Nmap Development mailing list archives

Re: [PATCH] new --min-retries options


From: Jon Passki <jon.passki () hursk com>
Date: Fri, 7 Jul 2006 17:26:21 -0500


On Jul 6, 2006, at 8:35 PM, Fyodor wrote:

> On Wed, Jul 05, 2006 at 10:14:10PM -0500, Jon Passki wrote:
>> Hello All,
>>
>> Today I was scanning using an unreliable network (shared wireless)
>> and had some packet loss. I had root access to the host I was
>> scanning, which allowed me to review the firewall logs and run a
>> tcpdump of the traffic.  There was 2% to 20% packet loss, depending
>> upon --max-parallelism and --min-parallelism settings.  The host had
>> two ports open and four ports closed, with all the others filtered.
>> Even with what seemed the default two retransmissions there still was
>> loss.
>
> Did you get wrong results with the default Nmap timing behavior, or
> had you also specified aggressive timing options such as
> --min-parallelism when this happened?

I reran the test today at the same location w/ the same dst host:

sudo nmap -sS -P0 -n -e en1 -p- <dst host>

I used this for the pcap filter:

tcpdump -nw /tmp/foo.pcap 'src host <src host> and tcp[tcpflags] & tcp-syn != 0'

Here's the port counter:

# field 5 of tcpdump's output is the destination "addr.port:"; keep the
# text after the last dot and strip the colon to get the port
tcpdump -r /tmp/foo.pcap -n | awk '{ foo = $5; split(foo, bar, "."); gsub(":", "", bar[5]); print bar[5] }' | sort -u | wc -l
reading from file /tmp/foo.pcap, link-type EN10MB (Ethernet)
    63981

# of ports seen only once:
# compare the uniq -c count numerically rather than grepping its padded column
tcpdump -r /tmp/foo.pcap -n | awk '{ foo = $5; split(foo, bar, "."); gsub(":", "", bar[5]); print bar[5] }' | sort | uniq -c | awk '$1 == 1' | wc -l
reading from file /tmp/foo.pcap, link-type EN10MB (Ethernet)
      125

# of ports seen twice:
tcpdump -r /tmp/foo.pcap -n | awk '{ foo = $5; split(foo, bar, "."); gsub(":", "", bar[5]); print bar[5] }' | sort | uniq -c | awk '$1 == 2' | wc -l
reading from file /tmp/foo.pcap, link-type EN10MB (Ethernet)
    63855

Note: one closed port got nailed 164 times

That is about a 97.63% success rate (or a 2.37% drop rate).


And w/ the --min-retries patch

/tmp/nmap-4.20ALPHA4% sudo ./nmap -sS -P0 -n -e en1 -p- --min-retries 2 <dst host>
(the scan took about 1000 seconds longer)

65185 total ports found
44 seen once
35 seen twice
86 seen three times
65020 seen four times

So, I'm guessing if I stepped it up to --min-retries 3, I would  
probably not have any ports w/o at least one probe.  This is around  
99.5% complete, and perhaps there's a couple ports being blocked that  
I can research a bit further.

Any other rate options I can test?

Cheers,

Jon




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
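The per-port probe counting done above with awk, sort and uniq -c, as an added example that is not part of the original post or of Nmap itself. It reads tcpdump -n text output on stdin, counts SYN probes per destination port, and reports how many ports were seen once, twice, and so on, comparing the count numerically instead of grepping uniq's space-padded column. The capture lines are constructed for the example, not from a real scan, and the parsing assumes IPv4 lines where field 5 is the destination "a.b.c.d.port:" exactly as the post's awk does.

```shell
#!/bin/sh
# Added example (not from the original post or from Nmap): a less fragile
# version of the per-port probe histogram used in the post. Input is the
# text output of "tcpdump -r file -n"; IPv4 only, where field 5 is the
# destination "a.b.c.d.port:".

# Constructed sample of tcpdump -n output (not a real capture): ports 22
# and 80 probed twice, 443 once, 8080 three times.
SAMPLE='17:26:21.000001 IP 192.168.1.5.40000 > 192.168.1.9.22: S 1:1(0) win 1024
17:26:21.000002 IP 192.168.1.5.40000 > 192.168.1.9.80: S 1:1(0) win 1024
17:26:21.000003 IP 192.168.1.5.40000 > 192.168.1.9.443: S 1:1(0) win 1024
17:26:21.000004 IP 192.168.1.5.40000 > 192.168.1.9.8080: S 1:1(0) win 1024
17:26:22.000001 IP 192.168.1.5.40001 > 192.168.1.9.22: S 2:2(0) win 1024
17:26:22.000002 IP 192.168.1.5.40001 > 192.168.1.9.80: S 2:2(0) win 1024
17:26:22.000003 IP 192.168.1.5.40001 > 192.168.1.9.8080: S 2:2(0) win 1024
17:26:23.000001 IP 192.168.1.5.40002 > 192.168.1.9.8080: S 3:3(0) win 1024'

# probes_per_port: prints "<probes> <port>" for each destination port seen,
# sorted by port. The port is the text after the last dot of field 5 with
# the trailing colon removed.
probes_per_port() {
    awk '$2 == "IP" { n = split($5, a, "."); sub(/:$/, "", a[n]); c[a[n]]++ }
         END { for (p in c) print c[p], p }' | sort -k2,2n
}

# ports_seen: number of distinct destination ports probed at least once
# (the post's "sort -u | wc -l").
ports_seen() {
    probes_per_port | awk 'END { print NR }'
}

# ports_seen_times N: number of ports probed exactly N times. The count is
# compared as a number, so it does not depend on how uniq -c pads its column.
ports_seen_times() {
    probes_per_port | awk -v n="$1" '$1 + 0 == n + 0 { k++ } END { print k + 0 }'
}

# histogram: one line per multiplicity, "<ports> seen <N> times", which is
# the summary the post gives for the --min-retries 2 run.
histogram() {
    probes_per_port |
        awk '{ h[$1]++ } END { for (t in h) print h[t], "seen", t, "times" }' |
        sort -k3,3n
}

# Usage: feed a real capture with  tcpdump -r /tmp/foo.pcap -n | histogram
printf '%s\n' "$SAMPLE" | histogram
```

Ports that never appear in the histogram at all were never seen on the wire by the capture host, so comparing ports_seen against the number of ports Nmap was asked to scan gives the coverage figure the post computes by hand.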

