Nmap Hackers: Nmap 3.10 statistics patch

Nmap 3.10 statistics patch

From: Ossian Vitek <ian.Vitek_at_ixsecurity.com>
Date: Tue, 26 Nov 2002 10:14:40 +0100

The scan can go on for a while if you are scanning firewalled hosts.
There are nmap switches to increase ports per second, but how much?

I have added a switch that prints two lines of statistics.
The new -c switch guesses how long the scan will take.
Output example:
Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
Tried: 192 (150 resends)
P/S: 12.00 ETS: 9

The -c switch shows how many ports have been tested, resends,
 ports per second and the estimated remaining time of the scan.
The patch works on nmap-3.10ALPHA3 and nmap-3.10ALPHA4. It will
 probably work on other nmap-3.10 releases.

Patch with:
tar -xvzf nmap-3.X.tgz
cd nmap-3.X
patch -p1 < PATH_TO/nmap-3.10ALPHA4_statistics-1.diff

nmap-3.10ALPHA4_statistics-1.diff is an nmap hack. It is not an official
nmap patch.
Feel free to forward it if you like it.

//Ian Vitek, iXsecurity
ian.vitek_at_ixsecurity.com

nmap-3.10ALPHA4_statistics-1.diff
------------------------ cut --------------------------
diff -r -u nmap-3.10ALPHA3/NmapOps.h nmap-3.10ALPHA3IX/NmapOps.h
--- nmap-3.10ALPHA3/NmapOps.h 2002-09-16 04:54:43.000000000 +0200
+++ nmap-3.10ALPHA3IX/NmapOps.h 2002-11-10 11:24:26.000000000 +0100
@@ -80,6 +80,7 @@
   // setPacketTrace(false) has been called
   void setPacketTrace(bool pt) { pTrace = pt; }
   int verbose;
+ int count;
   int randomize_hosts;
   int spoofsource; /* -S used */
   char device[64];
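Review bot: `int count;` is added to NmapOps with no comment and no default; the only assignment anywhere in this patch is `o.count=1` in the 'c' case, so its value when -c is absent depends on how the options object is created. scan_engine.cc tests `if (o.count)` on every probe, so set it to 0 explicitly where the other options get their defaults, and give it a trailing comment in the style of `/* -S used */` on the neighbouring member.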
diff -r -u nmap-3.10ALPHA3/nmap.cc nmap-3.10ALPHA3IX/nmap.cc
--- nmap-3.10ALPHA3/nmap.cc 2002-09-16 05:00:21.000000000 +0200
+++ nmap-3.10ALPHA3IX/nmap.cc 2002-11-10 10:07:53.000000000 +0100
@@ -172,6 +172,7 @@
   {
     {"version", no_argument, 0, 'V'},
     {"verbose", no_argument, 0, 'v'},
+ {"count", no_argument, 0, 'c'},
     {"debug", optional_argument, 0, 'd'},
     {"help", no_argument, 0, 'h'},
     {"max_parallelism", required_argument, 0, 'M'},
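Review bot: the new `{"count", no_argument, 0, 'c'}` entry only registers the long name, and no hunk in this patch touches the short-option string passed to the option parser. Unless 'c' is already present in that string, `-c` as documented in the usage text would be rejected while `--count` works; add 'c' (without a colon, since it takes no argument) if it is missing.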
@@ -571,6 +572,7 @@
       exit(0);
       break;
     case 'v': o.verbose++; break;
+ case 'c': o.count=1; break;
     }
   }

@@ -1208,6 +1210,7 @@
       " -p <range> ports to scan. Example range:
'1-1024,1080,6666,31337'\n"
       " -F Only scans ports listed in nmap-services\n"
       " -v Verbose. Its use is recommended. Use twice for greater
effect.\n"
+ " -c Counting stats\n"
       " -P0 Don't ping hosts (needed to scan www.microsoft.com and
others)\n"
       "* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys\n"
          " -6 scans via IPv6 rather than IPv4\n"
diff -r -u nmap-3.10ALPHA3/scan_engine.cc nmap-3.10ALPHA3IX/scan_engine.cc
--- nmap-3.10ALPHA3/scan_engine.cc 2002-09-16 06:39:58.000000000 +0200
+++ nmap-3.10ALPHA3IX/scan_engine.cc 2002-11-10 15:31:11.000000000
+0100
@@ -536,6 +536,8 @@
   struct scanstats ss;
   int rawsd = -1;
   int scanflags = 0;
+ int itimes = 0;
+ int iresends = 0;
   int victim;
   int senddelay = 0;
   pcap_t *pd = NULL;
@@ -545,6 +547,7 @@
   int res;
   int connecterror = 0;
   int starttime;
+ int lastcheckedtime;
   struct sockaddr_storage sock;
   struct sockaddr_in *sin = (struct sockaddr_in *) &sock;
 #if HAVE_IPV6
@@ -700,6 +703,7 @@
   }

   starttime = time(NULL);
+ lastcheckedtime = 0;

   if (scantype != SYN_SCAN)
     ack_number = get_random_uint();
@@ -912,6 +916,15 @@
          current->state = PORT_TESTING;
          current->trynum = 0;
          /* if (!testinglist) testinglist = current; */
+ if (o.count) {
+ itimes++;
+ if ( time(NULL) != lastcheckedtime ) {
+ lastcheckedtime = time(NULL);
+ log_write(LOG_STDOUT, "Tried: %5d (%d resends) \nP/S:
%8.2f ETS: %7.0f \e[28D\e[A", itimes , iresends , (double) ( itimes ) / (
1 + lastcheckedtime - starttime ) , (double) ( numports - itimes + iresends
) / ( (double) itimes / ( 1 + lastcheckedtime - starttime ) ) );
+ log_flush(LOG_STDOUT);
+ }
+ }
+
          ss.numqueries_outstanding++;
          gettimeofday(&current->sent[0], NULL);
          if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) ||
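Review bot: the progress line in the added `if (o.count)` block writes the cursor-control sequences `\e[28D\e[A` through log_write(LOG_STDOUT, ...) unconditionally, so they end up in the output whenever stdout is redirected to a file or a pipe, and `\e` is a compiler extension rather than standard C. Guard the block on stdout being a terminal (isatty) and spell the escape as `\033`. time(NULL) is also called twice per probe here; read it once into a local and compare and store that value.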
@@ -1049,6 +1062,7 @@
        current->state = PORT_FRESH;
        current->trynum = 0;
        current->sd[0] = current->sd[1] = current->sd[2] = -1;
+ iresends++;
        if (o.debugging) {
          log_write(LOG_STDOUT, "Preparing for retry, nonresponsive port
%lu noted\n", current->portno);
        }
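Review bot: the log_write context line in this hunk is broken across two lines as posted ("Preparing for retry, nonresponsive port" / "%lu noted\n"), and the added log_write calls and the scan_engine.cc `+++` header are wrapped the same way, so `patch -p1` will not match these hunks when the diff is taken from the message body. Send the diff as an attachment or with line wrapping disabled. Separately, `iresends++` runs whether or not -c was given; that is harmless, but wrapping it in `if (o.count)` would keep the new counters consistent with `itimes`.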
@@ -1245,6 +1259,9 @@
   int tries = 0;
   int tmp = 0;
   int starttime;
+ int lastcheckedtime;
+ int itimes = 0;
+ int iresends = 0;
   u16 newport;
   int newstate = 999; /* This ought to break something if used illegally
*/
   struct portinfo *scan, *openlist, *current, *testinglist, *next;
@@ -1334,6 +1351,7 @@
     fatal("Unknown scan type for super_scan"); }

   starttime = time(NULL);
+ lastcheckedtime = 0;

   if (o.debugging || o.verbose)
     log_write(LOG_STDOUT, "Initiating %s against %s\n",
scantype2str(scantype), target->NameIP(hostname, sizeof(hostname)));
@@ -1416,6 +1434,14 @@
          /* lets send a packet! */
          current->state = PORT_TESTING;
          /* if (!testinglist) testinglist = current; */
+ if (o.count) {
+ itimes++;
+ if ( time(NULL) != lastcheckedtime ) {
+ lastcheckedtime = time(NULL);
+ log_write(LOG_STDOUT, "Tried: %5d (%d resends) \nP/S:
%8.2f ETS: %7.0f \e[28D\e[A", itimes , iresends , (double) itimes / ( 1 +
lastcheckedtime - starttime ) , (double) ( numports - itimes + iresends ) /
( (double) ( itimes + iresends ) / ( 1 + lastcheckedtime - starttime ) ) );
+ log_flush(LOG_STDOUT);
+ }
+ }
          numqueries_outstanding++;
          gettimeofday(&current->sent[0], NULL);
          if (o.fragscan)
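Review bot: the ETS expression in this block divides the remaining ports by `( itimes + iresends ) / elapsed`, while the otherwise identical block added earlier in scan_engine.cc divides by `itimes / elapsed`, so the two scan paths report different estimates for the same counters. `itimes` is incremented at every "lets send a packet!" point and `iresends` whenever a port is put back for retry, so adding `iresends` to the rate appears to count retried probes twice. Pick one formula and move the block into a small helper called from both places so the copies cannot drift again.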
@@ -1637,6 +1663,7 @@
     for(current = openlist; current; current = (current->next >= 0)?
&scan[current->next] : NULL) {
       current->state = PORT_FRESH;
       current->trynum = 0;
+ iresends++;
       if (o.debugging) {
      log_write(LOG_STDOUT, "Preparing for retry, open port %lu noted\n",
current->portno);
       }

------------------------ cut --------------------------

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
Received on Nov 26 2002
