Nmap Development mailing list archives

Re: RTT Timeouts [SO_DONTROUTE again]


From: Kris Katterjohn <katterjohn () gmail com>
Date: Sat, 16 Jan 2010 00:03:45 -0600


On 01/15/2010 02:20 PM, Jon Kibler wrote:
> Hi,
>
> I have been playing with speeding up the scanning of a system that is
> one hop away from my probe box. When I ping the system, the RTT for the
> first ping is about 1.5ms (mostly ARP), and thereafter it is more like
> 0.25ms to 0.33ms.


The fact that you're doing a big version scan most likely makes everything I'm
about to say irrelevant; however, this is something you may find somewhat
interesting under other circumstances:

The thing that came to my mind when reading your email was a patch[1] I made
right about a year ago (it still applies just fine against SVN).  It uses the
SO_DONTROUTE socket option on Nmap's raw sending socket to bypass the kernel's
routing table for outgoing packets destined for directly-connected hosts.  An
improvement was noticed by both Fyodor and me, but not enough to warrant
committing to trunk[2].  However, you may find the change worth applying the
patch when just port scanning (I'm actually quite curious about this on a
really fast network).

Since the srtt measures from when the packet is "sent" (started before kernel
routing) until a response is received, and the rttvar and timeout variables
are affected by the srtt, Nmap's timing takes advantage of any slight
improvement here.

I don't know if you'll notice any difference at all, but with scanning all TCP
and UDP ports, I would hope that something noticeable would come of it.

> THANKS!
>
> Jon K

Cheers,
Kris Katterjohn

[1] http://seclists.org/nmap-dev/2008/q4/808
[2] http://seclists.org/nmap-dev/2009/q1/24

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
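
The two mechanisms mentioned in the message above, as an added example that is not taken from the referenced patch or from Nmap's source: setting SO_DONTROUTE on a socket and reading it back, and how a slightly smaller RTT sample carries through srtt and rttvar into the probe timeout. The estimator is the usual RFC 6298-style smoothing, assumed here for illustration; the sample values and all function names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>

/* Constructed RTT samples (microseconds); the 30 us saving is hypothetical. */
static const long SAMPLES_ROUTED[] = {330, 330, 330};
static const long SAMPLES_DIRECT[] = {300, 300, 300};
struct rtt_state { long srtt, rttvar, timeout; };

/* Fold one sample into srtt/rttvar and recompute the probe timeout. */
static void rtt_update(struct rtt_state *s, long sample_us) {
    if (s->srtt < 0) {                  /* first sample seeds the state */
        s->srtt = sample_us;
        s->rttvar = sample_us / 2;
    } else {
        long delta = sample_us - s->srtt;
        s->srtt += delta / 8;
        s->rttvar += (labs(delta) - s->rttvar) / 4;
    }
    s->timeout = s->srtt + 4 * s->rttvar;
}

/* Timeout in microseconds after feeding n samples to a fresh estimator. */
long timeout_after(const long *samples, int n) {
    struct rtt_state s = { -1, 0, 0 };
    for (int i = 0; i < n; i++) rtt_update(&s, samples[i]);
    return s.timeout;
}

/* Open a UDP socket (no root needed; the patch targets a raw socket)
 * with SO_DONTROUTE set. Returns the fd, or -1 on error. */
int open_dontroute_socket(void) {
    int on = 1, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd >= 0 && setsockopt(fd, SOL_SOCKET, SO_DONTROUTE, &on, sizeof on) < 0) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Read the option back: 1 if set, 0 if clear, -1 on error. */
int dontroute_is_set(int fd) {
    int val = 0;
    socklen_t len = sizeof val;
    if (getsockopt(fd, SOL_SOCKET, SO_DONTROUTE, &val, &len) < 0) return -1;
    return val != 0;
}

int main(void) {
    int fd = open_dontroute_socket();
    printf("SO_DONTROUTE set: %d\n", fd < 0 ? -1 : dontroute_is_set(fd));
    printf("timeout routed=%ldus direct=%ldus\n",
           timeout_after(SAMPLES_ROUTED, 3), timeout_after(SAMPLES_DIRECT, 3));
    if (fd >= 0) close(fd);
}
```

With SO_DONTROUTE set, sends to a destination that is not on a directly attached network fail instead of going through a gateway, so the option only suits the one-hop case discussed in this thread.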

