Effect of scan rate on scan time

[David Fifield <david () bamsoftware com>]

Hi,

With any luck I'll be able to merge the nmap-perf improvements to scan
delay soon. This new system measures the rate at which responses are
received and uses that to set a maximum rate when necessary. I have been
running many tests against two rate-limited test hosts, one with a
configured rate limit of 1 response per second, and one with a limit of
250 per second.

I had been assuming that these configured rate limits were accurate, but
I seemed to be able to scan a little faster than 1 send per second
against the first host, and the rate limit seemed to settle in at about
150 rather than 250 for the second host. So I ran some tests at fixed
rates (using --min-rate X --max-rate X) near the configured limits.
Results from those tests are at

http://www.bamsoftware.com/wiki/Nmap/PerformanceNotes#rate-scatter

It turns out we can go a little faster than 1 send per second against
the first host, though keeping it at 1 is not too bad. Sending faster
than 150 per second against the second host leads to excessive drops and
wrong port states.

These graphs provide some evidence for this claim in the Reference
Guide:

        In some cases, using a faster rate can make a scan take longer
        than it would with a slower rate. This is because Nmap's
        adaptive retransmission algorithms will detect the network
        congestion caused by an excessive scanning rate and increase the
        number of retransmissions in order to improve accuracy.

Faster isn't always faster.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org