Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: massping issue
From: David Fifield <david () bamsoftware com>
Date: Thu, 2 Apr 2009 13:39:31 -0600

On Thu, Apr 02, 2009 at 09:06:50AM -0400, Justin Azoff wrote:
Hi, since upgrading from debian etch nmap to debian lenny nmap (4.11 to
4.62) I noticed that a script that runs a ping scan across our /16
stopped finding 90% of the hosts.

The command ran is simply:
nmap --host_timeout 2000 -n -sP -PE a.b.0.0/16

The highest latency on the network is under 100ms, so 2000 should be
more than high enough to find everything.

I used git bisect against git://git.debian.org/~lamont/nmap.git to track
this down to a commit, and the result was


which corresponds to '4.22SOC6'

The changelog for that says:

+o Included David's major massping migration project.  The same
+  underlying engine is now uses for ping scanning as for port
+  scanning.  We hope this will lead to better performance and
+  accuracy, as well as helping to de-bloat Nmap.  Please test it out
+  and report your results to nmap-dev!  For more details, see
+  http://seclists.org/nmap-dev/2007/q3/0277.html

the test I ran was:

time sudo nmap --host_timeout 2000 -n -sP -PE a.b.0.0/16 -oG - | grep
'Status: Up' -c

I verified that with the previous rev
(f501df2e2a74f0bc8ce35a9ddc67d6864afddf96) the results are:
num: 3868
time: 9:36

with d37f15389455ff474c00223cbf18be4117cedd76 the results are:
num: 291
time: 1:11

so it runs in 1/10th the time, but finds 1/10th the hosts.

I also tested this with nmap-4.85BETA7:
num: 376
time: 0:39

and svn HEAD:
num: 351
time: 0:40

Thanks for your detailed report. I don't think --host-timeout is what
you want here. You want --max-rtt-timeout instead. --host-timeout is an
absolute start-to-finish limit on total time taken for each host.
Because 4096 hosts are scanned in parallel during ping scan, you are
only allowing 2 seconds to scan all 4096 of them.

The reason you got more hosts with 4.11 is that massping didn't respect
--host-timeout in that version. The option simply didn't have an effect
during ping scans. Now host are allowed to time out during ping scans,
and two seconds

So try using --max-rtt-timeout instead. Host timeouts are usually
specified in at least minutes, and RTT timeouts are usually in

David Fifield

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]