
| Subject: | Re: Advice on Fastest NMAP Scan |
|---|---|
| Date: | Tue, 26 Oct 2004 16:05:57 -0700 |
On Tue, Oct 26, 2004 at 09:58:50AM -0500, Mogren, Jack L. wrote:
> Here's what I've come up with so far.
>
>     nmap -O -T4 -PE -F --osscan_limit -oX /home/security/test.xml -iL /home/security/ip_addresses.txt
>
> Any comments or suggestions?
First off, make sure that you are using Nmap 3.75. Nmap 3.70 included a complete port scan engine rewrite for better performance (among other advantages) and then 3.75 tweaked it to be even better. You can obtain Nmap 3.75 from http://www.insecure.org/nmap .

Since you know your network, you may be able to help Nmap by setting a maximum retransmission timeout. Are you scanning over multiple continents, or just a local network? If you can assume that responses won't take more than 100ms, add --max_rtt_timeout 100 for a big speed boost. Also, use a large host group such as --min_hostgroup 128 so that many hosts are scanned in parallel. Play with the numbers a bit to figure out what works best on your particular network.

You could also consider a custom nmap-services file with just a couple hundred of the most common TCP ports. Even the -F option still scans more than 1200 ports by default.

I would be interested to hear how it goes. If you find that it is too slow for your needs, let me know. I am working on a performance chapter of my upcoming O'Reilly Nmap book, so I have studied several such large network situations. A class B and several class C's shouldn't be any problem at all for regular scanning. Your "entire private address space" may take a while, depending on your setup. Scanning 10.0.0.0/8 is 16 million IPs, so don't expect it to complete during lunch. Some of the tools that claim incredible speeds don't even handle retransmissions or other reliability requirements.

I hope this helps,

Fyodor
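The three tuning steps in the reply (a trimmed nmap-services file, a --max_rtt_timeout chosen from measured latency, and --min_hostgroup for parallelism) as a worked shell script. This is an added example, not code from the thread or from the Nmap project. It assumes Nmap reads nmap-services from the directory named by the NMAPDIR environment variable and that the stock file uses the "name port/proto" line layout; the stock-file excerpt, the port keep-list and the ping summary lines are constructed here. The script only prints the final nmap command line rather than running it.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds the trimmed
# nmap-services file and the tuned command line Fyodor describes, and derives
# a --max_rtt_timeout value from a ping summary. Assumptions: Nmap looks for
# nmap-services in the directory named by NMAPDIR, and the stock file uses the
# "name port/proto" line format. Nothing here runs nmap itself.
set -u

# Constructed stand-in for the stock nmap-services file (the real one has well
# over a thousand lines); only the format matters here.
SAMPLE_SERVICES='# service-name  port/protocol
ftp 21/tcp
ssh 22/tcp
telnet 23/tcp
smtp 25/tcp
domain 53/tcp
domain 53/udp
http 80/tcp
snmp 161/udp
https 443/tcp
ms-sql-s 1433/tcp
mysql 3306/tcp
ms-term-serv 3389/tcp'

# Constructed keep-list: the TCP ports you actually want -F to hit, one per line.
TOP_PORTS='22
25
53
80
443
3389'

# trim_services STOCK KEEPLIST OUT
# Copies to OUT only the TCP lines of STOCK whose port is in KEEPLIST, dropping
# comments and UDP entries; prints the number of ports kept.
trim_services() {
    awk -v keepfile="$2" '
        BEGIN { while ((getline p < keepfile) > 0) if (p != "") keep[p] = 1 }
        /^#/ || NF < 2 { next }
        {
            split($2, pp, "/")
            if (pp[2] == "tcp" && (pp[1] in keep)) print
        }' "$1" > "$3"
    wc -l < "$3" | tr -d ' '
}

# rtt_timeout_from_ping SUMMARY_LINE
# Turns the "min/avg/max/..." summary line printed by ping into a value for
# --max_rtt_timeout in ms: twice the observed max, rounded up, floored at 50 ms
# so one slow reply is not thrown away. Constructed heuristic, not an Nmap rule.
rtt_timeout_from_ping() {
    printf '%s\n' "$1" | awk -F'[ =/]+' '{
        for (i = 1; i <= NF; i++) if ($i == "min") { m = $(i + 6) + 0; break }
        t = m * 2
        if (t > int(t)) t = int(t) + 1
        if (t < 50) t = 50
        print int(t)
    }'
}

# build_scan_cmd DATADIR TARGETS XMLOUT RTT_MS HOSTGROUP
# Prints the original command line with the directory holding the trimmed
# nmap-services and the two knobs from the reply added.
build_scan_cmd() {
    printf 'NMAPDIR=%s nmap -O -T4 -PE -F --osscan_limit --max_rtt_timeout %s --min_hostgroup %s -oX %s -iL %s\n' \
        "$1" "$4" "$5" "$3" "$2"
}

# Stand-alone run: write the constructed inputs, trim, and print the command.
WORK=${TMPDIR:-/tmp}/nmap-trim.$$
mkdir -p "$WORK"
printf '%s\n' "$SAMPLE_SERVICES" > "$WORK/stock-nmap-services"
printf '%s\n' "$TOP_PORTS" > "$WORK/top-ports.txt"
KEPT=$(trim_services "$WORK/stock-nmap-services" "$WORK/top-ports.txt" "$WORK/nmap-services")
echo "kept $KEPT TCP ports in $WORK/nmap-services"
# Constructed ping summary for a LAN; a real run would paste the last line of
# ping's output here.
echo "suggested --max_rtt_timeout: $(rtt_timeout_from_ping 'rtt min/avg/max/mdev = 0.312/1.204/5.811/1.090 ms')"
build_scan_cmd "$WORK" /home/security/ip_addresses.txt /home/security/test.xml 100 128
```

The trimmed file must keep the name nmap-services, since -F picks up whatever file of that name Nmap finds in its data directory; UDP lines are dropped only because the scan in the thread is TCP-only. The printed command is the one to run once the port list and timeout look right for your network.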