Re: Fwd: SOC idea

[Jason Gerfen <jason.gerfen () gmail com>]

For those that are interested in this project my latest benchmarks are
showing a substantial increase in performance for scans using the -T4
option.

The scan test case: nmap -T4 -oG - localhost 10.0.2.0/24
192.168.2.0/25 (all virtual private nets as I do not have access to a
large class A, B or C to test against)

nmap:

real    3m34.218s
user    0m0.911s
sys     0m3.315s

node-libnmap:

real    2m32.158s
user    0m13.066s
sys     0m8.890s


A minute shaved off the scan, I would be interested to see a large
class A or B scan result if anyone can provide a safe block for me to
test against. Thanks!



On Sat, Jan 11, 2014 at 5:02 AM, Jason Gerfen <jason.gerfen () gmail com> wrote:
> On Fri, Jan 10, 2014 at 8:22 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
> > On 01/10/2014 06:48 AM, Jason Gerfen wrote:
> > > > 1. Your Github readme suggests that you might be using Nmap 5.51. If this
> > > > is
> > > > > the case, do upgrade to the latest version before benchmarking your
> > > > > code,
> > > > > otherwise you might be wasting time.
> > >
> > > I am currently using and testing against 5.51, so green there.
> >
> > The current version is 6.40, just to clarify. I am not really aware of any
> > significant changes in host discovery between these versions. Here are the
> > relevant entries in the changelog:
> >
> > o Added a new --disable-arp-ping option. This option prevents Nmap
> >   from implicitly using ARP or ND host discovery for discovering
> >   directly connected Ethernet targets. This is useful in networks
> >   using proxy ARP, which make all addresses appear to be up using ARP
> >   scan. The previously recommended workaround for this situation,
> >   --send-ip, didn't work on Windows because that lame excuse for an
> >   operating system is still missing raw socket support.  [David
> >   Fifield (editorializing added by Fyodor)]
> >
> > o Made source port numbers (used to encode probe metadata) increment
> >   so as not to overlap between different scanning phases. Previously
> >   it was possible for an RST response to an ACK probe from host
> >   discovery to be misinterpreted as a reply to a SYN probe from port
> >   scanning. [Sean Rivera, David Fifield]
> >
> > o Targets requiring different source addresses now go into different
> >   hostgroups, not only for host discovery but also for port scanning.
> >   Before, only responses to one of the source addresses would be
> >   processed, and the others would be ignored. [David]
> >
> > o Nmap has long supported IPv6 for basic (connect) port scans, basic
> >   host discovery, version detection, Nmap Scripting Engine.  This
> >   release dramatically expands and improves IPv6 support:
> >   + IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan,
> >     etc.) are now supported. [David, Weilin]
> >   + IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP
> >     discovery packets, etc.) is now supported. [David, Weilin]
> >   + IPv6 traceroute is now supported [David]
> >   + The --exclude and --excludefile now support IPV6 addresses with
> >     netmasks.  [Colin]
> >
> >
> >
> > > > > 2. Consider using -oX instead of -oG. This way you will get an ouput
> > > > > format
> > > > > less likely to be changed in the future. As far as I know, -oG is meant
> > > > > for
> > > > > being read by a human, not parsed by a machine.
> > >
> > > Am I wrong to assume -oG will allow the following?
> > >
> > > $ nmap -sn -oG - 10.0.2.0/24 | awk 'up { print }'
> > >
> > > Really due to the nature of the language, in this case node.js which
> > > relies heavily upon Objects, and more specifically JSON formatted
> > > objects a simple regex combined with a capture group of the results is
> > > going to be faster than traversing XML elements.
> >
> > -oG is "deprecated," which for our purposes means that the format is fixed
> > and will not change. New features (NSE scripts, traceroute, etc) will not
> > get their output added to -oG files. For host discovery, this is probably
> > sufficient for your purposes. Just realize that XML is more complete, if you
> > plan on extending your interface to support more thorough scanning.
>
> Does that mean that it will be going away anytime soon? If so I would
> move to parsing with XML or even leaving the XML response parsing to
> anyone implementing the project but ideally a smaller footprint is
> going to be ideal for this project.
>
> > Looks cool!
>
> Thanks, I am working on the detail scanning portion now in branch v0.0.3-scan.
>
> > Dan



-- 
Jas
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/