Nmap Development mailing list archives
New default ping probes: -PE -PS443 -PA80 -PP
From: David Fifield <david () bamsoftware com>
Date: Wed, 27 May 2009 16:23:37 -0600
Hi all,

Fyodor and I have been running a lot of scans to find out what are the most effective ping probes. We scanned over 6,000 selected addresses 90 times, each time with a different ping probe. I wrote an analysis program that exhaustively tries every probe combination for small numbers of probes and finds the best combinations. Here they are. Percentages in this table are out of the number of hosts that responded to *any* of the 90 probes.

 1 probe    62.22%  -PE
 2 probes   77.61%  -PE -PA80
 3 probes   83.83%  -PE -PS443 -PA80
 4 probes   88.64%  -PE -PS443 -PA80 -PP
 5 probes   91.15%  -PE -PS443 -PA80 -PP -PU161*
 6 probes   92.70%  -PE -PS443 -PA80 -PP -PU161* -PU40125**
 ...
90 probes  100.00%

* Sent with source port of 53 and SNMP payload.
** Sent with source port of 53 and payload of 24 bytes.
From this list we decided to change the default host discovery probes to the four-probe combination. Because the previous default was -PE -PA80, this simply adds -PS443 and -PP.

Results and methodology are at http://www.bamsoftware.com/wiki/Nmap/EffectivenessOfPingProbes. The final results from which the above table comes are at http://www.bamsoftware.com/wiki/Nmap/EffectivenessOfPingProbes#a-20090525-ack-sctp.

Combined with this change is a performance enhancement. Probes are sent in order of effectiveness (-PE first), so less likely probes may not have to be sent at all.

Here are some sample results. The two-probe ping comes first, followed by the four-probe ping. You can expect scans to be slower but more accurate in most cases. In some cases they may be faster because of the above-mentioned performance enhancement and because there may be marginally more information available from the network.

nmap -n -sL -iR 1000 | awk '/^Host/ {print $2}' > list.txt
nmap -v -n -sP -iL list.txt
Nmap done: 1000 IP addresses (61 hosts up) scanned in 28.78 seconds
           Raw packets sent: 3813 (130.236KB) | Rcvd: 165 (8861B)
Nmap done: 1000 IP addresses (70 hosts up) scanned in 89.89 seconds
           Raw packets sent: 7465 (282.600KB) | Rcvd: 507 (32.965KB)

nmap -v -n -sP scanme.nmap.org/24
Nmap done: 256 IP addresses (112 hosts up) scanned in 3.07 seconds
           Raw packets sent: 718 (24.976KB) | Rcvd: 215 (7539B)
Nmap done: 256 IP addresses (113 hosts up) scanned in 9.06 seconds
           Raw packets sent: 1288 (47.908KB) | Rcvd: 231 (7264B)

nmap -v -n -sP www.microsoft.com
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
           Raw packets sent: 4 (136B) | Rcvd: 0 (0B)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
           Raw packets sent: 4 (152B) | Rcvd: 1 (44B)

Please report any weird anomalies.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
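The exhaustive probe-combination search and the send-order optimization described in the post, as an added example: this is not David's analysis program, and the host response matrix (HOST_GROUPS) is constructed for illustration, not the measured data.

```python
from itertools import combinations

# Constructed sample data (not the post's measurements): (host count, probes those
# hosts answered). The empty set is a host that never answered; it is left out.
HOST_GROUPS = [
    (6, {"-PE"}),
    (4, {"-PA80"}),
    (3, {"-PS443"}),
    (2, {"-PP"}),
    (1, {"-PU161"}),
    (1, {"-PE", "-PA80", "-PS443", "-PP"}),
    (1, {"-PE", "-PA80"}),
    (1, {"-PA80", "-PS443"}),
    (1, set()),
]

def expand(groups):
    """One frozenset of answered probes per host."""
    return [frozenset(p) for n, p in groups for _ in range(n)]

def hits(hosts, probe_set):
    """Hosts that answered at least one probe in probe_set."""
    return sum(1 for answered in hosts if answered & probe_set)

def best_combination(hosts, k):
    """Try every k-probe subset; return (hits, responsive hosts, probes)."""
    responsive = [h for h in hosts if h]  # denominator: answered any probe
    all_probes = sorted(frozenset().union(*hosts))
    best = max(combinations(all_probes, k),
               key=lambda c: hits(responsive, frozenset(c)))
    return hits(responsive, frozenset(best)), len(responsive), best

def send_order(hosts, probes):
    """Most effective probe first, so a host that answers it is never sent
    the rest (the performance enhancement described in the post)."""
    responsive = [h for h in hosts if h]
    return sorted(probes, reverse=True,
                  key=lambda p: hits(responsive, frozenset([p])))

def table(hosts, max_k):
    """Rows of (k, percent of responsive hosts covered, probes in send order)."""
    rows = []
    for k in range(1, max_k + 1):
        n, total, probes = best_combination(hosts, k)
        rows.append((k, 100.0 * n / total, send_order(hosts, probes)))
    return rows

if __name__ == "__main__":
    for k, pct, probes in table(expand(HOST_GROUPS), 5):
        print(f"{k} probes {pct:6.2f}%  {' '.join(probes)}")
```

On real data the combinations() loop grows quickly with the probe count, which is why the post limits the exhaustive search to small numbers of probes.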