
Nmap Development mailing list archives

Re: SYN-scan and TCP-connect scan time difference.
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 23 Jan 2014 12:00:51 -0600

On 01/23/2014 10:33 AM, Anton Konvalyuk wrote:

I was scanning a large network (/18). I've noticed a strange occurrence. When I use 'sudo nmap --open -T4 -F -oX report xxx.xxx.xxx.xxx/18', scanning lasts for more than 2 hours. But if I use 'nmap --open -T4 -F -oX report xxx.xxx.xxx.xxx/18' it takes approximately 2 minutes. And there is no big difference when using the '-n' option.

Could you tell me what the reason is? The only information I've found is http://seclists.org/nmap-dev/2006/q1/370. So why is TCP-connect faster than SYN-scan? And why is the difference so big?

Nmap version: 6.00
OS: Debian 6.0 x86_64


I am surprised that you are finishing a /18 scan in 2 minutes, no matter what options you choose. Have you compared the results to be sure that you are not losing data? Against a large network without many hosts, the host discovery phase would possibly be the source of delay. With root privilege, Nmap sends 4 probes to determine whether a host is alive, but only 2 probes without privileges. Have a look at the <taskbegin> and <taskend> elements in the XML output to see how long each phase of the scan took.

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
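As an added example (not code from the thread or from the Nmap project), this Python script does the check suggested in the reply: it reads the <taskbegin> and <taskend> elements from an Nmap XML report and totals the time spent in each phase, so you can see whether host discovery dominates a large-network scan. Nmap repeats the phases once per host group, so durations are summed per task name. The XML below is a constructed sample with made-up timestamps and counts.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the timing elements Nmap writes to -oX output.
# Two host groups are shown; timestamps and counts are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --open -T4 -F -oX report 10.0.0.0/18"
         start="1390500000" version="6.00">
  <taskbegin task="Ping Scan" time="1390500000"/>
  <taskend task="Ping Scan" time="1390503600" extrainfo="8192 total hosts"/>
  <taskbegin task="Parallel DNS resolution of 8192 hosts." time="1390503600"/>
  <taskend task="Parallel DNS resolution of 8192 hosts." time="1390503630"/>
  <taskbegin task="SYN Stealth Scan" time="1390503630"/>
  <taskend task="SYN Stealth Scan" time="1390503690" extrainfo="500 total ports"/>
  <taskbegin task="Ping Scan" time="1390503690"/>
  <taskend task="Ping Scan" time="1390507290" extrainfo="8192 total hosts"/>
  <taskbegin task="SYN Stealth Scan" time="1390507290"/>
  <taskend task="SYN Stealth Scan" time="1390507350" extrainfo="500 total ports"/>
  <runstats><finished time="1390507350" elapsed="7350.00"/></runstats>
</nmaprun>
"""


def phase_durations(xml_text):
    """Return [(task, seconds, extrainfo)] for each taskbegin/taskend pair, in order."""
    root = ET.fromstring(xml_text)
    pending = {}   # task name -> start time of the currently open phase
    phases = []
    for el in root.iter():
        if el.tag == "taskbegin":
            pending[el.get("task")] = int(el.get("time"))
        elif el.tag == "taskend":
            task = el.get("task")
            start = pending.pop(task, None)
            if start is None:
                continue  # taskend without a matching taskbegin: skip it
            phases.append((task, int(el.get("time")) - start, el.get("extrainfo", "")))
    return phases


def summarize(xml_text):
    """Total seconds and run count per task name across all host groups."""
    totals = {}
    for task, secs, _ in phase_durations(xml_text):
        entry = totals.setdefault(task, {"runs": 0, "seconds": 0})
        entry["runs"] += 1
        entry["seconds"] += secs
    return totals


def slowest_phase(xml_text):
    """Name of the task that consumed the most total time."""
    totals = summarize(xml_text)
    return max(totals, key=lambda t: totals[t]["seconds"])


if __name__ == "__main__":
    for task, entry in summarize(SAMPLE_XML).items():
        print(f"{task:45s} runs={entry['runs']:3d} seconds={entry['seconds']:6d}")
    print("slowest phase:", slowest_phase(SAMPLE_XML))
```

Point the script at a real report by replacing SAMPLE_XML with the contents of the -oX file; the task names ("Ping Scan", "SYN Stealth Scan", "Connect Scan") come straight from Nmap's output.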
