Nmap Development mailing list archives

bandwidth consumption during scanning
From: "testic" <testic () testic demon co uk>
Date: Sun, 7 Dec 2003 18:42:53 -0000

Additional to my previous post regarding the amount of
bandwidth/network-strain used/caused during a typical scan I ran Nmap
against a machine on a local network in conjunction with tcpdump to see just
how much data was generated.

Nmap was run as follows and gave the following results:

$ nmap -sT -O -sVVV -P0 -F -T5
Starting nmap 3.48 ...
Interesting ports on
(The 1210 ports scanned but not shown below are in state: closed)
139/tcp open  netbios-ssn
No exact OS matches for host ...
TCP/IP fingerprint:
(I will post this 'new' fingerprint later, it was win98 :) )
Nmap run completed -- 1 IP address (1 host up) scanned in 30.116 seconds

I had a look in the Nmap man page to see exactly what 'closed' means, but I
couldn't see a definition for it, defined were 'filtered' 'un-filtered' and
'open', perhaps my man page is an old one... I understand 'closed' to mean
that no response at all was received from that particular port, which is
strange because the target host in question is an un-firewalled Windows98
machine which I believe would send an RST for ports which aren't fully open.
Not that it really matters in this instance, it's just that ports that aren't
fully open and do send a response to indicate that a connection won't be
accepted would generate more data.

tcpdump (with -w) said:
2480 packets received by filter
0 packets dropped by kernel

The total size of the dumped file was 206,212 bytes and was a total of data
both sent and received. Presumably more packet data would have been captured
if more than one port was open. If this scan had been run on 80,000 hosts
all giving the same results the size of data would have been 15,733MB, that's
198.4 million packets.

Just out of interest I ran a few Nmap scans against the same machine with
different options and measured the size of data, tcpdump was run with the
same arguments each time:

# A basic connect() scan.
  nmap -sT -P0 -F -T5
# A basic connect() scan with OS detection.
  nmap -sT -P0 -F -T5 -O
# A basic connect() scan with lots of service probing (1 service found).
  nmap -sT -P0 -F -T5 -sVVV
# A basic connect() scan with lots of service probing (7 services found, 3
# known, 4 unknown).
# The same machine and everything, I just opened a few services.
  nmap -sT -P0 -F -T5 -sVVV
# A basic connect() scan with lots of service probing (3 services found, 0
# I closed the unknown services.
  nmap -sT -P0 -F -T5 -sVVV

At this point it became apparent that programs on the target host had
started crashing inexplicably so I thought it best to stop ;)


For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
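
An added example, not part of the original post: a `tcpdump -w` file holds a 24-byte file header plus a 16-byte header per packet, and frames may be cut at the snap length, so this sketch reads packet and on-the-wire byte totals from the pcap records themselves and scales them to a host count as the post does. The function names, the zero-filled sample capture and its snap length of 68 are constructed for illustration.

```python
import struct

PCAP_GLOBAL_HDR = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = 16   # ts_sec, ts_usec, incl_len, orig_len

def pcap_stats(data: bytes) -> dict:
    """Count packets and bytes in a classic libpcap capture held in memory."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    packets = captured = wire = 0
    off = PCAP_GLOBAL_HDR
    while off + PCAP_RECORD_HDR <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += PCAP_RECORD_HDR + incl_len
        if off > len(data):
            break  # final record is truncated, do not count it
        packets += 1
        captured += incl_len   # bytes stored in the file (cut at snaplen)
        wire += orig_len       # bytes the frame had on the network
    return {"packets": packets, "captured_bytes": captured, "wire_bytes": wire,
            "file_overhead": PCAP_GLOBAL_HDR + PCAP_RECORD_HDR * packets}

def extrapolate(stats: dict, hosts: int) -> dict:
    """Scale one host's totals to `hosts` identical targets."""
    return {"packets": stats["packets"] * hosts,
            "wire_mib": stats["wire_bytes"] * hosts / 2**20}

def build_sample_pcap(frame_lengths, snaplen=68) -> bytes:
    """Constructed capture: zero-filled Ethernet frames cut at snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, n in enumerate(frame_lengths):
        incl = min(n, snaplen)
        out += struct.pack("<IIII", i, 0, incl, n) + bytes(incl)
    return out

if __name__ == "__main__":
    sample = build_sample_pcap([74, 60, 74, 60, 1514])  # constructed sizes
    s = pcap_stats(sample)
    print(s)
    print(extrapolate(s, 80_000))
```

Comparing `wire_bytes` with the file size shows how far per-packet headers and snap-length truncation pull the file size away from the traffic that actually crossed the network.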
