Nmap Development mailing list archives
Re: massping issue
From: David Fifield <david () bamsoftware com>
Date: Thu, 2 Apr 2009 13:39:31 -0600
On Thu, Apr 02, 2009 at 09:06:50AM -0400, Justin Azoff wrote:
> Hi, since upgrading from debian etch nmap to debian lenny nmap (4.11 to 4.62) I noticed that a script that runs a ping scan across our /16 stopped finding 90% of the hosts. The command run is simply:
>
> nmap --host_timeout 2000 -n -sP -PE a.b.0.0/16
>
> The highest latency on the network is under 100ms, so 2000 should be more than high enough to find everything.
>
> I used git bisect against git://git.debian.org/~lamont/nmap.git to track this down to a commit, and the result was d37f15389455ff474c00223cbf18be4117cedd76, which corresponds to '4.22SOC6'. The changelog for that says:
>
> +o Included David's major massping migration project. The same
> + underlying engine is now uses for ping scanning as for port
> + scanning. We hope this will lead to better performance and
> + accuracy, as well as helping to de-bloat Nmap. Please test it out
> + and report your results to nmap-dev! For more details, see
> + http://seclists.org/nmap-dev/2007/q3/0277.html
>
> The test I ran was:
>
> time sudo nmap --host_timeout 2000 -n -sP -PE a.b.0.0/16 -oG - | grep 'Status: Up' -c
>
> I verified that with the previous rev (f501df2e2a74f0bc8ce35a9ddc67d6864afddf96) the results are:
> num: 3868 time: 9:36
>
> with d37f15389455ff474c00223cbf18be4117cedd76 the results are:
> num: 291 time: 1:11
>
> so it runs in 1/10th the time, but finds 1/10th the hosts.
>
> I also tested this with nmap-4.85BETA7:
> num: 376 time: 0:39
>
> and svn HEAD:
> num: 351 time: 0:40
Thanks for your detailed report. I don't think --host-timeout is what you want here. You want --max-rtt-timeout instead.

--host-timeout is an absolute start-to-finish limit on total time taken for each host. Because 4096 hosts are scanned in parallel during ping scan, you are only allowing 2 seconds to scan all 4096 of them.

The reason you got more hosts with 4.11 is that massping didn't respect --host-timeout in that version. The option simply didn't have an effect during ping scans. Now hosts are allowed to time out during ping scans, and two seconds

So try using --max-rtt-timeout instead. Host timeouts are usually specified in at least minutes, and RTT timeouts are usually in milliseconds.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
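As an added example following David's reply (not code from the thread, from either poster, or from the Nmap project): a small POSIX shell helper that builds the sweep Justin described with --max-rtt-timeout in place of --host-timeout, and counts "Status: Up" lines from -oG output the way his test did. The function names, the 2000 ms default and the -oG sample are constructed; -n, -sn (the current spelling of -sP), -PE, --max-rtt-timeout and -oG are real Nmap options, and the "ms" suffix assumes an Nmap release that accepts unit suffixes on timing options.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Nmap project): build the
# ping sweep with an RTT bound instead of a per-host wall-clock cap, and count
# the hosts reported up in Nmap's grepable (-oG) output. Flag names are real
# Nmap options; the sample output below is constructed, not captured.

# Assemble the argument list, one argument per line so it can be fed to xargs.
# The thread's point: --host-timeout caps the total time per host, and the
# whole parallel discovery group shares that clock, so a 2 s value starves a
# 4096-host batch. --max-rtt-timeout bounds each probe's round-trip wait
# instead, which is what a sub-100 ms network actually needs.
# -sn is the current spelling of -sP; the ms suffix makes the unit explicit
# (assumption: the installed Nmap accepts unit suffixes, as current releases do).
ping_sweep_args() {
  target="$1"
  rtt_ms="${2:-2000}"
  printf '%s\n' -n -sn -PE --max-rtt-timeout "${rtt_ms}ms" -oG - "$target"
}

# Count hosts marked up in grepable output on stdin. grep -c prints 0 and
# exits 1 when nothing matches, so the || keeps an empty sweep from looking
# like a failure under set -e.
count_up_hosts() {
  grep -c 'Status: Up' || true
}

# Run the sweep (needs nmap on PATH and raw-socket privilege for -PE) and
# print the count of hosts reported up. Not exercised by the self-check.
run_ping_sweep() {
  ping_sweep_args "$@" | xargs sudo nmap | count_up_hosts
}

# Constructed sample of -oG output (three Host lines, two up). Real -oG output
# separates fields with tabs; spaces are used here for readability.
SAMPLE_OG='# Nmap scan initiated as: nmap -n -sn -PE --max-rtt-timeout 2000ms -oG - 10.0.0.0/30
Host: 10.0.0.1 ()  Status: Up
Host: 10.0.0.2 ()  Status: Down
Host: 10.0.0.3 ()  Status: Up
# Nmap done -- 4 IP addresses (2 hosts up) scanned in 0.12 seconds'

# Self-check over the constructed sample; returns the up-host count.
sample_up_count() {
  printf '%s\n' "$SAMPLE_OG" | count_up_hosts
}

# Example invocation, mirroring the original test with corrected flags:
#   run_ping_sweep a.b.0.0/16 2000
```

The second argument is the per-probe RTT bound in milliseconds; leaving it out uses 2000, which is deliberately generous against a network whose highest latency is under 100 ms, so it costs nothing in accuracy and only slows the sweep on hosts that never answer.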
Current thread:
- massping issue Justin Azoff (Apr 02)
- Re: massping issue David Fifield (Apr 02)
- Re: massping issue Justin Azoff (Apr 06)
- Re: massping issue David Fifield (Apr 02)