On Sat, Jul 19, 2003 at 12:03:59AM +0200, Michel Arboi wrote:

> > First of all, I am not sure where you get the 25M number. I just
> > tried an OS scan on my Linux box and it showed under 10M in top
>
> 10 MB is quite big for a port scanner, no?

If all you want is port scanning, don't use OS detection (-O) and Nmap will use far less memory. And if you are this concerned with memory usage, then why are you calling dozens of copies of Nmap simultaneously when just one would do? If you reduce the number of Nmap instances called in parallel to a more reasonable number and still have memory issues, let me know and I will try to help. But I am not inclined to go through the Nmap codebase trying to skimp on every last byte of RAM so that you can then waste an order of magnitude more by starting 30 copies at once. Plenty of people run single instances of Nmap on highly limited PDAs and meager x86 machines with only 8-16MB of RAM.

> > Is Nmap the only plugin that would benefit from being able to handle
> > more than one host at a time?
>
> Yes, probably.
> Because nmap was designed as a standalone tool, while Nessus plugins
> were designed to run inside the Nessus architecture.

Right. But the Nessus team decided to leverage some of the Nmap functionality (ping scanning, port scanning, OS detection, etc) so that you can focus on adding value by your excellent application-level vulnerability checks. I am just suggesting ways that might improve this collaboration. I think our goals are the same: improved internet security (and promotion of Open Source security tools). Of course my other goal is to help people understand why Nmap is so much slower and less accurate (and uses so much memory) when run under Nessus or using the internal copy. I don't want them to give up on Nmap because of this.

While it is true that plugins built specifically for Nessus tend to be built to mesh well with the Nessus "one process per target host" architecture, Nmap is not the only external program to be subsumed by Nessus. Nikto, Hydra, and Whisker come to mind as others. These or future plugins might benefit from scanning more than one host at once.

> Is it useful?
> Currently, we can run nmap alone
> nmap -p 1-65535 -I many_hosts -oN result_file ...
> and then launch Nessus and "import" the result file.

Sure. But users don't know that because you have deleted all references to Nmap from the download page. Also note that your command above conserves RAM by not loading the OS file.

> Well, there are 3 options:
> A) Maintain a private copy of Nmap
> B) Implement "parallel" plugins in Nessus
> C) Modify Nmap to use less memory, or at least use shared memory.

If I felt that C) was a tenable (oops) solution, I would make the change to using shared memory myself. But there are many other problems with these parallel instances than memory use. Time use is the obvious one. I recently did an Nmap scan across the internet of 4,397 IPs for port 80/tcp. It took just under a minute, and would have been faster without DNS resolution (-n). I suspect that starting 4,397 copies of Nmap (as nessus would have done) would have taken hours, as Nmap would have to handle the hosts one at a time. Even with the brute-force parallelization Nessus uses, the scan would take a long time. Results won't be as accurate in the latter case either, as one instance of Nmap won't know about dropped packets discovered by another.

Cheers,
Fyodor
http://www.insecure.org/
