Nmap Development: Re: Performance Tuning NMAP

[Bill Petersen <bill.petersen () alcatel com>]

Adam, and others who have replied to my email.

Thanks for the inputs.  I will be testing combinations of them over the 
next week or two to determine the best combination of options and methods.
I believe I will use a process similar to what Adam has outlined below.
My only concern is with missing hosts.  Some are close by - same 
building, but other machines are in Asia, and Europe.  Some of the links 
 are not so fast, so I am worried about timeouts giving me false data. 
It could vary not only from one class C to another, but from a subnet of 
a class C to another.
Any words of advice?


One test I did just amazed me.

I did an nmap -sS -P0 -p 21-25,80,135-139 on a set of local hosts
with the stock Linux rpm for 3.55 on a dual xeon machine,
it took 5 minutes and 45 seconds

Same options, same hosts, but
this time with 3.75, compiled with the -mcpu=Pentium4 and -O3
the same scan ran in 18 seconds!!


Bill Petersen, CISSP
Senior Information Security Analyst
Alcatel North America Information Security
Bill.Petersen () alcatel com
Voice: 972-519-4249
Fax:   972-477-5300

Pritchard, Adam (IDS EUC EMEA) wrote:
> Hi Bill,
>
> I have recently been working on a scanning service for my company. The
> objective was to create a system that can successfully identify every
> host on two class B networks (131,072 IPs). I have managed to scan all
> of these IPs and identify them in ~18 hours using a single instance of
> nmap on standard workstation hardware.
>
> I managed to improve the scan times by performing a multi-threaded ping
> sweep and entering only live hosts into a text file which is used for
> nmap's input list (-iL).
>
> The whole process looks like this in my log file:
>
> [21/12/2004 15:19:13] Commencing scan on subnet xxx.xxx.xxx.0/24 to find
> live hosts
> [21/12/2004 15:19:23] Written Nmap scan range(s) for 118 hosts from
> subnet xxx.xxx.xxx.0/24
> [21/12/2004 15:19:23] Starting Nmap run, saving results to
> nmap_results.log
> [21/12/2004 15:21:23] Nmap run completed in 00:02:00.39
> [21/12/2004 15:21:25] Imported Nmap grep results from nmap_results.log
> [21/12/2004 15:21:25] Commencing multi-threaded post checks
> [21/12/2004 15:21:48] Completed post checks on 118 hosts in 00:00:23.20
> [21/12/2004 15:21:51] Integrated scan results with master database
>
> A whole class C network is scanned in just over two and a half minutes.
>
> I have not looked into running multiple instances of nmap because I do
> not wish to place unnecessarily large loads on the network and
> particularly the subnet I am running the scan from.
>
> Regards,
> Adam
>
> -----Original Message-----
> From: Bill Petersen [mailto:bill.petersen () alcatel com] 
> Sent: 17 December 2004 16:18
> To: nmap-dev () insecure org
> Subject: Performance Tuning NMAP
>
>
> Hello,
> A project I am working on will require me to scan over 1 million IPs 
> monthly (yes, all owned by my company). I have acquired a dual Xeon 3GHz
> system with 4GB of RAM for the job.  I plan to turn on -sV and -O to get
>
> version and OS information in addition to 'is the machine up' and 
> general port information. It will be running Fedora Core 3.
> My questions are:
> 1. How would you tune this system for the task?
> 2. What options would you turn on / off at compile time?
> 3. How would you tune nmap at run time for the task?
>
> In the past, threads within nmap have not helped me much.  I have 
> actually used a perl script to help me maximize the throughput by 
> running up to 190 concurrent nmaps (on a similarly configured machine).
> I'd like to get away from that and have nmap take over the task.  Any 
> suggestions?
> Thanks for your input.
>
> Regards,
> Bill

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature