slow nmap

[mipam007]

Hi All,

do anybody know, why is that?

THE BSD BOX

root@bx ~ ->nmap google.com
Starting Nmap 5.50 ( http://nmap.org ) at 2011-11-14 19:36 CET
Nmap scan report for google.com (74.125.39.105)
Host is up (0.0078s latency).
Other addresses for google.com (not scanned): 74.125.39.106 74.125.39.147 74.125.39.103 74.125.39.104 74.125.39.99
rDNS record for 74.125.39.105: fx-in-f105.1e100.net
Not shown: 997 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed auth
443/tcp open   https
Nmap done: 1 IP address (1 host up) scanned in 18.56 seconds

root@bx ~ ->nmap seznam.cz
Starting Nmap 5.50 ( http://nmap.org ) at 2011-11-14 19:38 CET
Nmap scan report for seznam.cz (77.75.76.3)
Host is up (0.0043s latency).
rDNS record for 77.75.76.3: www.seznam.cz
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 17.70 seconds

THE LINUX BOX

root@ax $ nmap google.com
Starting Nmap 5.21 ( http://nmap.org ) at 2011-11-14 19:22 CET
Nmap scan report for google.com (74.125.39.104)
Host is up (0.021s latency).
Hostname google.com resolves to 6 IPs. Only scanned 74.125.39.104
rDNS record for 74.125.39.104: fx-in-f104.1e100.net
Not shown: 994 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed auth
135/tcp closed msrpc
139/tcp closed netbios-ssn
443/tcp open   https
445/tcp closed microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 4.76 seconds

root@ax $ nmap seznam.cz
Starting Nmap 5.21 ( http://nmap.org ) at 2011-11-14 19:24 CET
Nmap scan report for seznam.cz (77.75.76.3)
Host is up (0.013s latency).
rDNS record for 77.75.76.3: www.seznam.cz
Not shown: 995 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
135/tcp closed msrpc
139/tcp closed netbios-ssn
443/tcp open   https
445/tcp closed microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 4.69 seconds

And the version of OS is:
8.2-RELEASE/FreeBSD/amd64
2.6.38-12-generic/Ubuntu/x86_64

I found this behavior of nmap in the past already, but I have never seen the "open ports" differencies.

Thanks for any hint.

 

[anomie]

Oi, so many differences there - not sure we can offer you great insight. Think about this:

• Different nmap versions (with possibly different default options)
• Different scanning hosts (on different networks?)
• Different targets! (at least in the google example)

 

[mipam007]

• Different nmap versions (with possibly different default options)

root@bx ~ ->pkg_info -Ix 'nmap'
nmap-5.50           Port scanning utility for large networks

root@ax $ dpkg -l | grep nmap
ii  nmap                                              5.21-1                                     The Network Mapper

• Different scanning hosts (on different networks?)

For this example I used same hosts: google.com and seznam.cz. And yes, I am on different network in this case, but I have same results of nmap output even if I am on same network.

• Different targets! (at least in the google example)

I can use one of the IP of google servers and the result will be same - thus different.

I firmly believe that this behavior is caused by the default setting of nmap. Maybe in manual will be something clear..

 

[SirDice]

Who cares if it's a couple of seconds faster. It's the results that count.

 

[mipam007]

But hey, this is not the answer somehow, right?

 

[anomie]

@SirDice, totally agree in this particular example. But if you need your scans to scale to large numbers (for ongoing networking testing purposes), this is bad. It would be interesting to know why results are ~seconds x 4 on the FreeBSD host.

@mipam007, to troubleshoot this further, I recommend two approaches:

1. Feed nmap explicit options, instead of relying on the defaults. Compare and contrast again.
2. Observe scan activity at the packet level (e.g. tcpdump(1)) to see how behavior differs.

 

[SirDice]

As noted by others, test the same target, preferably on your own network (to avoid any routing differences) and with the same version of Nmap.

 

[wblock@]

Testing on your own network also avoids remote firewall and load-balancing differences. Running an nmap scan of somebody else's system is like checking all the doors and windows on somebody else's house to see if they are locked. Reactions could include blocking or throttling.