Hi all,
I suspect this problem is very much OS related - if anyone
knows, please feel free to redirect me to an appropriate
forum.
We've been mucking around with nmap to optimize its run
time when scanning firewalls - the pesky things tend
not to respond to packets. In the process, we noticed
some interesting behaviour.
Specifically, if you scan ports 1-65535, the time taken
is MUCH longer than if you were to scan the same range
of ports, but in 10,000 port chunks (say 7 consecutive
runs of 10,000 ports). This in turn takes 3 times
longer than if you were to do 65 consecutive runs
of 1000 port increments.
Anyone have any idea why breaking down a scan into
small chunks works so much faster?
Typically, if we start with a "seed" scan of
the ports 1-50, it might take 50 seconds or so.
Thereafter, if we scan 1000 ports at a time, each
1000 ports might take only 7-8 seconds!
The examples we have been working with apply
to several different scenarios we have tested:
a) Internal class A network 10.0.0.0, with a
non-existent IP used, such as 10.1.2.3
b) Valid IP address on network used that is
5 hops away from scanning machine, but
no host answering on that network.
An easy way to replicate the behaviour is to run
nmap twice on a port range (say ports 1-100).
The first time will take much longer than the second
time.
Any idea what gives?
Thomas
Received on Jul 21 1999
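An added example, not part of Thomas's post: a small POSIX shell harness that splits a port range into fixed-size chunks and times one nmap run per chunk, so the whole-range and chunked timings described above can be compared on the firewalls being tuned. The target address (10.1.2.3 from the post), the chunk sizes and the default nmap invocation are assumptions; the post does not explain the cause of the difference, and this script only measures it.

```shell
#!/bin/sh
# Added example (not from the original post): split a port range into
# fixed-size chunks and time one nmap run per chunk, the way the post
# describes, so per-chunk times can be compared with one whole-range run.
# Target and nmap options are assumptions.

# Emit "lo-hi" port ranges covering START..END in chunks of SIZE.
port_chunks() {
    start=$1; end=$2; size=$3
    lo=$start
    while [ "$lo" -le "$end" ]; do
        hi=$((lo + size - 1))
        if [ "$hi" -gt "$end" ]; then hi=$end; fi
        echo "${lo}-${hi}"
        lo=$((hi + 1))
    done
}

# Number of chunks port_chunks would produce (for sizing a run).
chunk_count() {
    port_chunks "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Run nmap once per chunk and print wall-clock seconds for each chunk.
# NMAP_CMD can be overridden (e.g. NMAP_CMD=echo for a dry run).
timed_chunk_scan() {
    target=$1; start=$2; end=$3; size=$4
    cmd=${NMAP_CMD:-nmap}
    for range in $(port_chunks "$start" "$end" "$size"); do
        t0=$(date +%s)
        "$cmd" -p "$range" "$target" >/dev/null 2>&1
        t1=$(date +%s)
        echo "ports $range: $((t1 - t0))s"
    done
}

# Usage (the non-answering address from the post, 1000-port chunks):
#   timed_chunk_scan 10.1.2.3 1 65535 1000
# Whole-range run for comparison:
#   timed_chunk_scan 10.1.2.3 1 65535 65535
```

Running the same harness with a chunk size equal to the full range gives the single-run time, so the three cases in the post (one run, 10,000-port chunks, 1,000-port chunks) can be measured back to back with the same command line.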