Nmap Development mailing list archives
Desired --max-rate behavior: exceed the maximum to keep up the average?
From: David Fifield <david () bamsoftware com>
Date: Mon, 4 Aug 2008 15:19:26 -0600
Hi list, A few days ago I added a --max-rate option, complementary to --min-rate. I hadn't announced it yet because I can't decide how it should act in a certain situation, and I want your advice. Implementing --max-rate is easy. If someone asks for --max-rate 100, just ensure that no two probes are sent closer than 1/100 s apart. In other words, if it's been less than 1/100 since the last probe sent, don't allow sending another. This is basically what the current code does. It works in most situations and slower send rates. However such a technique means that if the sending rate is ever to equal the maximum rate, it must send a packet every 1/100 s, without fail. If one or more time slices are skipped because of congestion control or pcap delays, there is no way to catch up. If 10% of the slices are missed, the rate will be at 90% of maximum, even if Nmap is sending at the maximum rate all the rest of the time. Here is an example. nmap -n -PN -d3 -p- localhost Overall sending rates: 4237.11 packets / s, 186432.74 bytes / s. So the scan appears to support 4000+ packets per second. Then 2000 should be no problem. nmap -n -PN -d3 -p- --max-rate 2000 localhost Overall sending rates: 756.26 packets / s, 33275.44 bytes / s. This is easily explained by what I noted above, however, it is surprising behavior. The only solution I see is to allow the engine to go faster than the maximum during the sending times to make up for the delays. ./nmap-nonstrict -n -PN -d3 -p- --max-rate 2000 localhost Overall sending rates: 1999.92 packets / s, 87996.43 bytes / s. My problem with this solution is that it uses a very loose definition of the word "maximum." It makes good sense from the user's perspective but it hides the fact that the sending rate jumped to above 7000 packets per seconds for very brief moments. A variation on this is to allow only a certain number of "catch up" packets, or to reduce the amount of packets allowed to catch up by a certain fraction with each packet sent, keeping it in some reasonable bounds. This "damped" behavior is implemented in the /nmap-exp/david/nmap-fixed-rate branch. Here is some output: ./nmap-damped -n -PN -d3 -p- --max-rate 2000 localhost Overall sending rates: 1980.08 packets / s, 87123.43 bytes / s. That's with damping of 1% applied to the number of catch-up probes. It doesn't get to catch up completely, but it gets pretty close. However, this approach appears to burst to over 10000 probes per second, for reasons I don't understand. What do you think is the right behavior? Should --max-rate be strict or lenient? David _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Desired --max-rate behavior: exceed the maximum to keep up the average? David Fifield (Aug 04)
- Re: Desired --max-rate behavior: exceed the maximum to keep up the average? Brandon Enright (Aug 04)