Nmap Development mailing list archives

Re: Good nmap timeout values for port scans of filtering hosts on local LAN


From: Fyodor <fyodor () insecure org>
Date: Tue, 7 Aug 2001 21:26:05 -0700

On Mon, Aug 06, 2001 at 02:11:26PM -0500, H D Moore wrote:

> If you already know your max rtt time, try setting your
> initial_rtt_timeout to something very small (like 5).

Heh, "very small" is an understatement.  Only mad scientists like HD
should use 5 -- it tells Nmap to only wait one two-hundredth of a
second before giving up on receiving a response to a probe!  Even I
wouldn't dare use anything less than 30 or 50 ms :).

> The following
> tests show that no max timeout took about a minute, a max timeout of
> 50 took over two minutes, and a very small initial timeout plus a
> max timeout of 50 took _4_ seconds ;)

OK, so I admit that your daredevil tactics can produce fast times :).
However, the first two times seem odd to me.  It looks like the max
timeout is being ignored.  I think the reason it took longer is just
normal variance -- a scan like yours speeds up dramatically once it
finds the open port (22).  So in the second case, port 22 probably
came much later in the (random) port list.  You can get much more
reliable numbers for this type of test when using -r (which turns off
port randomization).

HOWEVER, the --max_rtt_timeout 50 should have made the scan a LOT
faster.  You have uncovered a bug in Nmap.  Good find!  If
--max_rtt_timeout is set to a lower value than the default
initial_rtt_timeout, the latter value should be immediately reduced to
the max_rtt_timeout.  I have fixed this for the next version of Nmap.
Until that is released, people who use --max_rtt_timeout should also
set --initial_rtt_timeout to the same value.

One more note: people should not use -P0 unless they really have to --
that can slow down scans significantly.  Especially if you use the
default timing variables rather than specify your own.  Nmap is very
conservative by default -- I'd much rather Nmap take longer until it
can get its timing bearings than to have it miss ports.

Cheers,
-F


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
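The behaviour discussed in this message (every filtered port costs the scanner one full timeout until the first reply gives it its timing bearings, the uncapped initial_rtt_timeout bug, and the variance that comes from random port order) can be seen in a small simulation. This is an added example, not code from the post or from Nmap's source: it is a serial toy model, whereas Nmap probes in parallel and derives its timeout from a smoothed RTT estimate. The 6000 ms stand-in for the default initial timeout, the "wait 4*rtt after the first reply" rule and the single open port 22 are assumptions constructed for the illustration.

```python
# Added example (not from the original post or from Nmap's source): a toy,
# serial model of how RTT timeouts bound a scan against a filtering host.
# Nmap itself probes in parallel and derives its timeout from a smoothed RTT
# estimate; the constants and the 4*rtt rule below are simplifying assumptions.
import random

DEFAULT_INITIAL_RTT_TIMEOUT = 6000  # ms; assumed stand-in for the old default
ADAPTED_RTT_FACTOR = 4              # assumed: after the first reply wait 4*rtt


def effective_timeouts(initial, maximum, clamp):
    """Return (initial, max) as the scanner uses them.

    With clamp=False the initial timeout is left alone even when it exceeds
    --max_rtt_timeout (the bug described in the message).  With clamp=True the
    initial value is reduced to the maximum, which is also what you get when
    you pass --initial_rtt_timeout and --max_rtt_timeout with the same value.
    """
    if clamp and initial > maximum:
        initial = maximum
    return initial, maximum


def simulate_scan(ports, open_ports, rtt_ms, initial, maximum, clamp):
    """Milliseconds a serial scan spends probing `ports` in the given order.

    Filtered ports never answer, so each one costs the current timeout.  An
    open port answers after rtt_ms; that first reply gives the scanner its
    timing bearings and the per-probe wait drops to min(4*rtt, max).
    """
    initial, maximum = effective_timeouts(initial, maximum, clamp)
    timeout = initial
    elapsed = 0
    for port in ports:
        if port in open_ports:
            elapsed += rtt_ms
            timeout = min(ADAPTED_RTT_FACTOR * rtt_ms, maximum)
        else:
            elapsed += timeout
    return elapsed


def port_order(randomize, seed=None):
    """Ports 1-1024 in sequential order (-r) or shuffled (the default)."""
    ports = list(range(1, 1025))
    if randomize:
        random.Random(seed).shuffle(ports)
    return ports


if __name__ == "__main__":
    open_ports = {22}  # constructed: one SSH server on an otherwise filtering host
    rtt = 1            # ms, LAN round trip
    cases = [
        ("--max_rtt_timeout 50, buggy (initial not clamped)",
         DEFAULT_INITIAL_RTT_TIMEOUT, 50, False),
        ("--max_rtt_timeout 50, fixed (initial clamped)",
         DEFAULT_INITIAL_RTT_TIMEOUT, 50, True),
        ("--initial_rtt_timeout 5 --max_rtt_timeout 50", 5, 50, False),
    ]
    for label, initial, maximum, clamp in cases:
        seq = simulate_scan(port_order(False), open_ports, rtt,
                            initial, maximum, clamp)
        rnd = [simulate_scan(port_order(True, s), open_ports, rtt,
                             initial, maximum, clamp) for s in range(5)]
        print(f"{label}: -r {seq} ms, random order {min(rnd)}..{max(rnd)} ms")
```

Running it shows the three effects at once: with the uncapped initial timeout every port probed before 22 costs the full 6000 ms, so the total swings by orders of magnitude depending on where port 22 lands in the shuffled order; clamping the initial value to the maximum (or passing both options with the same value) removes that swing; and -r makes consecutive runs comparable because the order no longer changes.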
