But now I discovered that some other servers were missing in the new report. After investigating the issue, I found that raw socket privileges allow using ICMP to speed up the scan by skipping non-responding hosts, and the missing hosts were those not responding to ICMP echo probes. So I attempted to disable this optimisation:
sudo nmap -sV -Pn -T5 -F -oX -

But now scanning a class B range needs more than 12 hours to complete :(

So, how does the first nmap command, run as a standard user without ICMP optimisation, complete in just one hour, while the same command run as root is more than 10 times slower?

Also, if I can't have a magic set of options to discover all the running servers in a single run, is there any way to merge results from two different scans?

--
BOFH excuse #353:

Second-system effect.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
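The merge the post asks about, as an added example that is not part of the original message or of nmap itself: a Python script that parses the `-oX -` output of two runs with the standard library and takes the union of hosts reported up and their open ports, so a host missed by the root ping sweep but seen by the unprivileged run still appears once. The two XML documents are constructed stand-ins for the two commands in the post, not real scan output, and the addresses are hypothetical.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

# Constructed, minimal nmap -oX output standing in for the two runs in the post
# (not real scan data): SCAN_A (unprivileged) sees .20, SCAN_B (root) does not
# but finds an extra open port on .10.
SCAN_A = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -T5 -F -oX -">
<host><status state="up" reason="conn-refused"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports></host>
<host><status state="up" reason="syn-ack"/><address addr="192.0.2.20" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports></host>
</nmaprun>"""
SCAN_B = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="sudo nmap -sV -T5 -F -oX -">
<host><status state="up" reason="echo-reply"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="25"><state state="closed" reason="reset"/></port></ports></host>
<host><status state="down" reason="no-response"/><address addr="192.0.2.20" addrtype="ipv4"/></host>
</nmaprun>"""

PortSet = Set[Tuple[str, int, str]]  # (protocol, port number, service name)

def open_ports(xml_text: str) -> Dict[str, PortSet]:
    """Map each host reported 'up' to the open (proto, port, service) tuples it exposes."""
    result: Dict[str, PortSet] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # hosts the ping sweep marked down contribute nothing
        ports = result.setdefault(addr.get("addr"), set())
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service to merge
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            ports.add((port.get("protocol"), int(port.get("portid")), name))
    return result

def merge_scans(*xml_docs: str) -> Dict[str, PortSet]:
    """Union of up hosts and their open ports across several -oX documents."""
    merged: Dict[str, PortSet] = {}
    for doc in xml_docs:
        for addr, ports in open_ports(doc).items():
            merged.setdefault(addr, set()).update(ports)
    return merged
```

`merge_scans(SCAN_A, SCAN_B)` yields both hosts, with .10 carrying the union of ports 22 and 80; for real files, read each `-oX` output into a string and pass them in the same way.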
