Nmap Development mailing list archives
Good nmap timeout values for port scans of filtering hosts on local LAN
From: Alek Komarnitsky <alek () komar org>
Date: Mon, 6 Aug 2001 10:31:22 -0600
[I Emailed this out earlier, but never saw it show up on Email or archives]

Nmap'ers,

I hope this is a "dumb" question with an easy answer that for some reason I can't figure out. I've been using nmap to do nightly scans of the hosts on a LAN and then generating diff outputs - kinda a poor-man's network tripwire! ;-)

However, after installing Linux7.1, nmap goes into "spin mode" on these ... since they are not returning "port closed" to the port scan, but simply dropping the packets (filtering is a good thing!) ... so nmap has to wait some sort of timeout period before making sure nothing came back.

I thought this would be easy to fix ... simply crank down max_rtt_timeout; especially since all the machines are on the local LAN. However, setting this to 50 (milli-seconds) rather than the default 9000 didn't show any wall-time difference on a scan of 100 ports. If I set this to 5, nmap returned in a second or two ... but the results were quite variable and consistently wrong on a few random ports.

So ... are there some sort of timeout parameters that would allow me to continue my periodic port scans of a LAN connected (same subnet even, so no routers) Linux7.1 in a reasonable time, yet provide correct and consistent results for these machines doing filtering?

BTW, no need to be stealthy here ... it's my network. And I'm using a "fresh" download/compile of nmap2.54BETA27 on a Linux6.2 box.

Thanx,
alek

P.S. I too had read Steve Gibson's "raw sockets in Windoze XP will be the end of the world" writeup ... I gotta agree with Fyodor and others that he's a crackup. However, it IS entertaining reading; I especially like the "nano-probes" (sounds sooo cool!) and quite frankly, am I the only one who thinks he just made up the whole online chat with "Wicked" and "Boss" ... the crackers who keep telling Steve how smart he is?!?
;-)
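The nightly scan-and-diff routine described in the message, as an added example that is not part of the original post: it assumes each night's scan was saved in nmap's grepable format (`-oG`), and the sample lines, addresses and function names are constructed for illustration. A port that starts dropping packets shows up as an `open -> filtered` change rather than vanishing from the report.

```python
import re

# Constructed sample data: two nights of `nmap -oG` (grepable) output.
NIGHT_1 = """\
# Nmap run (constructed sample)
Host: 192.168.1.10 (alpha)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/filtered/tcp//sunrpc///
Host: 192.168.1.11 (beta)\tPorts: 22/open/tcp//ssh///
"""
NIGHT_2 = """\
# Nmap run (constructed sample)
Host: 192.168.1.10 (alpha)\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///, 111/filtered/tcp//sunrpc///, 6000/open/tcp//X11///
Host: 192.168.1.12 (gamma)\tPorts: 25/open/tcp//smtp///
"""

def parse_grepable(text):
    """Return {(host, proto, port): state} from grepable nmap output."""
    states = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # comments, "Status:" lines, hosts with no listed ports
        host, ports = m.groups()
        for entry in ports.split(","):
            # Each entry is port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[0].isdigit():
                states[(host, fields[2], int(fields[0]))] = fields[1]
    return states

def diff_scans(old_text, new_text):
    """List (host, proto, port, old_state, new_state) for every change."""
    old, new = parse_grepable(old_text), parse_grepable(new_text)
    changes = []
    for key in sorted(set(old) | set(new)):
        # "absent" = not listed that night (closed ports are usually summarised)
        before, after = old.get(key, "absent"), new.get(key, "absent")
        if before != after:
            changes.append(key + (before, after))
    return changes

if __name__ == "__main__":
    for host, proto, port, before, after in diff_scans(NIGHT_1, NIGHT_2):
        print(f"{host} {port}/{proto}: {before} -> {after}")
```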
