> * That's a *FAKE* progress bar. Its purpose is just
> * to show users that nmap is still alive, not to
> * show the level of completion of a scan

Also: Scanning one or especially many systems is not a linear task. You may hit an old Windows system that in just a few minutes gives a reliable inventory of all 65,535 * 2 ports. However, you are increasingly likely to find systems that implement a throttle on replies to port probes. These smarter IP stacks respond quickly for the first few probes, and then take 11 - 30 hours to complete a full port scan. See http://www.faqs.org/rfcs/rfc1812.html section 4.3.2.8. Personal firewalls, other firewalls and "tar pits" can similarly impede scans. That's their job!

Grin, if eventually all targets implement such rate-limiting, then the guess from that progress bar will start to be more reliable; you might even calibrate it in days or weeks. NMAP already does cool things to dynamically adjust to target response; perhaps we can encourage Fyodor to provide an option to report progress.

Given these developments that have become more prominent since Nessus and NMAP began, perhaps the NMAP scan status bar is less a pacifier for newbies and more a cruel deceiver. Perhaps instead of an nmap progress bar, Nessus might report for a host, "For this host, previous scan of n ports took m minutes."

If I get time (ha!) I'd like to write up strategies on adjusting Nessus timeouts and selecting order of activities for comprehensive scans. Basically this amounts to:

- Scout a target range for "slow" hosts.
- Carefully experiment with timeouts for Nessus and especially nmap. Timeout is one method of scouting.
- For slow hosts, carefully choose one or a sequence of tests of at most five ports per batch.
- Spread scanning in host order rather than port order.
- As your scanner's memory and OS allow, scan many slow hosts at once.
- Exploit the Nessus knowledgebase to minimize re-scans.
- When you have a cooperative target, have them temporarily disable their personal firewall with respect to the scan source.

-- Greg Johnson, University of Missouri - Columbia
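
An added illustration, not part of the original message and not nmap or Nessus code: a small offline model of a reply-throttling host, showing how far a linear progress estimate drifts from the real finish time and what host-order batching of at most five ports looks like. The burst size, reply rates and host labels are constructed assumptions.

```python
# Constructed assumptions, not measurements: burst size and reply rates.
TOTAL_PORTS = 65535
BURST = 100          # replies sent before the throttle engages
FAST_RATE = 1000.0   # replies per second during the burst
SLOW_RATE = 1.0      # replies per second once throttled


def finish_time(ports, burst=BURST, fast=FAST_RATE, slow=SLOW_RATE):
    """Seconds until a throttling host has answered `ports` probes."""
    quick = min(ports, burst)
    return quick / fast + (ports - quick) / slow


def linear_eta(done, elapsed, total=TOTAL_PORTS):
    """Remaining seconds as a linear progress bar would extrapolate them."""
    return elapsed * (total - done) / done


def batches(ports, size=5):
    """Split a port list into batches of at most `size` ports."""
    return [ports[i:i + size] for i in range(0, len(ports), size)]


def host_order_plan(hosts, ports, size=5):
    """Visit every host with batch k before any host gets batch k+1."""
    per_host = [[(h, b) for b in batches(ports, size)] for h in hosts]
    return [step for rnd in zip(*per_host) for step in rnd]


def wall_clock(hosts, ports_each, concurrent):
    """Total seconds for identical slow hosts, scanned together or in turn."""
    per_host = finish_time(ports_each)
    return per_host if concurrent else per_host * len(hosts)


if __name__ == "__main__":
    hosts = ["slow-a", "slow-b", "slow-c"]  # hypothetical host labels
    elapsed = finish_time(BURST)
    print("bar's guess after the burst: %.0f s" % linear_eta(BURST, elapsed))
    print("modelled finish: %.1f h" % (finish_time(TOTAL_PORTS) / 3600))
    print("3 hosts in turn: %.1f h, together: %.1f h" % (
        wall_clock(hosts, TOTAL_PORTS, False) / 3600,
        wall_clock(hosts, TOTAL_PORTS, True) / 3600))
    for host, ports in host_order_plan(hosts, [21, 22, 23, 25, 80, 110, 443])[:4]:
        print(host, ports)
```

With these assumed rates, the linear extrapolation taken at the end of the burst predicts about a minute remaining, while the modelled host needs roughly 18 hours.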
