Re: Detecting hosts in large subnets
From: doug () hcsw org
Date: Mon, 26 Dec 2005 22:46:15 -0800
1. From the sniffer output I see that nmap sends a second arp for every host
that does not respond. Is there a way to cancel this behavior?
Interesting you mention this right now. The next version of Nmap (due out soon)
should include a new command line option: --max_retries
Read about it here:
I found this:
o Added --max_retries option for capping the maximum number of
retransmissions the port scan engine will do. The value may be as low
as 0 (no retransmits). A low value can increase speed, though at the
risk of losing accuracy. The -T4 option now allows up to 6 retries,
and -T5 allows 2. Thanks to Martin Macok
(martin.macok(a)underground.cz) for writing the initial patch, which I
changed quite a bit. I also updated the docs to reflect this neat
As it says, this is an adaptation of Martin's patch which you can find here:
if you're desperate for the functionality. I believe this patch doesn't allow
a parameter of 0 (which sends no retransmissions at all) although the official
version in the next release will.
Although this is exactly the functionality you've asked about, unfortunately
I can't recommend a --max_retries of 0 if you are at all concerned with
accuracy. Use with caution. :)
3. Is there some kind of lib-nmap? The best thing I managed so far was
running nmap directly from my app, direct the output to a file and parse it.
No, there is no separate libnmap although this has been discussed before on
the mailing lists. See this thread, for instance:
A "libnmap" was proposed in the 2003 user survey and didn't exactly get a
stunning response. (It just barely beat out auto-r00ter):
The recommended way to interact with nmap from other programs is
to use XML output (-oX). Here is the DTD:
From the newest manpage:
XML offers a stable format that is easily parsed by software. Free XML parsers are available for all major computer
languages, including C/C++, Perl, Python, and Java. People have even written bindings for most of these languages to
handle Nmap output and execution specifically. Examples are Nmap::Scanner and Nmap::Parser in Perl CPAN. In almost all
cases that a non-trivial application interfaces with Nmap, XML is the preferred format.
4. Are there any licensing issues when including nmap and libpcap (it's a
windows app) in a commercial release?
libpcap is covered under the BSD license and, as such, can be compiled into
binaries without making the source available. However, nmap (and associated
data files such as nmap-service-probes, nmap-os-fingerprints, etc) are covered
under the GNU GPL. You are required to distribute complete source code if you distribute
a binary containing code from Nmap. For specifics, see the following files in
the nmap source tree:
5. If I change max_rtt_timeout to 100 the scan time goes from 87 seconds to
150 seconds. Almost a linear increase. This is somewhat counterintuitive to
me. I assume the time deficit is because of some limitations on the number
of open sockets, which slows down the ability to send arp requests (is it
Since ARP requests operate way below the socket layer, it's probably
unlikely this behaviour is caused by userland socket limitations.
Hope this helps!
Sent through the nmap-dev mailing list
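As an added illustration of the XML-output approach recommended above (this is not code from the post or from the Nmap project), the following Python parses a constructed, trimmed sample of Nmap's `-oX` output and returns the hosts that answered, the reason Nmap recorded for the "up" verdict (e.g. an ARP reply), and their open ports; the sample XML and its addresses are made up for the example.

```python
"""Parse Nmap XML output (-oX) to list live hosts and their open ports."""
import xml.etree.ElementTree as ET

# Constructed sample of Nmap's XML output (-oX), trimmed to the elements used
# below; not captured from a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sP -oX - 192.168.1.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def live_hosts(xml_text):
    """Return {ipv4: {"mac", "reason", "open_ports"}} for hosts Nmap reported up."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # host never answered (e.g. no ARP reply after retries)
        ipv4 = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ipv4 = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        open_ports = [
            int(p.get("portid"))
            for p in host.findall("ports/port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        ]
        result[ipv4] = {"mac": mac, "reason": status.get("reason"), "open_ports": open_ports}
    return result

if __name__ == "__main__":
    for ip, info in live_hosts(SAMPLE_XML).items():
        print(ip, info["mac"], info["reason"], info["open_ports"])
```

With a real scan, feed the file written by `-oX` (or stdout from `-oX -`) into `live_hosts` instead of the sample string.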