Nmap Announce mailing list archives

Re: Scanning speeds - unexplained behaviour


From: Darren Reed <avalon () coombs anu edu au>
Date: Thu, 22 Jul 1999 16:21:01 +1000 (EST)

In some mail from Thomas Reinke, sie said:
[...]
> Specifically, if you scan ports 1-65535, the time taken
> is MUCH longer than if you were to scan the same range
> of ports, but in 10,000 port chunks (say 7 consecutive
> runs of 10,000 ports). This in turn takes 3 times
> longer than if you were to do 65 consecutive runs
> of 1000 port increments.
>
> Anyone have any idea why breaking down a scan into
> small chunks works so much faster?

Without looking at the code, if the inner loop has a complexity
that is non-linear, then this should be expected.

You may also be generally suffering from performance problems
involved with lengthy lists, time to search that, etc.

Most probably implementation problems, as well as OS issues.

You should also expect a greater number of bad answers as if
all 65000 responded, I doubt the OS would be able to buffer
that many packets for the time required to service them from
start to end.

> Typically, if we start with a "seed" scan of
> the ports 1-50, it might take 50 seconds or so.
> Thereafter, if we scan 1000 ports at a time, each
> 1000 ports might take only 7-8 seconds!

Have you considered that perhaps the first also has to wait for things
like ARP entries to be added, etc ?

Darren
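The following is an added illustration of the "non-linear inner loop" hypothesis raised in the reply above; it is a constructed toy model, not nmap's code and not anything Darren or Thomas posted. It assumes a scanner that keeps its outstanding probes in a plain list and, for each reply, searches that list for the matching probe; the reply order (reverse of send order) is a modelling assumption chosen to show the worst case for a linear search. With that structure a single run over n ports costs O(n^2) comparisons, while the same ports scanned in k chunks cost about n^2 / k, which is the shape of the slowdown described in the thread. Keying the outstanding probes by port (a dict) makes the match O(1) and removes the advantage of chunking.

```python
"""Toy model of the "non-linear inner loop" hypothesis from the reply above.

Constructed example, not nmap code: a scanner keeps its outstanding probes
in a plain Python list and, for each reply, searches that list to find the
matching probe.  The search is O(n) in the number of outstanding probes, so
one scan of n ports costs O(n^2) comparisons, while the same ports scanned in
k chunks cost only about n^2 / k.  Keyed storage (a dict) makes the match
O(1) and the chunking advantage disappears.
"""


def scan_cost_list(ports):
    """Comparisons needed to match every reply when probes sit in a list.

    Modelling assumption: all probes go out first and replies come back in
    the reverse of the order they were sent, so each lookup walks the whole
    remaining list (the worst case for a linear search).
    """
    outstanding = list(ports)
    comparisons = 0
    for port in reversed(ports):
        # linear search for the probe this reply belongs to
        for i, pending in enumerate(outstanding):
            comparisons += 1
            if pending == port:
                del outstanding[i]
                break
    return comparisons


def scan_cost_dict(ports):
    """Same model, but outstanding probes are keyed by port: one lookup per reply."""
    outstanding = {port: True for port in ports}
    lookups = 0
    for port in reversed(ports):
        lookups += 1
        del outstanding[port]
    return lookups


def chunked_cost(cost_fn, ports, chunk_size):
    """Cost of scanning the same ports as consecutive runs of chunk_size ports."""
    return sum(cost_fn(ports[i:i + chunk_size])
               for i in range(0, len(ports), chunk_size))


def compare(n_ports, chunk_size):
    """Modelled cost of one full run versus chunked runs, for both data structures."""
    ports = list(range(1, n_ports + 1))
    return {
        "list_full": scan_cost_list(ports),
        "list_chunked": chunked_cost(scan_cost_list, ports, chunk_size),
        "dict_full": scan_cost_dict(ports),
        "dict_chunked": chunked_cost(scan_cost_dict, ports, chunk_size),
    }


if __name__ == "__main__":
    # Constructed sizes, scaled down from the thread's 65535-port range so the
    # quadratic case finishes quickly in pure Python.
    for chunk in (100, 1000):
        print("chunk size", chunk, compare(2000, chunk))
```

Running it shows the list-backed scanner's full-run cost growing with the square of the port count while the chunked total grows only linearly in the number of chunks; the dict-backed scanner costs exactly one lookup per port either way. The model says nothing about which data structure nmap actually used in 1999; it only shows that a linear search over outstanding probes would reproduce the reported "chunks are much faster" effect.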

