Nmap Development mailing list archives
Re: Good nmap timeout values for port scans of filtering hosts on local LAN
From: "Alek O. Komarnitsky (N-CSC)" <alek () ast lmco com>
Date: Thu, 16 Aug 2001 16:02:59 -0600 (MDT)
> From: Fyodor <fyodor () insecure org>
> Subject: Re: Good nmap timeout values for port scans of filtering hosts on local LAN
> To: H D Moore <hdm () secureaustin com>
> Cc: Alek Komarnitsky <alek () komar org>, nmap-dev () insecure org
>
> HOWEVER, the --max_rtt_timeout 50 should have made the scan a LOT faster. You have uncovered a bug in Nmap. Good find! If --max_rtt_timeout is set to a lower value than the default initial_rtt_timeout, the latter value should be immediately reduced to the max_rtt_timeout. I have fixed this for the next version of Nmap. Until that is released, people who use --max_rtt_timeout should also set --initial_rtt_timeout to the same value.
>
> [Announcing BETA29 Release]
> o Fixed portscan timing bug found by H D Moore (hdm () secureaustin com). This bug can occur when you specify a --max_rtt_timeout but not --initial_rtt_timeout and then scan certain firewalled hosts.
Ummmmmm ... I still swear something is "strange" with nmap scanning of filtered hosts, and max_rtt_timeout doesn't quite behave correctly (?).

For instance, I have two machines on the same Class C subnet (which has minimal traffic on it). scanner-host is running Linux 6.2 and using the latest Beta29 release of nmap. scanned-host is running Linux 7.1, and the only port open in the range of 50-100 is port 80 for httpd. ping/traceroute shows rtt times of about 0.5 msec.

I've attached actual nmap outputs below, but if I do an nmap with a max_rtt_timeout of 40 (milliseconds), the scan of 50 ports takes 45 seconds and correctly reports only port 80 open. Ditto if max_rtt_timeout is 50, 60, or no max_rtt_timeout is specified. However, if I set it to 30, it responds in *1* second ... but returns different port information ... so why, when I moved max_rtt_timeout down slightly, did I see such a dramatic change?

alek

[alek@www docs]$ nmap --max_rtt_timeout 40 -p50-100 SCANNED-HOST

Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Interesting ports on SCANNED-HOST
(The 50 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http

Nmap run completed -- 1 IP address (1 host up) scanned in 45 seconds

[alek@www docs]$ nmap --max_rtt_timeout 30 -p50-100 SCANNED-HOST

Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Interesting ports on SCANNED-HOST
(The 43 ports scanned but not shown below are in state: filtered)
Port       State       Service
71/tcp     closed      netrjs-1
72/tcp     closed      netrjs-2
80/tcp     open        http
85/tcp     closed      mit-ml-dev
88/tcp     closed      kerberos-sec
91/tcp     closed      mit-dov
92/tcp     closed      npp
100/tcp    closed      newacct

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
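The following is an added illustration for this archive page, not code from Nmap or from anyone in the thread. It models the one rule Fyodor states (when --max_rtt_timeout is lower than the initial RTT timeout, the initial value must be lowered to match) and the cost that a silently dropping host imposes on a scan: every unanswered probe is charged the full timeout. The default values, the single-probe-per-port loop and the sample host are assumptions; the model does not reproduce the 45-second and 1-second timings in the mail above, it only shows why leaving the initial timeout unclamped makes a small --max_rtt_timeout ineffective and why passing both options with the same value works around it.

```python
"""Simplified model of per-probe RTT timeout selection and its effect on
scan wall time against a host that drops probes.  Added example for this
page; not Nmap's code.  Defaults and the probe loop are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed defaults for the model only (not Nmap's real defaults).
DEFAULT_INITIAL_RTT_MS = 6000.0
DEFAULT_MAX_RTT_MS = 9000.0


@dataclass(frozen=True)
class Timing:
    """User-supplied timing options, standing in for --max_rtt_timeout and
    --initial_rtt_timeout.  None means "not given on the command line"."""
    max_rtt_ms: Optional[float] = None
    initial_rtt_ms: Optional[float] = None


def first_probe_timeout(t: Timing, clamp_initial: bool) -> float:
    """Timeout applied to the first probe sent to each port.

    clamp_initial=True models the fix described in the thread: if the
    requested maximum is below the initial value, the initial value is
    lowered to match.  clamp_initial=False models the reported bug: the
    initial value is left alone, so a small --max_rtt_timeout does not
    shorten the first probe.  The thread's workaround (give both options
    the same value) makes both paths agree."""
    max_rtt = DEFAULT_MAX_RTT_MS if t.max_rtt_ms is None else t.max_rtt_ms
    initial = DEFAULT_INITIAL_RTT_MS if t.initial_rtt_ms is None else t.initial_rtt_ms
    if clamp_initial:
        return min(initial, max_rtt)
    return initial


def scan(ports: List[int], rtt_by_port: Dict[int, Optional[float]],
         timeout_ms: float) -> Tuple[Dict[int, str], float]:
    """Probe each port once, sequentially, with a fixed timeout.

    rtt_by_port maps a port to the reply latency in ms, or None when the
    host drops the probe without answering.  A reply within the timeout
    classifies the port ("responded"; open vs closed is not modelled), and
    no reply charges the full timeout and reports "filtered".
    Returns (states, elapsed_ms)."""
    states: Dict[int, str] = {}
    elapsed = 0.0
    for port in ports:
        rtt = rtt_by_port.get(port)
        if rtt is not None and rtt <= timeout_ms:
            states[port] = "responded"
            elapsed += rtt
        else:
            states[port] = "filtered"
            elapsed += timeout_ms
    return states, elapsed


# Constructed sample host: 0.5 ms replies on eight ports, silence on the
# other 43 of 50-100.  Latency taken from the mail; the port split is made up.
SAMPLE_PORTS = list(range(50, 101))
SAMPLE_RTT: Dict[int, Optional[float]] = {p: None for p in SAMPLE_PORTS}
for _responding in (71, 72, 80, 85, 88, 91, 92, 100):
    SAMPLE_RTT[_responding] = 0.5


def compare(max_rtt_ms: float) -> Dict[str, float]:
    """Elapsed ms against the sample host for: the buggy build with only
    --max_rtt_timeout, the fixed build with only --max_rtt_timeout, and the
    buggy build with the workaround of passing both options."""
    only_max = Timing(max_rtt_ms=max_rtt_ms)
    both = Timing(max_rtt_ms=max_rtt_ms, initial_rtt_ms=max_rtt_ms)
    return {
        "buggy_max_only": scan(SAMPLE_PORTS, SAMPLE_RTT,
                               first_probe_timeout(only_max, False))[1],
        "fixed_max_only": scan(SAMPLE_PORTS, SAMPLE_RTT,
                               first_probe_timeout(only_max, True))[1],
        "workaround_both": scan(SAMPLE_PORTS, SAMPLE_RTT,
                                first_probe_timeout(both, False))[1],
    }


if __name__ == "__main__":
    for name, ms in compare(50.0).items():
        print(f"{name:16s} {ms / 1000:.2f} s")
```

With a 50 ms maximum, the buggy path still waits the assumed 6000 ms default on each of the 43 silent ports, while the fixed path and the workaround both wait 50 ms per silent port; the responding ports cost almost nothing either way, which is why a filtering host, not an open one, is where the timeout options matter.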
Current thread:
- Good nmap timeout values for port scans of filtering hosts on local LAN Alek Komarnitsky (Aug 06)
- Re: Good nmap timeout values for port scans of filtering hosts on local LAN H D Moore (Aug 06)
- <Possible follow-ups>
- Re: Good nmap timeout values for port scans of filtering hosts on local LAN Alek O. Komarnitsky (N-CSC) (Aug 16)