Re: nmap udp scan time

[Fyodor <fyodor () insecure org>]

On Fri, Oct 26, 2007 at 09:53:36AM +0200, Kevin Mc Grath wrote:
> Hi all,
>
> I have completed a udp scan on an embedded device in the lab and the
> scan duration was 18.22 hours.
>
> The scan syntax used is as follows:
>
> nmap -sU -p0-65535 <ip_addr>

H Kevin.  Many devices and operating systems limit ICMP port
unreachable messages (the closed port response to UDP probes) to 1 per
second.  Divide 65536 scanned ports by 3600 seconds in an hour, and
the fastest scan possible is 18.204 hours.  This is why your scan took
18.22 hours.  The good news is that Nmap can scan many of these hosts
in parallel, so you could scan numerous targets in the same 18.22
hours.

If you must complete your scan faster, you can try scanning from
multiple systems (or just IP aliases on the same system).  Usually the
target devices allow 1 port unreachable response per destination IP
per second.  So if your Linux box has 5 IPs (even some home DSL
accounts give you this many), you can do:

nmap -S ip1 -sU -p0-13106 [target]
nmap -S ip2 -sU -p13107-26213 [target]
[etc]

With 5 IPs, it should only take 3.6 hours.  If you have 256 IPs (a
class C), the scan should take less than 5 minutes.

In other Nmap news, yesterday we released version 4.22SOC8 and we're
looking for more testing in preparation for the upcoming stable
release.  You can find it at http://insecure.org/nmap/download.html
(and learn about the recent changes at
http://insecure.org/nmap/changelog.html )

Cheers,
Fyodor

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------