Re: nmap udp scan time

From: Anders Thulin (anders.thulin@sentor.se)
Date: Mon Oct 29 2007 - 03:04:00 EST


Kevin Mc Grath wrote:

> I have completed a udp scan on an embedded device in the lab and the
> scan duration was 18.22 hours.
>
> The scan syntax used is as follows:
>
> nmap -sU -p0-65535 <ip_addr>
>
> Should a UDP scan take such a long time? Could the scan time relate to
> some problem with the device?

  If you don't get any negative response (such as the various ICMP unreachables)
from the device, it will largely be a question of timeouts and retransmissions. Factor
in the number of UDP ports probed in parallel, and the general speed of the network
connection, and you should be able to say if 18 hours is in the ballpark
or not.

  Read and consider:

    http://insecure.org/nmap/man/man-port-scanning-techniques.html

    http://insecure.org/nmap/man/man-performance.html

  Note that nmap adjusts the number of concurrent probes based on its performance.
You may have to force its lower limit (--min_parallelism) to something larger than 1.
Note also the default value of --max_retries, which is rather conservative for
reasonably fast devices on a lightly-loaded local LAN.

  Check http://insecure.org/nmap/docs.html for more useful documents. The Nmap book
will probably be the definitive reference on Nmap ... if and when it is published.

-- 
Anders Thulin          anders.thulin@sentor.se          070-757 36 10
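Added example, not part of this thread and not Nmap's own code: a back-of-the-envelope model of the two regimes Anders points to, ports that never answer (cost governed by timeouts, retransmissions and parallelism) versus closed ports whose negative responses are rate-limited by the target. The roughly one-ICMP-unreachable-per-second figure for Linux hosts is documented on the nmap port-scanning-techniques page linked above; the timeout, retry and parallelism constants are assumptions chosen for illustration, not nmap's actual adaptive values. Fed the numbers from the thread, 65536 ports in 18.22 hours works out to almost exactly one second per port.

```python
# Added example (not from the thread): a simplified model of why a
# full-range UDP scan can take many hours.  Two regimes are modelled:
#   - silent ports: cost = (retries + 1) * timeout, divided by parallelism
#   - rate-limited closed ports: one ICMP unreachable per rate interval,
#     which parallelism cannot speed up because nmap slows to the reply rate

PORTS_FULL_RANGE = 65536   # -p0-65535 from the quoted command
OBSERVED_HOURS = 18.22     # duration reported in the thread

# Linux kernels limit ICMP destination-unreachable replies to about one
# per second by default (see the nmap port-scanning-techniques page).
LINUX_ICMP_UNREACHABLE_PER_SEC = 1.0


def seconds_per_port(total_hours: float, ports: int) -> float:
    """Average wall-clock seconds spent per probed port."""
    return total_hours * 3600.0 / ports


def silent_ports_seconds(ports: int, timeout_s: float, max_retries: int,
                         parallelism: int) -> float:
    """Time for ports that give no reply at all.

    Each port is probed (max_retries + 1) times and every attempt waits
    timeout_s before giving up; probes in flight concurrently overlap.
    The timeout, retry and parallelism values passed in are assumptions
    for illustration, not nmap's real adaptive settings.
    """
    attempts = max_retries + 1
    return ports * attempts * timeout_s / parallelism


def rate_limited_seconds(ports: int, replies_per_second: float) -> float:
    """Time for closed ports whose ICMP unreachables are rate-limited.

    nmap detects the limit and slows down to match it, so the scan is
    bounded by ports / rate regardless of parallelism.
    """
    return ports / replies_per_second


def classify(total_hours: float, ports: int, tolerance: float = 0.05) -> str:
    """Compare an observed duration with the ~1 reply/s rate-limit regime."""
    spp = seconds_per_port(total_hours, ports)
    expected = 1.0 / LINUX_ICMP_UNREACHABLE_PER_SEC
    if abs(spp - expected) <= tolerance * expected:
        return "consistent with ICMP unreachable rate limiting (~1 port/s)"
    if spp > expected:
        return "slower than a 1/s rate limit: suspect timeouts, retries or low parallelism"
    return "faster than a 1/s rate limit: target replies freely or ports answer"


if __name__ == "__main__":
    spp = seconds_per_port(OBSERVED_HOURS, PORTS_FULL_RANGE)
    print(f"{spp:.3f} s/port -> {classify(OBSERVED_HOURS, PORTS_FULL_RANGE)}")
    print(f"rate-limited estimate (1 reply/s): "
          f"{rate_limited_seconds(PORTS_FULL_RANGE, 1.0) / 3600:.2f} h")
    print(f"silent-port estimate (1 s timeout, 1 retry, 10 in parallel): "
          f"{silent_ports_seconds(PORTS_FULL_RANGE, 1.0, 1, 10) / 3600:.2f} h")
```

The point of the comparison is that raising --min-parallelism only helps in the silent-port regime; when the target rate-limits its negative responses, the scan is bounded by that rate and the only real levers are scanning fewer ports or accepting the duration.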


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:11 EDT