Nmap Development mailing list archives
Re: [PATCH] new --min-retries options
From: Jon Passki <jon.passki () hursk com>
Date: Fri, 7 Jul 2006 17:26:21 -0500
On Jul 6, 2006, at 8:35 PM, Fyodor wrote:
> On Wed, Jul 05, 2006 at 10:14:10PM -0500, Jon Passki wrote:
>> Hello All,
>>
>> Today I was scanning using an unreliable network (shared wireless) and had some packet loss. I had root access to the host I was scanning, which allowed me to review the firewall logs and run a tcpdump of the traffic. There was 2% to 20% packet loss, depending upon --max-parallelism and --min-parallelism settings. The host had two ports open and four ports closed, with all the others filtered. Even with what seemed the default two retransmissions there still was loss.
>
> Did you get wrong results with the default Nmap timing behavior, or had you also specified aggressive timing options such as --min-parallelism when this happened?
I reran the test today at the same location w/ the same dst host:

    sudo nmap -sS -P0 -n -e en1 -p- <dst host>

I used this for the pcap filter:

    tcpdump -nw /tmp/foo.pcap 'src host <src host> and tcp[tcpflags] & tcp-syn !=0'

Here's the port counter:

    tcpdump -r /tmp/foo.pcap -n | awk '{ foo = $5 ; split ( foo,bar,"." ) ; gsub ( ":","",bar[5] ) ; print bar[5]}' | sort -u | wc -l
    reading from file /tmp/foo.pcap, link-type EN10MB (Ethernet)
    63981

# of ports seen only once:

    tcpdump -r /tmp/foo.pcap -n | awk '{ foo = $5 ; split ( foo,bar,"." ) ; gsub ( ":","",bar[5] ) ; print bar[5]}' | sort | uniq -c | grep ' 1 ' | wc -l
    reading from file /tmp/foo.pcap, link-type EN10MB (Ethernet)
    125

# of ports seen twice:

    tcpdump -r /tmp/foo.pcap -n | awk '{ foo = $5 ; split ( foo,bar,"." ) ; gsub ( ":","",bar[5] ) ; print bar[5]}' | sort | uniq -c | grep ' 2 ' | wc -l
    reading from file /tmp/foo.pcap, link-type EN10MB (Ethernet)
    63855

Note: one closed port got nailed 164 times.

That is about 97.63% success rate (or 2.37% drop rate).

And w/ the --min-retries patch:

    /tmp/nmap-4.20ALPHA4% sudo ./nmap -sS -P0 -n -e en1 -p- --min-retries 2 <dst host>

(about 1000 seconds longer of a scan)

    65185 total ports found
    44 seen once
    35 seen twice
    86 seen three times
    65020 seen four times

So, I'm guessing if I stepped it up to --min-retries 3, I would probably not have any ports w/o at least one probe. This is around 99.5% complete, and perhaps there's a couple ports being blocked that I can research a bit further.

Any other rate options I can test?

Cheers,

Jon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
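The probe-counting method in the message above (capture the scanner's SYNs, count how often each destination port appears, compare against the full 65535-port space) as a small POSIX shell script. This is an added example, not code from the original post or from Nmap. It generalizes the one-liners slightly: it keys on the last dot-separated component of the destination field instead of a fixed `bar[5]`, so it works for IPv4 addresses and hostnames alike, filters on the scanner's source address and the SYN flag inside awk (so a raw `tcpdump -nr` dump can be fed in without the `src host ... and tcp-syn` capture filter), and emits the whole seen-once/twice/three-times breakdown in one pass. The function names, the scanner address 192.0.2.10, the target 192.0.2.20 and the nine-line capture are all constructed for the example; the field positions assume current `tcpdump -n` text output (`Flags [S],` in the seventh field).

```shell
#!/bin/sh
# Added example (not from the original post or from Nmap): count how many SYN
# probes each destination port received in a `tcpdump -n` text dump, then
# summarise the distribution and the fraction of the 65535-port space covered.
#
# Assumed text layout (current tcpdump): field 3 is "src.port", field 5 is
# "dst.port:" and field 7 is the flag list, e.g. "[S],".

# Constructed sample of `tcpdump -nr scan.pcap` output; not a real capture.
# Scanner 192.0.2.10 probes target 192.0.2.20: port 443 is seen once,
# ports 22 and 80 twice, port 25 three times. The SYN/ACK coming back from
# the target must be ignored (wrong source host and wrong flags).
SAMPLE_TCPDUMP='17:26:21.000001 IP 192.0.2.10.40001 > 192.0.2.20.22: Flags [S], seq 100, win 1024, length 0
17:26:21.000002 IP 192.0.2.20.22 > 192.0.2.10.40001: Flags [S.], seq 1, ack 101, win 64240, length 0
17:26:21.000003 IP 192.0.2.10.40001 > 192.0.2.20.80: Flags [S], seq 100, win 1024, length 0
17:26:21.000004 IP 192.0.2.10.40001 > 192.0.2.20.443: Flags [S], seq 100, win 1024, length 0
17:26:22.000001 IP 192.0.2.10.40002 > 192.0.2.20.22: Flags [S], seq 101, win 1024, length 0
17:26:22.000002 IP 192.0.2.10.40002 > 192.0.2.20.80: Flags [S], seq 101, win 1024, length 0
17:26:22.000003 IP 192.0.2.10.40002 > 192.0.2.20.25: Flags [S], seq 101, win 1024, length 0
17:26:23.000001 IP 192.0.2.10.40003 > 192.0.2.20.25: Flags [S], seq 102, win 1024, length 0
17:26:24.000001 IP 192.0.2.10.40004 > 192.0.2.20.25: Flags [S], seq 103, win 1024, length 0'

# scanner_syn_ports SCANNER_IP   (stdin: tcpdump text)
# Emits the destination port of every SYN the scanner sent, one per line.
# The port is the last dot-separated component of field 5 (hard-coded as
# bar[5] in the post's awk, which only holds for a dotted-quad target).
scanner_syn_ports() {
  awk -v src="$1" '
    substr($3, 1, length(src) + 1) == (src ".") && $7 == "[S]," {
      dst = $5
      sub(/:$/, "", dst)          # strip the trailing colon
      n = split(dst, a, ".")
      print a[n]                  # the port is the last component
    }'
}

# port_histogram SCANNER_IP   (stdin: tcpdump text)
# Prints "<number of ports> ports seen <k> time(s)" for every k observed,
# i.e. the seen-once / seen-twice / ... breakdown from the post in one pass.
port_histogram() {
  scanner_syn_ports "$1" | sort | uniq -c | awk '{ print $1 }' \
    | sort -n | uniq -c \
    | awk '{ printf "%d ports seen %d time(s)\n", $1, $2 }'
}

# coverage SCANNER_IP   (stdin: tcpdump text)
# Prints "<distinct ports probed> <percent of 65535>", the success-rate
# figure the post works out by hand (63981 distinct ports -> 97.63).
coverage() {
  n=$(scanner_syn_ports "$1" | sort -u | wc -l | tr -d ' ')
  awk -v n="$n" 'BEGIN { printf "%d %.2f\n", n, 100 * n / 65535 }'
}

# Run against the constructed sample. For a real scan replace the printf with
#   tcpdump -nr /tmp/foo.pcap | port_histogram <src host>
printf '%s\n' "$SAMPLE_TCPDUMP" | port_histogram 192.0.2.10
printf '%s\n' "$SAMPLE_TCPDUMP" | coverage 192.0.2.10
```

With the sample the histogram reports one port seen once, two seen twice and one seen three times, and coverage reports 4 distinct ports (0.01% of the port space); on a full `-p-` scan the same two numbers are the per-port retry distribution and the success rate discussed in the thread. Ports that never appear at all (the 65535 minus the distinct count) are the ones whose probes were all lost and which Nmap could only report as filtered.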
Current thread:
- [PATCH] new --min-retries options Jon Passki (Jul 05)
- Re: [PATCH] new --min-retries options Fyodor (Jul 06)
- Re: [PATCH] new --min-retries options Jon Passki (Jul 06)
- Re: [PATCH] new --min-retries options Jon Passki (Jul 07)
- Re: [PATCH] new --min-retries options Fyodor (Jul 06)