On Thu, Oct 23, 2003 at 12:22:18PM -0400, Renaud Deraison wrote:
> On Thu, Oct 23, 2003 at 11:16:40AM -0500, Shawn Wallis wrote:
> > (On the other hand, I find nmap too slow by default when scanning a
> > firewalled host, however -T5 really rocks.... I think it just takes a
> > little tweaking to understand how your scanner performs best..)
>
> Nmap is slow by default because it does not do any RTT computation and
> it assumes that the worst may happen - like an avian carrier having
> replaced your Gbps backbone. As a result, it's accurate.
Actually Nmap does do RTT computation, as well as tracking the variance in packet response times. If the last 100 probes have been responded to in 100-120ms, waiting 200 ms is probably sufficient. But if you get a 20ms response and then a 110ms, Nmap might wait 500ms to be on the safe side. The RTT and RTT variance are computed continually so that Nmap will slow down if the network becomes congested. Nmap also retransmits probes when no responses are returned. If a packet is dropped, Nmap slows down substantially just like TCP does. Network conditions affect the number of probes sent in parallel as well as the amount of time Nmap waits for responses.

Nmap has a ton of options that can affect the timing. But "timing templates" (-T0 through -T5) are a simple knob for making timing more (or less) aggressive. -T3 is the Nmap default. -T4 is substantially faster against certain firewalled hosts, and that is what I use for most of my scanning. The poster above recommended -T5, which may be appropriate if you are on a low-latency reliable network.

It is true that I take a rather conservative timing approach by default. I would rather have 100 scans each take 10 seconds longer than have one scan miss a security-critical port because it didn't wait long enough for the response or retransmit enough times to compensate for lost packets. Of course users have the flexibility to easily change that default with -T4 (recommended) or -T5. Or you can customize Nmap timing at a lower level with --max_parallelism, --min_parallelism, --min_rtt_timeout, --max_rtt_timeout, --initial_rtt_timeout, --host_timeout, and --scan_delay.

Cheers,
Fyodor
http://www.insecure.org/nmap/
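An added illustration of the adaptive timeout behaviour Fyodor describes above (a constructed example, not Nmap's own code): a TCP-style smoothed-RTT and RTT-variance estimator with initial, minimum and maximum clamps and exponential back-off after unanswered probes. The clamp names mirror --initial_rtt_timeout, --min_rtt_timeout and --max_rtt_timeout from the message; their default values and the estimator constants are assumptions.

```python
"""Adaptive probe-timeout estimator (constructed example, not Nmap's code).

Uses the Jacobson/Karels smoothing that TCP uses (RFC 6298 constants):
  srtt   <- 7/8*srtt + 1/8*sample
  rttvar <- 3/4*rttvar + 1/4*|srtt - sample|
  timeout = srtt + 4*rttvar, doubled per consecutive dropped probe.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RttEstimator:
    # Clamp values are assumptions for this example, not Nmap's defaults.
    initial_timeout: float = 1000.0   # ms, used before any response is seen
    min_timeout: float = 100.0        # ms, floor on the computed timeout
    max_timeout: float = 10000.0      # ms, ceiling on the computed timeout
    srtt: Optional[float] = None      # smoothed round-trip time
    rttvar: float = 0.0               # smoothed deviation of the RTT
    dropped: int = 0                  # consecutive probes with no response

    def sample(self, rtt_ms: float) -> None:
        """Fold one measured response time into the estimate."""
        if self.srtt is None:
            self.srtt, self.rttvar = rtt_ms, rtt_ms / 2
        else:
            self.rttvar = 0.75 * self.rttvar + 0.25 * abs(self.srtt - rtt_ms)
            self.srtt = 0.875 * self.srtt + 0.125 * rtt_ms
        self.dropped = 0  # a response resets the back-off

    def drop(self) -> None:
        """Record a probe that timed out: slow down, as TCP does on loss."""
        self.dropped += 1

    def timeout(self) -> float:
        """Milliseconds to wait for the next response."""
        base = self.initial_timeout if self.srtt is None else self.srtt + 4 * self.rttvar
        base *= 2 ** self.dropped
        return max(self.min_timeout, min(self.max_timeout, base))


def demo() -> dict:
    """Three constructed scenarios from the message: steady, jittery, lossy."""
    steady = RttEstimator()
    for i in range(100):                 # 100 responses in the 100-120 ms band
        steady.sample(100 if i % 2 == 0 else 120)
    jittery = RttEstimator()
    jittery.sample(20)                   # a fast reply followed by a slow one
    jittery.sample(110)
    lossy = RttEstimator()
    lossy.sample(100)
    lossy.drop()                         # two unanswered probes in a row
    lossy.drop()
    return {"steady": steady.timeout(), "jittery": jittery.timeout(), "lossy": lossy.timeout()}
```

With a steady 100-120 ms network the timeout settles near 150 ms; one 20 ms reply followed by a 110 ms reply pushes it above the slowest sample seen, and two lost probes quadruple it.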
