Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: RTT times different between nping and other ping implementations
From: Fyodor <fyodor () nmap org>
Date: Tue, 11 Dec 2012 11:45:29 -0800

On Tue, Dec 11, 2012 at 10:06 AM, Keith Christian <keith1christian () gmail com
wrote:


Windows ping yields 29 / 33 / 29 ms for min/max/avg, and nping yields
47 / 31 / 34.4.  I'd be wiling to toss the min/max values, but why so
much difference in the mean?


Hi Keith, that's a good observation.  And I get similar results against the
Linux ping utility.  Here's what I got with normal ping:

# ping -c50 scanme.nmap.org
PING scanme.nmap.org (74.207.244.221) 56(84) bytes of data.
[...]
50 packets transmitted, 50 received, 0% packet loss, time 49068ms
rtt min/avg/max/mdev = 20.352/24.735/48.281/5.980 ms

Then I tried the same with latest svn Nping:

# nping/nping -c50 scanme.nmap.org

Starting Nping 0.6.26SVN ( http://nmap.org/nping ) at 2012-12-11 11:07 PST
[...]
Max rtt: 134.212ms | Min rtt: 20.138ms | Avg rtt: 29.056ms
Raw packets sent: 50 (1.400KB) | Rcvd: 50 (1.400KB) | Lost: 0 (0.00%)

So Nping's max time was like triple the Linux-ping's max, and the Nping
average took 4.3ms (17%) longer.

I did some limited testing with tcpdump running during nping and it seemed
to confirm the Nping-reported times in the small number of cases I
examined. Next I tried using the Nping --send-ip option which uses "raw
sockets" to send the packets rather than building and sending lower level
ethernet frames:

# nping/nping --send-ip -c50 scanme.nmap.org

Starting Nping 0.6.26SVN ( http://nmap.org/nping ) at 2012-12-11 11:31 PST
[...]
Max rtt: 48.513ms | Min rtt: 19.738ms | Avg rtt: 24.019ms
Raw packets sent: 50 (1.400KB) | Rcvd: 50 (1.400KB) | Lost: 0 (0.00%)

Here the results are very similar to (and slightly better than) the normal
Linux ping.  Our Nping max, min, and average are all within 1 ms of the
Linux ping equivalent.

So the answer to your question seems to be that Nping is a bit slower than
OS provided ping utilities because it uses ethernet frame sending by
default rather than raw sockets.  This might due to inefficiencies in our
(Nmap/Nping) ethernet frame sending implementation, or it could be that the
OS takes longer to handle sends this way.  I kind of suspect inefficiencies
in our system, since it is apparently also slower on Windows.  It would be
great if someone could figure out why our ethernet sends are slower, since
improving that (if possible) could make Nmap faster too.

But in the meantime, a workaround is to use --send-ip on Linux/BSD/Mac
systems to get the most accurate times.  Unfortunately, this doesn't work
on Windows since MS blocked raw sockets in Windows XP SP2.  I still hope
they will revisit that mistake sometime.

Cheers,
Fyodor
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]