EffectivenessOfPingProbes

This is documentation of a project to discover the effectiveness of each of Nmap's ping probes, singly and in combination. The object is to improve the default host discovery if possible.

The general strategy is this: Generate a list of test IP addresses. Run several host discovery scans against the addresses using a single ping probe each time. Make a list showing the most effective single probe, the most effective two-probe combination, and so on. Effectiveness is measured as the number of distinct hosts found up (not counting overlaps). Maybe time taken to scan will also be significant.

Scripts used to do the analysis:

Generating the address list

Fyodor and I talked and settled on the following method of generating addresses. Generate addresses with -iR. Do a whois query on each one to find out the size of the network allocation it belongs to. Discard any that belong to one bigger than a /16.

I modified the whois.nse script to produce abbreviated output including only the IP address and netblock size. I called the modified script netrange.nse. Its output looks like

Host 138.73.189.55 is up.

Host script results:
|_ netrange: 138.73.189.55/16

Host 203.194.111.129 is up.

Host script results:
|_ netrange: 203.194.111.129/20

I made a trivial modification to Nmap to allow using -sP and -PN together, so that I could script scan the addresses without having to ping or port scan them.

Index: NmapOps.cc
===================================================================
--- NmapOps.cc  (revision 13217)
+++ NmapOps.cc  (working copy)
@@ -372,9 +372,11 @@
    fatal("Sorry, the IPProtoscan, Listscan, and Pingscan (-sO, -sL, -sP) must currently be used alone rather than combined with other scan types.");
  }

+ /*
  if ((pingscan && pingtype == PINGTYPE_NONE)) {
     fatal("-PN (skip ping) is incompatable with -sP (ping scan).  If you only want to enumerate hosts, try list scan (-sL)");
   }
+ */

  if (pingscan && (TCPScan() || UDPScan() || ipprotscan || listscan)) {
    fatal("Ping scan is not valid with any other scan types (the other ones all include a ping scan");
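
Review bot: The -PN/-sP guard is switched off by wrapping it in /* ... */, which lifts the restriction for every invocation and leaves dead code in NmapOps.cc. If the aim is only to let a script scan run without a ping or port scan, narrow the condition to that case, or delete the block outright instead of commenting it out. The "incompatable" spelling in the guard's message could be fixed in the same change.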

The output of netrange.nse is then filtered into an address list with this Awk script (ping-hosts-filter.awk):

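# Keep only addresses whose allocation has a prefix longer than /MIN_BITS.
BEGIN {
        MIN_BITS = 16;
}

# Match netrange.nse result lines such as "|_ netrange: 138.73.189.55/16".
/^\|_ netrange: [1-9]/ {
        split($3, a, "/");      # $3 is "address/bits"
        addr = a[1];
        bits = a[2];
        if (bits > MIN_BITS) {
                print addr;
        }
}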

Preliminary test of 200 addresses (May 4, 2009)

I created an address list:

./nmap --datadir . --script=netrange -PN -sP -iR 1000 -n -oN netrange-1.nmap
awk -f ping-hosts-filter.awk netrange-1.nmap > ping-hosts-prelim

I think the script scan hit a deadlock around host 995 or so, but it was almost done. After filtering, there were 200 addresses in ping-hosts-prelim. I then ran the scans with the following options (65 scans in all):

# Note: All scans used the common options: -sP -n -d2 --max-retries 1 -iL ping-hosts
No options (default ping)
for tcp in 80 23 443 21 22 25 3389 110 445 139 40125 40126
    -PS$tcp
    -PA$tcp
for udp in 631 161 137 123 138 31338 40125 40126
    -PU$udp
    -PU$udp --source-port 53
    -PU$udp --data-length 24
    -PU$udp --source-port 53 --data-length 24
for proto in 1 2 4 6 17 150
    -PO$proto
-PE
-PP
-PM

The results were as follows:

65 probes total:
-PE                 19  86.36%
-PO1                18  81.82%
-PS80               15  68.18%
-PS443              14  63.64%
-PS40125            12  54.55%
-PS40126            12  54.55%
-PS110              12  54.55%
-PS25               12  54.55%
-PS3389             12  54.55%
-PS21               11  50.00%
-PS23               11  50.00%
-PU40125-sp53-dl24  9   40.91%
-PU40125-dl24       9   40.91%
-PU31338-sp53-dl24  9   40.91%
-PS22               9   40.91%
-PU31338-dl24       9   40.91%
-PU40126-sp53-dl24  9   40.91%
-PU631-dl24         9   40.91%
-PU631-sp53-dl24    9   40.91%
-PU123-sp53-dl24    9   40.91%
-PU631-sp53         8   36.36%
-PU40126            8   36.36%
-PU40125-sp53       8   36.36%
-PU31338            8   36.36%
-PO17               8   36.36%
-PU137-sp53-dl24    8   36.36%
-PU631              8   36.36%
-PU123-dl24         8   36.36%
-PU123-sp53         8   36.36%
-PU123              8   36.36%
-PU138-sp53         7   31.82%
-PU138-sp53-dl24    7   31.82%
-PU40126-sp53       7   31.82%
-PU137-sp53         7   31.82%
-PU40126-dl24       7   31.82%
-PU161-sp53-dl24    7   31.82%
-PU161-sp53         7   31.82%
-PU40125            7   31.82%
-PU138-dl24         7   31.82%
-PU31338-sp53       6   27.27%
-PU138              6   27.27%
-PU161              6   27.27%
-PU161-dl24         6   27.27%
-PU137-dl24         6   27.27%
-PS139              5   22.73%
-PU137              5   22.73%
-PS445              5   22.73%
-PO2                4   18.18%
-PP                 4   18.18%
-PM                 2   9.09%
-PA445              0   0.00%
-PO4                0   0.00%
-PO6                0   0.00%
-PA80               0   0.00%
-PO150              0   0.00%
-PA443              0   0.00%
-PA40126            0   0.00%
-PA40125            0   0.00%
-PA3389             0   0.00%
-PA25               0   0.00%
-PA23               0   0.00%
-PA22               0   0.00%
-PA21               0   0.00%
-PA139              0   0.00%
-PA110              0   0.00%
Culled 63 probes.
Maximum possible using 2 remaining probes: 22.
=== 1 probe
* -PE; size 19, 86.36%
  -PS80; size 15, 68.18%
=== 2 probes
* -PE -PS80; size 22, 100.00%

The script kept running, but in this case we can see that we will never get better than the two-probe combination -PE -PS80.

This test was done on a connection that filters ACK probes. For the larger tests I'm going to run scans from several locations.

Scan of 6,492 addresses (May 8, 2009)

These are combined results of scans from four separate network locations.

Maximum possible using all 65 probes: 8883.
-PE                 5752 64.75%
-PO1                5699 64.16%
-PS443              4028 45.35%
-PS80               3956 44.53%
-PS110              3724 41.92%
-PS21               3697 41.62%
-PS22               3626 40.82%
-PS3389             3484 39.22%
-PS40125            3336 37.55%
-PS40126            3334 37.53%
-PP                 3290 37.04%
-PS23               3259 36.69%
-PA80               3033 34.14%
-PA443              2992 33.68%
-PU40125-sp53-dl24  2896 32.60%
-PU40126-sp53-dl24  2885 32.48%
-PA110              2864 32.24%
-PA3389             2852 32.11%
-PA21               2836 31.93%
-PA22               2832 31.88%
-PO6                2822 31.77%
-PA40125            2820 31.75%
-PU31338-sp53-dl24  2819 31.73%
-PA40126            2815 31.69%
-PA23               2707 30.47%
-PU631-sp53-dl24    2703 30.43%
-PU40125-sp53       2700 30.40%
-PU40126-sp53       2688 30.26%
-PU40125-dl24       2681 30.18%
-PU40126-dl24       2661 29.96%
-PU31338-sp53       2634 29.65%
-PS25               2631 29.62%
-PU31338-dl24       2584 29.09%
-PU631-dl24         2555 28.76%
-PU631-sp53         2497 28.11%
-PU40125            2490 28.03%
-PU40126            2473 27.84%
-PU31338            2411 27.14%
-PO17               2379 26.78%
-PU631              2328 26.21%
-PU123-sp53-dl24    2173 24.46%
-PU123-dl24         2084 23.46%
-PS445              2053 23.11%
-PS139              2000 22.51%
-PU123-sp53         1927 21.69%
-PU123              1838 20.69%
-PA25               1784 20.08%
-PA445              1727 19.44%
-PU138-sp53-dl24    1697 19.10%
-PA139              1687 18.99%
-PU161-sp53         1681 18.92%
-PU161-sp53-dl24    1678 18.89%
-PU137-sp53-dl24    1665 18.74%
-PU138-dl24         1617 18.20%
-PU161-dl24         1587 17.87%
-PU137-dl24         1575 17.73%
-PU161              1571 17.69%
-PU138-sp53         1509 16.99%
-PU137-sp53         1483 16.69%
-PU138              1422 16.01%
-PU137              1403 15.79%
-PO2                887 9.99%
-PO150              706 7.95%
-PO4                587 6.61%
-PM                 358 4.03%
=== 1 probe
* -PE; size 5752, 64.75%
  -PO1; size 5699, 64.16%
  -PS443; size 4028, 45.35%
  -PS80; size 3956, 44.53%
  -PS110; size 3724, 41.92%
  -PS21; size 3697, 41.62%
  -PS22; size 3626, 40.82%
  -PS3389; size 3484, 39.22%
  -PS40125; size 3336, 37.55%
  -PS40126; size 3334, 37.53%
=== 2 probes
* -PE -PS443; size 6935, 78.07%
  -PO1 -PS443; size 6896, 77.63%
  -PE -PS80; size 6874, 77.38%
  -PO1 -PS80; size 6831, 76.90%
  -PE -PS21; size 6804, 76.60%
  -PE -PS110; size 6765, 76.16%
  -PE -PS22; size 6762, 76.12%
  -PO1 -PS21; size 6760, 76.10%
  -PE -PA80; size 6746, 75.94%
  -PO1 -PS110; size 6724, 75.70%
=== 3 probes
* -PE -PS443 -PA80; size 7482, 84.23%
  -PO1 -PS443 -PA80; size 7443, 83.79%
  -PE -PS443 -PP; size 7427, 83.61%
  -PE -PS443 -PA3389; size 7426, 83.60%
  -PO1 -PS443 -PP; size 7423, 83.56%
  -PE -PS443 -PA110; size 7395, 83.25%
  -PE -PS21 -PA80; size 7395, 83.25%
  -PE -PS443 -PA22; size 7391, 83.20%
  -PO1 -PS443 -PA3389; size 7390, 83.19%
  -PE -PS443 -PA40125; size 7388, 83.17%
=== 4 probes
* -PE -PS443 -PP -PA80; size 7902, 88.96%
  -PO1 -PS443 -PP -PA80; size 7893, 88.86%
  -PE -PS443 -PP -PA3389; size 7881, 88.72%
  -PO1 -PS443 -PP -PA3389; size 7875, 88.65%
  -PE -PS443 -PP -PA110; size 7851, 88.38%
  -PE -PS443 -PP -PA22; size 7847, 88.34%
  -PO1 -PS443 -PP -PA110; size 7844, 88.30%
  -PE -PS443 -PP -PA40125; size 7842, 88.28%
  -PE -PS443 -PP -PA40126; size 7842, 88.28%
  -PE -PS443 -PP -PA21; size 7840, 88.26%
=== 5 probes
* -PE -PS443 -PP -PA80 -PU40125-sp53-dl24; size 8160, 91.86%
* -PE -PS443 -PP -PA80 -PU40125-sp53; size 8160, 91.86%
  -PE -PS443 -PP -PA80 -PU40126-sp53-dl24; size 8149, 91.74%
  -PE -PS443 -PP -PA80 -PU40126-sp53; size 8149, 91.74%
  -PO1 -PS443 -PP -PA80 -PU40125-sp53; size 8131, 91.53%
  -PO1 -PS443 -PP -PA80 -PU40125-sp53-dl24; size 8129, 91.51%
  -PO1 -PS443 -PP -PA80 -PU40126-sp53; size 8123, 91.44%
  -PE -PS443 -PP -PU40125-sp53-dl24 -PA3389; size 8122, 91.43%
  -PE -PS443 -PP -PA3389 -PU40125-sp53; size 8119, 91.40%
  -PE -PS443 -PP -PU40126-sp53-dl24 -PA3389; size 8115, 91.35%

Large-scale scan with UDP payloads (May 10, 2009)

These are the results of scanning the exact same hosts as before, this time probing only UDP ports 53, 123, 135, 137, 161, 500, and 1434. The ping probes were sent with payloads taken from nmap-service-probes. These results were then folded into the previous results. The new probes have "payload" in their names.

There were 762 extra hosts found across the two rounds and four network locations (9625 vs. 8883). Use caution when comparing percentages to those above; these are out of 9625 where those were out of 8883.

The best individual UDP probes are still those to a random high port, with a source port of 53 and a non-empty payload. Even without the source port and payload, the ports 40125 and 40126 that I picked out of the air are better choices than the current default of 31338, finding around 400 additional hosts.

The best probe combinations for 1 and 2 probes are the same as before: -PE and -PE -PS443. Our current default -PE -PA80 is in the top ten for two-probe pings. After that the results are different: combining -PE -PS443 with UDP to port 53 with a DNS payload and a source port of 53 finds 116 additional hosts compared with -PE -PS443 -PA80. Actually, the results are as above, just lagged by one place because of the new -PU53 probe; the next probes to be added are -PA80 and -PP.

Maximum possible using all 79 probes: 9625.
-PE                   5752 59.76%
-PO1                  5699 59.21%
-PS443                4028 41.85%
-PS80                 3956 41.10%
-PS110                3724 38.69%
-PS21                 3697 38.41%
-PS22                 3626 37.67%
-PS3389               3484 36.20%
-PS40125              3336 34.66%
-PS40126              3334 34.64%
-PP                   3290 34.18%
-PS23                 3259 33.86%
-PA80                 3033 31.51%
-PA443                2992 31.09%
-PU40125-sp53-dl24    2896 30.09%
-PU40126-sp53-dl24    2885 29.97%
-PA110                2864 29.76%
-PA3389               2852 29.63%
-PA21                 2836 29.46%
-PA22                 2832 29.42%
-PO6                  2822 29.32%
-PA40125              2820 29.30%
-PU31338-sp53-dl24    2819 29.29%
-PA40126              2815 29.25%
-PA23                 2707 28.12%
-PU631-sp53-dl24      2703 28.08%
-PU40125-sp53         2700 28.05%
-PU40126-sp53         2688 27.93%
-PU40125-dl24         2681 27.85%
-PU40126-dl24         2661 27.65%
-PU31338-sp53         2634 27.37%
-PS25                 2631 27.34%
-PU123-payload-sp53   2627 27.29%
-PU31338-dl24         2584 26.85%
-PU53-payload-sp53    2564 26.64%
-PU123-payload        2555 26.55%
-PU631-dl24           2555 26.55%
-PU53-payload         2507 26.05%
-PU631-sp53           2497 25.94%
-PU40125              2490 25.87%
-PU40126              2473 25.69%
-PU31338              2411 25.05%
-PO17                 2379 24.72%
-PU631                2328 24.19%
-PU1434-payload-sp53  2312 24.02%
-PU500-payload-sp53   2247 23.35%
-PU123-sp53-dl24      2173 22.58%
-PU500-payload        2159 22.43%
-PU1434-payload       2144 22.28%
-PU123-dl24           2084 21.65%
-PS445                2053 21.33%
-PS139                2000 20.78%
-PU161-payload-sp53   1934 20.09%
-PU123-sp53           1927 20.02%
-PU123                1838 19.10%
-PU161-payload        1785 18.55%
-PA25                 1784 18.54%
-PA445                1727 17.94%
-PU135-payload-sp53   1708 17.75%
-PU138-sp53-dl24      1697 17.63%
-PA139                1687 17.53%
-PU161-sp53           1681 17.46%
-PU161-sp53-dl24      1678 17.43%
-PU137-sp53-dl24      1665 17.30%
-PU137-payload-sp53   1650 17.14%
-PU138-dl24           1617 16.80%
-PU135-payload        1613 16.76%
-PU161-dl24           1587 16.49%
-PU137-dl24           1575 16.36%
-PU161                1571 16.32%
-PU137-payload        1550 16.10%
-PU138-sp53           1509 15.68%
-PU137-sp53           1483 15.41%
-PU138                1422 14.77%
-PU137                1403 14.58%
-PO2                  887 9.22%
-PO150                706 7.34%
-PO4                  587 6.10%
-PM                   358 3.72%
=== 1 probe
* -PE; size 5752, 59.76%
  -PO1; size 5699, 59.21%
  -PS443; size 4028, 41.85%
  -PS80; size 3956, 41.10%
  -PS110; size 3724, 38.69%
  -PS21; size 3697, 38.41%
  -PS22; size 3626, 37.67%
  -PS3389; size 3484, 36.20%
  -PS40125; size 3336, 34.66%
  -PS40126; size 3334, 34.64%
=== 2 probes
* -PS443 -PE; size 6935, 72.05%
  -PS443 -PO1; size 6896, 71.65%
  -PS80 -PE; size 6874, 71.42%
  -PS80 -PO1; size 6831, 70.97%
  -PS21 -PE; size 6804, 70.69%
  -PS110 -PE; size 6765, 70.29%
  -PS22 -PE; size 6762, 70.25%
  -PS21 -PO1; size 6760, 70.23%
  -PA80 -PE; size 6746, 70.09%
  -PS110 -PO1; size 6724, 69.86%
=== 3 probes
* -PU53-payload-sp53 -PS443 -PE; size 7598, 78.94%
  -PU53-payload-sp53 -PS443 -PO1; size 7559, 78.54%
  -PU53-payload-sp53 -PS80 -PE; size 7539, 78.33%
  -PU123-payload-sp53 -PS443 -PE; size 7538, 78.32%
  -PU123-payload-sp53 -PS443 -PO1; size 7502, 77.94%
  -PU53-payload-sp53 -PS80 -PO1; size 7496, 77.88%
  -PU123-payload-sp53 -PS80 -PE; size 7486, 77.78%
  -PA80 -PS443 -PE; size 7482, 77.74%
  -PU53-payload-sp53 -PS21 -PE; size 7454, 77.44%
  -PU53-payload -PS443 -PE; size 7447, 77.37%
=== 4 probes
* -PU53-payload-sp53 -PA80 -PS443 -PE; size 8103, 84.19%
  -PU123-payload-sp53 -PA80 -PS443 -PE; size 8064, 83.78%
  -PU53-payload-sp53 -PA80 -PS443 -PO1; size 8062, 83.76%
  -PU53-payload-sp53 -PA3389 -PS443 -PE; size 8040, 83.53%
  -PU53-payload-sp53 -PP -PS443 -PE; size 8031, 83.44%
  -PU123-payload-sp53 -PA80 -PS443 -PO1; size 8026, 83.39%
  -PU53-payload-sp53 -PP -PS443 -PO1; size 8023, 83.36%
  -PU53-payload-sp53 -PA110 -PS443 -PE; size 8009, 83.21%
  -PU53-payload-sp53 -PA40125 -PS443 -PE; size 8003, 83.15%
  -PU53-payload-sp53 -PA21 -PS443 -PE; size 8002, 83.14%
=== 5 probes
* -PU53-payload-sp53 -PA80 -PP -PS443 -PE; size 8487, 88.18%
  -PU53-payload-sp53 -PA80 -PP -PS443 -PO1; size 8474, 88.04%
  -PU53-payload-sp53 -PA3389 -PP -PS443 -PE; size 8459, 87.89%
  -PU123-payload-sp53 -PA80 -PP -PS443 -PE; size 8458, 87.88%
  -PU53-payload-sp53 -PA3389 -PP -PS443 -PO1; size 8450, 87.79%
  -PU123-payload-sp53 -PA80 -PP -PS443 -PO1; size 8447, 87.76%
  -PU53-payload-sp53 -PA110 -PP -PS443 -PE; size 8429, 87.57%
  -PU123-payload-sp53 -PA3389 -PP -PS443 -PE; size 8422, 87.50%
  -PU53-payload-sp53 -PA21 -PP -PS443 -PE; size 8422, 87.50%
  -PU53-payload-sp53 -PA22 -PP -PS443 -PE; size 8422, 87.50%
=== 6 probes
When I killed the script, the best 6-probe combination was
  -PU53-payload-sp53 -PA3389 -PP -PS80 -PS443 -PE; size 8669, 90.07%
=== 7 probes
When I killed the script, the best 7-probe combination was
  -PU161-payload-sp53 -PU53-payload-sp53 -PA3389 -PP -PS80 -PS443 -PE; size 8847, 91.92%

Effect of ACK filtering

One of the four scanning hosts above filters outgoing ACK packets, so all the -PA probes find 0 hosts. I was curious whether -PS443 would continue to be better than -PA80 in the absence of this filtering. I ran another analysis, excluding the filtered host. -PE -PA80 became the best two-probe combination. -PE -PS443 is still in the top ten, but finds 128 fewer hosts.

Maximum possible using all 79 probes: 7276.
-PE                   4364 59.98%
-PO1                  4320 59.37%
-PS443                3064 42.11%
-PA80                 3033 41.68%
-PS80                 3018 41.48%
-PA443                2992 41.12%
-PA110                2864 39.36%
-PA3389               2852 39.20%
-PA21                 2836 38.98%
-PS110                2834 38.95%
-PA22                 2832 38.92%
-PO6                  2822 38.79%
-PA40125              2820 38.76%
-PS21                 2817 38.72%
-PA40126              2815 38.69%
-PS22                 2767 38.03%
-PA23                 2707 37.20%
-PS3389               2670 36.70%
-PS40125              2567 35.28%
-PS40126              2561 35.20%
-PP                   2530 34.77%
-PS23                 2486 34.17%
-PU40125-sp53-dl24    2209 30.36%
-PU40126-sp53-dl24    2206 30.32%
-PU31338-sp53-dl24    2153 29.59%
-PU40125-dl24         2076 28.53%
-PU40125-sp53         2066 28.39%
-PU631-sp53-dl24      2059 28.30%
-PU40126-dl24         2059 28.30%
-PU40126-sp53         2058 28.28%
-PU31338-sp53         2015 27.69%
-PU31338-dl24         2011 27.64%
-PU123-payload-sp53   1972 27.10%
-PU631-dl24           1960 26.94%
-PU53-payload-sp53    1948 26.77%
-PU123-payload        1938 26.64%
-PU40125              1915 26.32%
-PU53-payload         1906 26.20%
-PU40126              1905 26.18%
-PU631-sp53           1903 26.15%
-PU31338              1863 25.60%
-PO17                 1832 25.18%
-PS25                 1791 24.62%
-PA25                 1784 24.52%
-PU631                1783 24.51%
-PU1434-payload-sp53  1731 23.79%
-PA445                1727 23.74%
-PU500-payload-sp53   1702 23.39%
-PA139                1687 23.19%
-PU123-sp53-dl24      1684 23.14%
-PU500-payload        1638 22.51%
-PU1434-payload       1625 22.33%
-PU123-dl24           1616 22.21%
-PS445                1567 21.54%
-PS139                1524 20.95%
-PU123-sp53           1483 20.38%
-PU161-payload-sp53   1451 19.94%
-PU123                1421 19.53%
-PU161-payload        1352 18.58%
-PU135-payload-sp53   1301 17.88%
-PU138-sp53-dl24      1291 17.74%
-PU161-sp53-dl24      1277 17.55%
-PU161-sp53           1272 17.48%
-PU137-sp53-dl24      1267 17.41%
-PU137-payload-sp53   1246 17.12%
-PU161-dl24           1234 16.96%
-PU138-dl24           1231 16.92%
-PU135-payload        1228 16.88%
-PU161                1223 16.81%
-PU137-dl24           1218 16.74%
-PU137-payload        1182 16.25%
-PU138-sp53           1155 15.87%
-PU137-sp53           1139 15.65%
-PU138                1097 15.08%
-PU137                1086 14.93%
-PO150                706 9.70%
-PO2                  682 9.37%
-PO4                  587 8.07%
-PM                   279 3.83%
=== 1 probe
* -PE; size 4364, 59.98%
  -PO1; size 4320, 59.37%
  -PS443; size 3064, 42.11%
  -PA80; size 3033, 41.68%
  -PS80; size 3018, 41.48%
  -PA443; size 2992, 41.12%
  -PA110; size 2864, 39.36%
  -PA3389; size 2852, 39.20%
  -PA21; size 2836, 38.98%
  -PS110; size 2834, 38.95%
=== 2 probes
* -PA80 -PE; size 5358, 73.64%
  -PA80 -PO1; size 5320, 73.12%
  -PA443 -PE; size 5309, 72.97%
  -PA443 -PO1; size 5274, 72.48%
  -PA21 -PE; size 5237, 71.98%
  -PA3389 -PE; size 5234, 71.94%
  -PA22 -PE; size 5232, 71.91%
  -PS443 -PE; size 5230, 71.88%
  -PA110 -PE; size 5219, 71.73%
  -PA21 -PO1; size 5204, 71.52%
=== 3 probes
* -PU53-payload-sp53 -PA80 -PE; size 5847, 80.36%
  -PU123-payload-sp53 -PA80 -PE; size 5823, 80.03%
  -PU53-payload-sp53 -PA80 -PO1; size 5812, 79.88%
  -PU53-payload-sp53 -PA443 -PE; size 5794, 79.63%
  -PU123-payload-sp53 -PA80 -PO1; size 5787, 79.54%
  -PA80 -PS443 -PE; size 5777, 79.40%
  -PU123-payload-sp53 -PA443 -PE; size 5771, 79.32%
  -PU123-payload -PA80 -PE; size 5765, 79.23%
  -PU1434-payload-sp53 -PA80 -PE; size 5762, 79.19%
  -PU53-payload-sp53 -PA443 -PO1; size 5762, 79.19%

Subset Union

Given a family F of sets and nonnegative integers n and k, is there a subfamily of F of size at most k whose union has size at least n?

Subset Union is NP-complete

First, Subset Union is in NP. Given a subset S of F, we can in polynomial time verify that the size of S does not exceed k and that the size of the union of all of S is at least n.

We now show that Set Cover is reducible in polynomial time to Subset Union. Given an instance of Set Cover, construct a family F using the sets of Set Cover. Let k be the desired number of sets from Set Cover, and set n to the size of the family U in Set Cover.

Now, a set is covered by a subfamily of size at most k if and only if there is a subset union of F of size at most k whose union has size at least n. If a set is covered by a subfamily of size at most k, then the union of the subfamily has the same size as the set; i.e., n. If there is a subset union of F of size at most k whose union has size at least n, then the subfamily of F also covers U, which has n elements. ∎
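
The ranking described in the general strategy and in the Subset Union section can be reproduced with the Python below. It is an added example, not the analysis script used for this page. The sample data, the scanner names siteA and siteB, the culling rule, counting each (scanner, host) pair as one found host, and the greedy heuristic shown for comparison are all assumptions of the example.

```python
from itertools import combinations

# Constructed sample, not data from the page: {scanner: {probe: hosts up}}.
# Small integers stand in for addresses. "siteB" drops outgoing ACKs, so
# -PA80 finds nothing from there.
SCANS = {
    "siteA": {"-PE": {1, 2, 3, 4}, "-PO1": {1, 2, 3}, "-PS443": {1, 2, 5},
              "-PA80": {3, 4, 6}, "-PM": set()},
    "siteB": {"-PE": {1, 2, 3, 4}, "-PO1": {1, 2, 3}, "-PS443": {1, 2, 5},
              "-PA80": set(), "-PM": set()},
}


def combine(scans, exclude=()):
    """Merge scanners into {probe: set of (scanner, host)} (assumed counting)."""
    merged = {}
    for site, by_probe in scans.items():
        if site in exclude:
            continue
        for probe, hosts in by_probe.items():
            merged.setdefault(probe, set()).update((site, h) for h in hosts)
    return merged


def cull(results):
    """Drop probes that are empty or contained in another kept probe.

    Such a probe can always be swapped for its superset without shrinking
    the union, so the best achievable size is unchanged.
    """
    kept = {}
    for probe in sorted(results, key=lambda p: (-len(results[p]), p)):
        hosts = results[probe]
        if hosts and not any(hosts <= other for other in kept.values()):
            kept[probe] = hosts
    return kept


def best_combinations(results, k, top=10):
    """Exhaustively rank every k-probe combination by union size."""
    ranked = []
    for combo in combinations(sorted(results), k):
        found = set().union(*(results[p] for p in combo))
        ranked.append((len(found), combo))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked[:top]


def search(results, max_k, top=10):
    """Rank k = 1..max_k, stopping once a combination finds every host."""
    universe = len(set().union(*results.values()))
    kept = cull(results)
    tables = {}
    for k in range(1, max_k + 1):
        ranked = best_combinations(kept, k, top)
        if not ranked:
            break
        tables[k] = ranked
        if ranked[0][0] == universe:
            break
    return universe, tables


def greedy(results, k):
    """Polynomial-time heuristic: repeatedly add the probe with most new hosts."""
    chosen, covered = [], set()
    for _ in range(k):
        rest = sorted(p for p in results if p not in chosen)
        if not rest:
            break
        probe = max(rest, key=lambda p: len(results[p] - covered))
        if not results[probe] - covered:
            break
        chosen.append(probe)
        covered |= results[probe]
    return chosen, len(covered)


def report(universe, tables):
    """Format rankings the way the page's result listings are laid out."""
    lines = [f"Maximum possible: {universe}."]
    for k, ranked in tables.items():
        lines.append(f"=== {k} probe" + ("s" if k > 1 else ""))
        best = ranked[0][0]
        for size, combo in ranked:
            mark = "*" if size == best else " "
            lines.append(f"{mark} {' '.join(combo)}; size {size}, "
                         f"{100 * size / universe:.2f}%")
    return lines


if __name__ == "__main__":
    for label, exclude in (("all scanners", ()), ("without siteB", ("siteB",))):
        merged = combine(SCANS, exclude)
        print(f"--- {label}")
        print("\n".join(report(*search(merged, 3))))
        print("greedy k=2:", greedy(merged, 2))
```

On this constructed data the greedy pick for two probes from siteA alone finds 5 of 6 hosts, while the exhaustive search finds all 6; dropping the ACK-filtering scanner also changes which pair ranks first.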

Large scan with UDP payloads and SCTP ping (May 25, 2009)

This was a large scan using 90 different ping probes, including all those tested so far, plus additional payloads for DNS and SNMP, and -PY ping from the SCTP branch. This scan was done on the same 6,492 addresses on the same four scanning hosts.

Surprisingly, the UDP payload probes did not do as well this time. Before, port 53 with a payload was in the best combination for 3 probes; this time no probe with a payload even placed in the top ten. They do appear among the top results for 5 and 6 probes.

For some reason, fewer hosts were found overall this time around (9023 vs. 9625), even with the additional probes. I guess that is because of network variance over the past 15 days. Another possibility is that merging the SCTP changes affected other aspects of scanning somehow. Even the normal probes like -PE and -PS were decreased in this round.

Maximum possible using all 90 probes: 9023.
-PE                    5553 61.54%
-PO1                   5500 60.96%
-PS443                 3914 43.38%
-PS80                  3751 41.57%
-PS110                 3571 39.58%
-PS21                  3491 38.69%
-PS22                  3412 37.81%
-PS3389                3315 36.74%
-PP                    3213 35.61%
-PS40125               3190 35.35%
-PS40126               3175 35.19%
-PS23                  3087 34.21%
-PA80                  2899 32.13%
-PA443                 2881 31.93%
-PU40125-sp53-dl24     2727 30.22%
-PA110                 2723 30.18%
-PU40126-sp53-dl24     2708 30.01%
-PA3389                2708 30.01%
-PA40125               2685 29.76%
-PA40126               2675 29.65%
-PA22                  2672 29.61%
-PO6                   2666 29.55%
-PA21                  2654 29.41%
-PU31338-sp53-dl24     2641 29.27%
-PS25                  2582 28.62%
-PA23                  2581 28.60%
-PU123-payload1-sp53   2570 28.48%
-PU631-sp53-dl24       2561 28.38%
-PU40125-sp53          2531 28.05%
-PU40126-sp53          2529 28.03%
-PU40125-dl24          2510 27.82%
-PU40126-dl24          2506 27.77%
-PU123-payload1        2490 27.60%
-PU53-payload2-sp53    2471 27.39%
-PU53-payload2         2453 27.19%
-PU31338-sp53          2450 27.15%
-PU31338-dl24          2420 26.82%
-PU53-payload1-sp53    2404 26.64%
-PU631-dl24            2376 26.33%
-PU631-sp53            2370 26.27%
-PU53-payload1         2349 26.03%
-PU1434-payload1-sp53  2329 25.81%
-PU161-payload2-sp53   2326 25.78%
-PU40125               2320 25.71%
-PU40126               2304 25.53%
-PU500-payload1-sp53   2270 25.16%
-PO17                  2232 24.74%
-PU31338               2223 24.64%
-PU1434-payload1       2189 24.26%
-PY                    2186 24.23%
-PU161-payload2        2185 24.22%
-PU631                 2184 24.20%
-PU500-payload1        2180 24.16%
-PU53-sp53-dl24        2156 23.89%
-PU53-sp53             2110 23.38%
-PU53-dl24             2082 23.07%
-PU123-sp53-dl24       2018 22.37%
-PS445                 2010 22.28%
-PU123-dl24            1978 21.92%
-PU53                  1955 21.67%
-PS139                 1945 21.56%
-PU161-payload1-sp53   1911 21.18%
-PU123-sp53            1835 20.34%
-PU161-payload1        1789 19.83%
-PU123                 1723 19.10%
-PA25                  1721 19.07%
-PA445                 1682 18.64%
-PU135-payload1-sp53   1651 18.30%
-PU135-payload2-sp53   1643 18.21%
-PA139                 1619 17.94%
-PU161-sp53            1605 17.79%
-PU161-sp53-dl24       1597 17.70%
-PU137-payload1-sp53   1596 17.69%
-PU135-payload2        1545 17.12%
-PU135-payload1        1542 17.09%
-PU138-sp53-dl24       1536 17.02%
-PU137-sp53-dl24       1514 16.78%
-PU137-payload1        1497 16.59%
-PU161-dl24            1481 16.41%
-PU161                 1481 16.41%
-PU138-dl24            1456 16.14%
-PU137-dl24            1424 15.78%
-PU138-sp53            1377 15.26%
-PU137-sp53            1345 14.91%
-PU138                 1293 14.33%
-PU137                 1260 13.96%
-PO2                   792 8.78%
-PO150                 605 6.71%
-PO4                   482 5.34%
-PM                    368 4.08%
=== 1 probe; found in 0:00:00.
* -PE; size 5553, 61.54%
  -PO1; size 5500, 60.96%
  -PS443; size 3914, 43.38%
  -PS80; size 3751, 41.57%
  -PS110; size 3571, 39.58%
  -PS21; size 3491, 38.69%
  -PS22; size 3412, 37.81%
  -PS3389; size 3315, 36.74%
  -PP; size 3213, 35.61%
  -PS40125; size 3190, 35.35%
=== 2 probes; found in 0:00:00.
* -PE -PS443; size 6777, 75.11%
  -PO1 -PS443; size 6724, 74.52%
  -PE -PS80; size 6663, 73.84%
  -PO1 -PS80; size 6609, 73.25%
  -PE -PS21; size 6605, 73.20%
  -PE -PS110; size 6580, 72.92%
  -PE -PA80; size 6567, 72.78%
  -PO1 -PS21; size 6554, 72.64%
  -PE -PS22; size 6544, 72.53%
  -PO1 -PS110; size 6520, 72.26%
=== 3 probes; found in 0:00:01.
* -PE -PS443 -PA80; size 7318, 81.10%
  -PE -PS443 -PP; size 7311, 81.03%
  -PO1 -PS443 -PP; size 7277, 80.65%
  -PO1 -PS443 -PA80; size 7264, 80.51%
  -PE -PS443 -PA3389; size 7241, 80.25%
  -PE -PS443 -PA110; size 7228, 80.11%
  -PE -PS21 -PA80; size 7225, 80.07%
  -PE -PS443 -PA21; size 7220, 80.02%
  -PE -PS443 -PA40125; size 7219, 80.01%
  -PE -PS443 -PA40126; size 7216, 79.97%
=== 4 probes; found in 0:00:13.
* -PE -PS443 -PP -PA80; size 7778, 86.20%
  -PO1 -PS443 -PP -PA80; size 7745, 85.84%
  -PE -PS443 -PP -PA3389; size 7735, 85.73%
  -PE -PS443 -PP -PA110; size 7722, 85.58%
  -PE -PS443 -PP -PA21; size 7714, 85.49%
  -PE -PS443 -PP -PA40125; size 7713, 85.48%
  -PE -PS443 -PP -PA40126; size 7710, 85.45%
  -PE -PS443 -PP -PA22; size 7705, 85.39%
  -PO1 -PS443 -PP -PA3389; size 7703, 85.37%
  -PE -PS443 -PP -PO6; size 7700, 85.34%
=== 5 probes; found in 0:04:00.
* -PO1 -PS443 -PP -PA80 -PY; size 8028, 88.97%
  -PE -PS443 -PP -PA80 -PU40125-sp53-dl24; size 8005, 88.72%
  -PE -PS443 -PP -PA80 -PU40125-sp53; size 8005, 88.72%
  -PE -PS443 -PP -PA80 -PU161-payload2-sp53; size 8005, 88.72%
  -PE -PS443 -PP -PA80 -PU40126-sp53-dl24; size 8004, 88.71%
  -PE -PS443 -PP -PA80 -PU53-payload1-sp53; size 8001, 88.67%
  -PE -PS443 -PP -PA80 -PY; size 8000, 88.66%
  -PE -PS443 -PP -PA80 -PU53-payload2-sp53; size 8000, 88.66%
  -PE -PS443 -PP -PA80 -PU40126-sp53; size 7996, 88.62%
  -PO1 -PS443 -PP -PA3389 -PY; size 7977, 88.41%
=== 6 probes; found in 0:56:43.
* -PO1 -PS443 -PP -PA80 -PU40125-sp53-dl24 -PY; size 8214, 91.03%
  -PO1 -PS443 -PP -PA80 -PU40126-sp53-dl24 -PY; size 8211, 91.00%
  -PO1 -PS443 -PP -PA80 -PU40125-sp53 -PY; size 8211, 91.00%
  -PO1 -PS443 -PP -PA80 -PU40126-sp53 -PY; size 8207, 90.96%
  -PO1 -PS443 -PP -PA80 -PU53-payload1-sp53 -PY; size 8203, 90.91%
  -PO1 -PS443 -PP -PA80 -PU53-payload2-sp53 -PY; size 8200, 90.88%
  -PE -PS443 -PP -PA80 -PU40125-sp53 -PY; size 8188, 90.75%
  -PE -PS443 -PP -PA80 -PU40126-sp53-dl24 -PY; size 8187, 90.73%
  -PE -PS443 -PP -PA80 -PU40125-sp53-dl24 -PY; size 8187, 90.73%
  -PE -PS443 -PP -PA80 -PU53-payload1-sp53 -PY; size 8184, 90.70%
=== 7 probes
When I killed the script, the best was
-PE -PS443 -PS80 -PP -PA3389 -PU40125-sp53 -PY (8337).

Exclusion of ACK-filtered host

Here are the results without the host that filters ACKs.

Maximum possible using all 90 probes: 6768.
-PE                    4185 61.84%
-PO1                   4145 61.24%
-PS443                 2959 43.72%
-PA80                  2899 42.83%
-PA443                 2881 42.57%
-PS80                  2845 42.04%
-PA110                 2723 40.23%
-PA3389                2708 40.01%
-PS110                 2707 40.00%
-PA40125               2685 39.67%
-PA40126               2675 39.52%
-PA22                  2672 39.48%
-PO6                   2666 39.39%
-PS21                  2654 39.21%
-PA21                  2654 39.21%
-PS22                  2596 38.36%
-PA23                  2581 38.14%
-PS3389                2512 37.12%
-PP                    2456 36.29%
-PS40125               2419 35.74%
-PS40126               2409 35.59%
-PS23                  2344 34.63%
-PU40125-sp53-dl24     2088 30.85%
-PU40126-sp53-dl24     2064 30.50%
-PU31338-sp53-dl24     2007 29.65%
-PU631-sp53-dl24       1946 28.75%
-PU123-payload1-sp53   1943 28.71%
-PU40125-sp53          1936 28.61%
-PU40126-sp53          1932 28.55%
-PU40125-dl24          1919 28.35%
-PU40126-dl24          1912 28.25%
-PU123-payload1        1899 28.06%
-PU53-payload2-sp53    1878 27.75%
-PU53-payload2         1875 27.70%
-PU31338-sp53          1866 27.57%
-PU31338-dl24          1853 27.38%
-PU53-payload1-sp53    1820 26.89%
-PU631-dl24            1819 26.88%
-PU631-sp53            1803 26.64%
-PU53-payload1         1797 26.55%
-PU1434-payload1-sp53  1769 26.14%
-PU40125               1767 26.11%
-PU40126               1764 26.06%
-PU161-payload2-sp53   1753 25.90%
-PS25                  1748 25.83%
-PU500-payload1-sp53   1722 25.44%
-PA25                  1721 25.43%
-PU31338               1698 25.09%
-PO17                  1697 25.07%
-PA445                 1682 24.85%
-PU1434-payload1       1678 24.79%
-PU161-payload2        1667 24.63%
-PU500-payload1        1665 24.60%
-PU631                 1655 24.45%
-PY                    1644 24.29%
-PA139                 1619 23.92%
-PU53-sp53-dl24        1618 23.91%
-PU53-sp53             1604 23.70%
-PU53-dl24             1581 23.36%
-PS445                 1542 22.78%
-PU123-sp53-dl24       1539 22.74%
-PU123-dl24            1518 22.43%
-PU53                  1487 21.97%
-PS139                 1473 21.76%
-PU161-payload1-sp53   1454 21.48%
-PU123-sp53            1398 20.66%
-PU161-payload1        1373 20.29%
-PU123                 1326 19.59%
-PU135-payload2-sp53   1252 18.50%
-PU135-payload1-sp53   1252 18.50%
-PU161-sp53            1227 18.13%
-PU161-sp53-dl24       1215 17.95%
-PU137-payload1-sp53   1214 17.94%
-PU135-payload2        1186 17.52%
-PU135-payload1        1183 17.48%
-PU138-sp53-dl24       1163 17.18%
-PU137-sp53-dl24       1148 16.96%
-PU137-payload1        1145 16.92%
-PU161-dl24            1141 16.86%
-PU161                 1138 16.81%
-PU138-dl24            1107 16.36%
-PU137-dl24            1081 15.97%
-PU138-sp53            1037 15.32%
-PU137-sp53            1021 15.09%
-PU138                 975 14.41%
-PU137                 968 14.30%
-PO2                   609 9.00%
-PO150                 605 8.94%
-PO4                   482 7.12%
-PM                    282 4.17%
=== 1 probe; found in 0:00:00.
* -PE; size 4185, 61.84%
  -PO1; size 4145, 61.24%
  -PS443; size 2959, 43.72%
  -PA80; size 2899, 42.83%
  -PA443; size 2881, 42.57%
  -PS80; size 2845, 42.04%
  -PA110; size 2723, 40.23%
  -PA3389; size 2708, 40.01%
  -PS110; size 2707, 40.00%
  -PA40125; size 2685, 39.67%
=== 2 probes; found in 0:00:00.
* -PE -PA80; size 5199, 76.82%
  -PO1 -PA80; size 5163, 76.29%
  -PE -PA443; size 5145, 76.02%
  -PO1 -PA443; size 5110, 75.50%
  -PE -PS443; size 5075, 74.99%
  -PE -PA21; size 5057, 74.72%
  -PE -PA22; size 5049, 74.60%
  -PO1 -PS443; size 5048, 74.59%
  -PE -PA3389; size 5046, 74.56%
  -PE -PA110; size 5046, 74.56%
=== 3 probes; found in 0:00:00.
* -PE -PS443 -PA80; size 5616, 82.98%
  -PO1 -PS443 -PA80; size 5588, 82.57%
  -PE -PA80 -PS21; size 5578, 82.42%
  -PE -PA80 -PS110; size 5555, 82.08%
  -PO1 -PA80 -PS21; size 5542, 81.89%
  -PE -PS443 -PA3389; size 5539, 81.84%
  -PE -PA80 -PS22; size 5534, 81.77%
  -PE -PA80 -PP; size 5527, 81.66%
  -PE -PS443 -PA110; size 5526, 81.65%
  -PO1 -PA80 -PS110; size 5525, 81.63%
=== 4 probes; found in 0:00:11.
* -PE -PS443 -PA80 -PP; size 5938, 87.74%
  -PO1 -PS443 -PA80 -PP; size 5921, 87.49%
  -PE -PA80 -PS21 -PP; size 5899, 87.16%
  -PE -PS443 -PA3389 -PP; size 5895, 87.10%
  -PE -PS443 -PA110 -PP; size 5882, 86.91%
  -PO1 -PS443 -PA3389 -PP; size 5879, 86.86%
  -PO1 -PA80 -PS21 -PP; size 5876, 86.82%
  -PE -PA80 -PS110 -PP; size 5875, 86.81%
  -PE -PS443 -PA21 -PP; size 5874, 86.79%
  -PE -PS443 -PA40125 -PP; size 5873, 86.78%
=== 5 probes; found in 0:03:07.
* -PO1 -PS443 -PA80 -PP -PY; size 6121, 90.44%
  -PE -PS443 -PA80 -PP -PU161-payload2-sp53; size 6106, 90.22%
  -PE -PS443 -PA80 -PP -PY; size 6105, 90.20%
  -PE -PS443 -PA80 -PP -PU40125-sp53-dl24; size 6105, 90.20%
  -PE -PS443 -PA80 -PP -PU40125-sp53; size 6104, 90.19%
  -PE -PS443 -PA80 -PP -PU53-payload2-sp53; size 6103, 90.17%
  -PE -PS443 -PA80 -PP -PU40126-sp53-dl24; size 6103, 90.17%
  -PE -PS443 -PA80 -PP -PU53-payload1-sp53; size 6100, 90.13%
  -PE -PS443 -PA80 -PP -PU40126-sp53; size 6099, 90.12%
  -PO1 -PS443 -PA80 -PP -PU40125-sp53-dl24; size 6089, 89.97%
=== 6 probes; found in 0:44:07.
* -PO1 -PS443 -PA80 -PP -PU40125-sp53-dl24 -PY; size 6257, 92.45%
  -PO1 -PS443 -PA80 -PP -PU40125-sp53 -PY; size 6255, 92.42%
  -PO1 -PS443 -PA80 -PP -PU40126-sp53-dl24 -PY; size 6254, 92.41%
  -PO1 -PS443 -PA80 -PP -PU40126-sp53 -PY; size 6252, 92.38%
  -PO1 -PS443 -PA80 -PP -PU53-payload2-sp53 -PY; size 6249, 92.33%
  -PO1 -PS443 -PA80 -PP -PU53-payload1-sp53 -PY; size 6248, 92.32%
  -PE -PS443 -PA80 -PP -PU40125-sp53-dl24 -PY; size 6241, 92.21%
  -PE -PS443 -PA80 -PP -PU40125-sp53 -PY; size 6240, 92.20%
  -PE -PS443 -PA80 -PP -PU53-payload2-sp53 -PY; size 6239, 92.18%
  -PE -PS443 -PA80 -PP -PU40126-sp53-dl24 -PY; size 6239, 92.18%
=== 7 probes; found in 8:56:44.
* -PO1 -PS443 -PS80 -PA3389 -PP -PU40125-sp53-dl24 -PY; size 6338, 93.65%
* -PO1 -PS443 -PS80 -PA3389 -PP -PU40125-sp53 -PY; size 6338, 93.65%
  -PO1 -PS443 -PS80 -PA3389 -PP -PU40126-sp53-dl24 -PY; size 6335, 93.60%
  -PO1 -PS443 -PS80 -PA3389 -PP -PU40126-sp53 -PY; size 6335, 93.60%
  -PO1 -PS443 -PA80 -PP -PU40125-sp53-dl24 -PU161-payload2-sp53 -PY; size 6330, 93.53%
  -PO1 -PS443 -PS80 -PA21 -PP -PU40125-sp53-dl24 -PY; size 6329, 93.51%
  -PO1 -PS443 -PS80 -PA3389 -PP -PU53-payload2-sp53 -PY; size 6328, 93.50%
  -PO1 -PS443 -PS80 -PA21 -PP -PU40125-sp53 -PY; size 6328, 93.50%
  -PO1 -PS443 -PA80 -PP -PU40125-sp53 -PU161-payload2-sp53 -PY; size 6328, 93.50%
  -PO1 -PS443 -PS80 -PA3389 -PP -PU53-payload1-sp53 -PY; size 6326, 93.47%
=== 8 probes
When I killed the script, the best was
-PO1 -PS443 -PS80 -PA3389 -PP -PU40125-sp53-dl24 -PU161-payload2-sp53 -PY (6410).
=== 9 probes
When I killed the script, the best was
-PE -PO1 -PS443 -PS80 -PA3389 -PP -PU40125-sp53-dl24 -PU161-payload2-sp53 -PY (6428).
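
The combination search is expensive (0:44:07 at 6 probes, 8:56:44 at 7, killed at 8 and 9), and the best 5-probe set above swaps -PE for -PO1 instead of extending the best 4-probe set. The following Python is an added example, not the project's analysis script: it ranks combinations by distinct hosts found, assuming an exhaustive search, and compares that with a greedy pick, which is fast but misses exactly that kind of swap. The host sets are constructed sample data, and the function names are illustrative.

```python
"""Best k-probe combinations by distinct hosts found (union of result sets)."""
from itertools import combinations

# Constructed sample data (not from the scans above): probe -> hosts found up.
RESULTS = {
    "-PE":    {1, 2, 3, 4, 5, 6, 7, 8},
    "-PO1":   {1, 2, 3, 4, 5, 6, 9},
    "-PS443": {7, 10, 11},
    "-PY":    {8, 12, 13},
    "-PM":    {1, 2},
}


def covered(results, combo):
    """Distinct hosts found by any probe in combo (overlaps counted once)."""
    return set().union(*(results[p] for p in combo))


def exhaustive(results, k, top=10):
    """Score every k-probe combination; return the top entries, best first."""
    scored = [(combo, len(covered(results, combo)))
              for combo in combinations(results, k)]
    scored.sort(key=lambda item: -item[1])  # stable: ties keep input order
    return scored[:top]


def greedy(results, k):
    """Repeatedly add the probe that finds the most hosts not yet covered."""
    chosen, found = [], set()
    for _ in range(min(k, len(results))):
        remaining = [p for p in results if p not in chosen]
        best = max(remaining, key=lambda p: len(results[p] - found))
        chosen.append(best)
        found |= results[best]
    return tuple(chosen), len(found)


def report(results, k, top=10):
    """Format results like the listings above; '*' marks the best (and ties)."""
    total = len(covered(results, results))
    ranked = exhaustive(results, k, top)
    best_size = ranked[0][1]
    return ["%s %s; size %d, %.2f%%" % ("*" if size == best_size else " ",
                                         " ".join(combo), size,
                                         100.0 * size / total)
            for combo, size in ranked]


if __name__ == "__main__":
    for k in (1, 2, 3):
        print("=== %d probe%s" % (k, "" if k == 1 else "s"))
        print("\n".join(report(RESULTS, k, top=3)))
        print("greedy:", *greedy(RESULTS, k))
```

On the sample data the greedy pick starts with -PE, the best single probe, and ends one host short of the exhaustive winner, which starts with -PO1.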

Exclusion of SCTP ping

The -PY SCTP ping joins the best combinations at size 5. Here are the results without it.

Maximum possible using all 89 probes: 8925.
-PE                    5553 62.22%
-PO1                   5500 61.62%
-PS443                 3914 43.85%
-PS80                  3751 42.03%
-PS110                 3571 40.01%
-PS21                  3491 39.11%
-PS22                  3412 38.23%
-PS3389                3315 37.14%
-PP                    3213 36.00%
-PS40125               3190 35.74%
-PS40126               3175 35.57%
-PS23                  3087 34.59%
-PA80                  2899 32.48%
-PA443                 2881 32.28%
-PU40125-sp53-dl24     2727 30.55%
-PA110                 2723 30.51%
-PU40126-sp53-dl24     2708 30.34%
-PA3389                2708 30.34%
-PA40125               2685 30.08%
-PA40126               2675 29.97%
-PA22                  2672 29.94%
-PO6                   2666 29.87%
-PA21                  2654 29.74%
-PU31338-sp53-dl24     2641 29.59%
-PS25                  2582 28.93%
-PA23                  2581 28.92%
-PU123-payload1-sp53   2570 28.80%
-PU631-sp53-dl24       2561 28.69%
-PU40125-sp53          2531 28.36%
-PU40126-sp53          2529 28.34%
-PU40125-dl24          2510 28.12%
-PU40126-dl24          2506 28.08%
-PU123-payload1        2490 27.90%
-PU53-payload2-sp53    2471 27.69%
-PU53-payload2         2453 27.48%
-PU31338-sp53          2450 27.45%
-PU31338-dl24          2420 27.11%
-PU53-payload1-sp53    2404 26.94%
-PU631-dl24            2376 26.62%
-PU631-sp53            2370 26.55%
-PU53-payload1         2349 26.32%
-PU1434-payload1-sp53  2329 26.10%
-PU161-payload2-sp53   2326 26.06%
-PU40125               2320 25.99%
-PU40126               2304 25.82%
-PU500-payload1-sp53   2270 25.43%
-PO17                  2232 25.01%
-PU31338               2223 24.91%
-PU1434-payload1       2189 24.53%
-PU161-payload2        2185 24.48%
-PU631                 2184 24.47%
-PU500-payload1        2180 24.43%
-PU53-sp53-dl24        2156 24.16%
-PU53-sp53             2110 23.64%
-PU53-dl24             2082 23.33%
-PU123-sp53-dl24       2018 22.61%
-PS445                 2010 22.52%
-PU123-dl24            1978 22.16%
-PU53                  1955 21.90%
-PS139                 1945 21.79%
-PU161-payload1-sp53   1911 21.41%
-PU123-sp53            1835 20.56%
-PU161-payload1        1789 20.04%
-PU123                 1723 19.31%
-PA25                  1721 19.28%
-PA445                 1682 18.85%
-PU135-payload1-sp53   1651 18.50%
-PU135-payload2-sp53   1643 18.41%
-PA139                 1619 18.14%
-PU161-sp53            1605 17.98%
-PU161-sp53-dl24       1597 17.89%
-PU137-payload1-sp53   1596 17.88%
-PU135-payload2        1545 17.31%
-PU135-payload1        1542 17.28%
-PU138-sp53-dl24       1536 17.21%
-PU137-sp53-dl24       1514 16.96%
-PU137-payload1        1497 16.77%
-PU161-dl24            1481 16.59%
-PU161                 1481 16.59%
-PU138-dl24            1456 16.31%
-PU137-dl24            1424 15.96%
-PU138-sp53            1377 15.43%
-PU137-sp53            1345 15.07%
-PU138                 1293 14.49%
-PU137                 1260 14.12%
-PO2                   792 8.87%
-PO150                 605 6.78%
-PO4                   482 5.40%
-PM                    368 4.12%
=== 1 probe; found in 0:00:00.
* -PE; size 5553, 62.22%
  -PO1; size 5500, 61.62%
  -PS443; size 3914, 43.85%
  -PS80; size 3751, 42.03%
  -PS110; size 3571, 40.01%
  -PS21; size 3491, 39.11%
  -PS22; size 3412, 38.23%
  -PS3389; size 3315, 37.14%
  -PP; size 3213, 36.00%
  -PS40125; size 3190, 35.74%
=== 2 probes; found in 0:00:00.
* -PE -PS443; size 6777, 75.93%
  -PO1 -PS443; size 6724, 75.34%
  -PE -PS80; size 6663, 74.66%
  -PO1 -PS80; size 6609, 74.05%
  -PE -PS21; size 6605, 74.01%
  -PE -PS110; size 6580, 73.73%
  -PE -PA80; size 6567, 73.58%
  -PO1 -PS21; size 6554, 73.43%
  -PE -PS22; size 6544, 73.32%
  -PO1 -PS110; size 6520, 73.05%
=== 3 probes; found in 0:00:00.
* -PE -PS443 -PA80; size 7318, 81.99%
  -PE -PS443 -PP; size 7311, 81.92%
  -PO1 -PS443 -PP; size 7277, 81.54%
  -PO1 -PS443 -PA80; size 7264, 81.39%
  -PE -PS443 -PA3389; size 7241, 81.13%
  -PE -PS443 -PA110; size 7228, 80.99%
  -PE -PS21 -PA80; size 7225, 80.95%
  -PE -PS443 -PA21; size 7220, 80.90%
  -PE -PS443 -PA40125; size 7219, 80.89%
  -PE -PS443 -PA40126; size 7216, 80.85%
=== 4 probes; found in 0:00:13.
* -PE -PS443 -PP -PA80; size 7778, 87.15%
  -PO1 -PS443 -PP -PA80; size 7745, 86.78%
  -PE -PS443 -PP -PA3389; size 7735, 86.67%
  -PE -PS443 -PP -PA110; size 7722, 86.52%
  -PE -PS443 -PP -PA21; size 7714, 86.43%
  -PE -PS443 -PP -PA40125; size 7713, 86.42%
  -PE -PS443 -PP -PA40126; size 7710, 86.39%
  -PE -PS443 -PP -PA22; size 7705, 86.33%
  -PO1 -PS443 -PP -PA3389; size 7703, 86.31%
  -PE -PS443 -PP -PO6; size 7700, 86.27%
=== 5 probes; found in 0:03:50.
* -PE -PS443 -PP -PA80 -PU40125-sp53-dl24; size 8005, 89.69%
* -PE -PS443 -PP -PA80 -PU40125-sp53; size 8005, 89.69%
* -PE -PS443 -PP -PA80 -PU161-payload2-sp53; size 8005, 89.69%
  -PE -PS443 -PP -PA80 -PU40126-sp53-dl24; size 8004, 89.68%
  -PE -PS443 -PP -PA80 -PU53-payload1-sp53; size 8001, 89.65%
  -PE -PS443 -PP -PA80 -PU53-payload2-sp53; size 8000, 89.64%
  -PE -PS443 -PP -PA80 -PU40126-sp53; size 7996, 89.59%
  -PO1 -PS443 -PP -PA80 -PU40125-sp53-dl24; size 7973, 89.33%
  -PO1 -PS443 -PP -PA80 -PU40126-sp53-dl24; size 7968, 89.28%
  -PO1 -PS443 -PP -PA80 -PU40125-sp53; size 7968, 89.28%
=== 6 probes; found in 0:52:47.
* -PE -PS443 -PS80 -PP -PA3389 -PU161-payload2-sp53; size 8160, 91.43%
  -PE -PS443 -PS80 -PP -PU40126-sp53-dl24 -PA3389; size 8156, 91.38%
  -PE -PS443 -PS80 -PP -PU40125-sp53-dl24 -PA3389; size 8156, 91.38%
  -PE -PS443 -PS80 -PP -PA3389 -PU40125-sp53; size 8156, 91.38%
  -PE -PS443 -PP -PA80 -PU40125-sp53-dl24 -PU161-payload2-sp53; size 8153, 91.35%
  -PE -PS443 -PS80 -PP -PA3389 -PU40126-sp53; size 8150, 91.32%
  -PE -PS443 -PP -PA80 -PU40125-sp53 -PU161-payload2-sp53; size 8149, 91.31%
  -PE -PS443 -PS80 -PP -PA21 -PU161-payload2-sp53; size 8147, 91.28%
  -PE -PS443 -PP -PA80 -PU53-payload1-sp53 -PU161-payload2-sp53; size 8147, 91.28%
  -PE -PS443 -PP -PA80 -PU40126-sp53-dl24 -PU161-payload2-sp53; size 8146, 91.27%
=== 7 probes; found in 10:33:58.
* -PE -PS443 -PS80 -PP -PU40125-sp53-dl24 -PA3389 -PU161-payload2-sp53; size 8302, 93.02%
  -PE -PS443 -PS80 -PP -PA3389 -PU40125-sp53 -PU161-payload2-sp53; size 8299, 92.99%
  -PE -PS443 -PS80 -PP -PU40126-sp53-dl24 -PA3389 -PU161-payload2-sp53; size 8295, 92.94%   
  -PE -PS443 -PS80 -PP -PA3389 -PU40126-sp53 -PU161-payload2-sp53; size 8294, 92.93%
  -PE -PS443 -PS80 -PP -PU40125-sp53-dl24 -PA21 -PU161-payload2-sp53; size 8292, 92.91%
  -PE -PS443 -PS80 -PP -PA3389 -PU53-payload1-sp53 -PU161-payload2-sp53; size 8289, 92.87%  
  -PE -PS443 -PS80 -PP -PU40125-sp53-dl24 -PA110 -PU161-payload2-sp53; size 8288, 92.86%
  -PE -PS443 -PS80 -PP -PA21 -PU40125-sp53 -PU161-payload2-sp53; size 8288, 92.86%
  -PE -PS443 -PS80 -PP -PU40126-sp53-dl24 -PA21 -PU161-payload2-sp53; size 8285, 92.83%
  -PE -PS443 -PS80 -PP -PU40125-sp53-dl24 -PA40125 -PU161-payload2-sp53; size 8285, 92.83%  
=== 8 probes
When I killed the script, the best was
-PE -PS443 -PS80 -PS3389 -PP -PU40125-sp53-dl24 -PA21 -PU161-payload2-sp53 (8385).

No ACK filtering, no SCTP

Maximum possible using all 89 probes: 6699.
-PE                    4185 62.47%
-PO1                   4145 61.87%
-PS443                 2959 44.17%
-PA80                  2899 43.28%
-PA443                 2881 43.01%
-PS80                  2845 42.47%
-PA110                 2723 40.65%
-PA3389                2708 40.42%
-PS110                 2707 40.41%
-PA40125               2685 40.08%
-PA40126               2675 39.93%
-PA22                  2672 39.89%
-PO6                   2666 39.80%
-PS21                  2654 39.62%
-PA21                  2654 39.62%
-PS22                  2596 38.75%
-PA23                  2581 38.53%
-PS3389                2512 37.50%
-PP                    2456 36.66%
-PS40125               2419 36.11%
-PS40126               2409 35.96%
-PS23                  2344 34.99%
-PU40125-sp53-dl24     2088 31.17%
-PU40126-sp53-dl24     2064 30.81%
-PU31338-sp53-dl24     2007 29.96%
-PU631-sp53-dl24       1946 29.05%
-PU123-payload1-sp53   1943 29.00%
-PU40125-sp53          1936 28.90%
-PU40126-sp53          1932 28.84%
-PU40125-dl24          1919 28.65%
-PU40126-dl24          1912 28.54%
-PU123-payload1        1899 28.35%
-PU53-payload2-sp53    1878 28.03%
-PU53-payload2         1875 27.99%
-PU31338-sp53          1866 27.85%
-PU31338-dl24          1853 27.66%
-PU53-payload1-sp53    1820 27.17%
-PU631-dl24            1819 27.15%
-PU631-sp53            1803 26.91%
-PU53-payload1         1797 26.82%
-PU1434-payload1-sp53  1769 26.41%
-PU40125               1767 26.38%
-PU40126               1764 26.33%
-PU161-payload2-sp53   1753 26.17%
-PS25                  1748 26.09%
-PU500-payload1-sp53   1722 25.71%
-PA25                  1721 25.69%
-PU31338               1698 25.35%
-PO17                  1697 25.33%
-PA445                 1682 25.11%
-PU1434-payload1       1678 25.05%
-PU161-payload2        1667 24.88%
-PU500-payload1        1665 24.85%
-PU631                 1655 24.71%
-PA139                 1619 24.17%
-PU53-sp53-dl24        1618 24.15%
-PU53-sp53             1604 23.94%
-PU53-dl24             1581 23.60%
-PS445                 1542 23.02%
-PU123-sp53-dl24       1539 22.97%
-PU123-dl24            1518 22.66%
-PU53                  1487 22.20%
-PS139                 1473 21.99%
-PU161-payload1-sp53   1454 21.70%
-PU123-sp53            1398 20.87%
-PU161-payload1        1373 20.50%
-PU123                 1326 19.79%
-PU135-payload2-sp53   1252 18.69%
-PU135-payload1-sp53   1252 18.69%
-PU161-sp53            1227 18.32%
-PU161-sp53-dl24       1215 18.14%
-PU137-payload1-sp53   1214 18.12%
-PU135-payload2        1186 17.70%
-PU135-payload1        1183 17.66%
-PU138-sp53-dl24       1163 17.36%
-PU137-sp53-dl24       1148 17.14%
-PU137-payload1        1145 17.09%
-PU161-dl24            1141 17.03%
-PU161                 1138 16.99%
-PU138-dl24            1107 16.52%
-PU137-dl24            1081 16.14%
-PU138-sp53            1037 15.48%
-PU137-sp53            1021 15.24%
-PU138                 975 14.55%
-PU137                 968 14.45%
-PO2                   609 9.09%
-PO150                 605 9.03%
-PO4                   482 7.20%
-PM                    282 4.21%
=== 1 probe; found in 0:00:00.
* -PE; size 4185, 62.47%
  -PO1; size 4145, 61.87%
  -PS443; size 2959, 44.17%
  -PA80; size 2899, 43.28%
  -PA443; size 2881, 43.01%
  -PS80; size 2845, 42.47%
  -PA110; size 2723, 40.65%
  -PA3389; size 2708, 40.42%
  -PS110; size 2707, 40.41%
  -PA40125; size 2685, 40.08%
=== 2 probes; found in 0:00:00.
* -PE -PA80; size 5199, 77.61%
  -PO1 -PA80; size 5163, 77.07%
  -PE -PA443; size 5145, 76.80%
  -PO1 -PA443; size 5110, 76.28%
  -PE -PS443; size 5075, 75.76%
  -PE -PA21; size 5057, 75.49%
  -PE -PA22; size 5049, 75.37%
  -PO1 -PS443; size 5048, 75.35%
  -PE -PA3389; size 5046, 75.32%
  -PE -PA110; size 5046, 75.32%
=== 3 probes; found in 0:00:00.
* -PE -PS443 -PA80; size 5616, 83.83%
  -PO1 -PS443 -PA80; size 5588, 83.42%
  -PE -PA80 -PS21; size 5578, 83.27%
  -PE -PA80 -PS110; size 5555, 82.92%
  -PO1 -PA80 -PS21; size 5542, 82.73%
  -PE -PS443 -PA3389; size 5539, 82.68%
  -PE -PA80 -PS22; size 5534, 82.61%
  -PE -PA80 -PP; size 5527, 82.50%
  -PE -PS443 -PA110; size 5526, 82.49%
  -PO1 -PA80 -PS110; size 5525, 82.47%
=== 4 probes; found in 0:00:10.
* -PE -PS443 -PA80 -PP; size 5938, 88.64%
  -PO1 -PS443 -PA80 -PP; size 5921, 88.39%
  -PE -PA80 -PS21 -PP; size 5899, 88.06%
  -PE -PS443 -PA3389 -PP; size 5895, 88.00%
  -PE -PS443 -PA110 -PP; size 5882, 87.80%
  -PO1 -PS443 -PA3389 -PP; size 5879, 87.76%
  -PO1 -PA80 -PS21 -PP; size 5876, 87.71%
  -PE -PA80 -PS110 -PP; size 5875, 87.70%
  -PE -PS443 -PA21 -PP; size 5874, 87.68%
  -PE -PS443 -PA40125 -PP; size 5873, 87.67%
=== 5 probes; found in 0:02:51.
* -PE -PS443 -PA80 -PP -PU161-payload2-sp53; size 6106, 91.15%
  -PE -PS443 -PA80 -PP -PU40125-sp53-dl24; size 6105, 91.13%
  -PE -PS443 -PA80 -PP -PU40125-sp53; size 6104, 91.12%
  -PE -PS443 -PA80 -PP -PU53-payload2-sp53; size 6103, 91.10%
  -PE -PS443 -PA80 -PP -PU40126-sp53-dl24; size 6103, 91.10%
  -PE -PS443 -PA80 -PP -PU53-payload1-sp53; size 6100, 91.06%
  -PE -PS443 -PA80 -PP -PU40126-sp53; size 6099, 91.04%
  -PO1 -PS443 -PA80 -PP -PU40125-sp53-dl24; size 6089, 90.89%
  -PO1 -PS443 -PA80 -PP -PU40125-sp53; size 6087, 90.86%
  -PO1 -PS443 -PA80 -PP -PU40126-sp53-dl24; size 6085, 90.83%
=== 6 probes; found in 0:43:47.
* -PE -PS443 -PA80 -PP -PU40125-sp53-dl24 -PU161-payload2-sp53; size 6210, 92.70% 
  -PE -PS443 -PA80 -PP -PU40125-sp53 -PU161-payload2-sp53; size 6208, 92.67%
  -PE -PS443 -PA80 -PP -PU53-payload1-sp53 -PU161-payload2-sp53; size 6207, 92.66%
  -PE -PS443 -PA80 -PP -PU40126-sp53-dl24 -PU161-payload2-sp53; size 6206, 92.64% 
  -PE -PS443 -PA80 -PP -PU40126-sp53 -PU161-payload2-sp53; size 6204, 92.61%
  -PE -PS443 -PA80 -PP -PU53-payload2-sp53 -PU161-payload2-sp53; size 6203, 92.60%
  -PE -PS443 -PA80 -PP -PU40125-sp53-dl24 -PU161-payload2; size 6198, 92.52%
  -PE -PS443 -PA80 -PP -PU40125-sp53 -PU161-payload2; size 6196, 92.49%
  -PE -PS443 -PS80 -PA3389 -PP -PU161-payload2-sp53; size 6195, 92.48%
  -PE -PS443 -PA80 -PP -PU53-payload2-sp53 -PU161-payload2; size 6195, 92.48%
=== 7 probes
When I killed the script, the best was
-PE -PS443 -PS80 -PA3389 -PP -PU40125-sp53-dl24 -PU161-payload2-sp53 (6294).

Sanity check scan (May 29, 2009)

This was a check to see whether the diminished number of hosts in the May 25 scans was caused by the addition of the SCTP code or just normal network variation. It was done with nmap-payloads r13439.

The number of hosts found is close to that found by the no-SCTP scan done on May 25 (8925 then, 8976 now). So the SCTP code appears not to have had an effect on accuracy. Another possible explanation was that it was caused by the merge from trunk in r13383, but I think it is more likely that it was caused by the two-week interval between the May 10 and May 25 scans.

Maximum possible using all 89 probes: 8976.
-PE                    5565 62.00%
-PO1                   5487 61.13%
-PS443                 3834 42.71%
-PS80                  3726 41.51%
-PS110                 3509 39.09%
-PS21                  3461 38.56%
-PS22                  3403 37.91%
-PS3389                3304 36.81%
-PP                    3194 35.58%
-PS40125               3137 34.95%
-PS40126               3134 34.92%
-PS23                  3076 34.27%
-PA80                  2879 32.07%
-PA443                 2842 31.66%
-PA110                 2691 29.98%
-PA3389                2677 29.82%
-PU40126-sp53-dl24     2670 29.75%
-PU40125-sp53-dl24     2670 29.75%
-PA21                  2657 29.60%
-PA40126               2651 29.53%
-PO6                   2650 29.52%
-PA40125               2650 29.52%
-PA22                  2646 29.48%
-PU31338-sp53-dl24     2603 29.00%
-PA23                  2581 28.75%
-PU123-payload1-sp53   2529 28.18%
-PU40126-sp53          2522 28.10%
-PU40125-sp53          2518 28.05%
-PS25                  2516 28.03%
-PU53-payload2-sp53    2509 27.95%
-PU631-sp53-dl24       2507 27.93%
-PU53-payload2         2488 27.72%
-PU53-payload1-sp53    2473 27.55%
-PU40126-dl24          2465 27.46%
-PU31338-sp53          2460 27.41%
-PU40125-dl24          2449 27.28%
-PU123-payload1        2426 27.03%
-PU53-payload1         2425 27.02%
-PU31338-dl24          2400 26.74%
-PU631-sp53            2364 26.34%
-PU631-dl24            2329 25.95%
-PU1434-payload1-sp53  2293 25.55%
-PU40126               2279 25.39%
-PU40125               2279 25.39%
-PU500-payload1-sp53   2278 25.38%
-PU161-payload2-sp53   2265 25.23%
-PU53-dl24             2221 24.74%
-PU31338               2211 24.63%
-PU53-sp53-dl24        2207 24.59%
-PO17                  2206 24.58%
-PU500-payload1        2198 24.49%
-PU1434-payload1       2160 24.06%
-PU53-sp53             2146 23.91%
-PU161-payload2        2138 23.82%
-PU631                 2136 23.80%
-PS445                 2011 22.40%
-PU53                  1979 22.05%
-PS139                 1969 21.94%
-PU123-sp53-dl24       1959 21.82%
-PU123-dl24            1893 21.09%
-PU161-payload1-sp53   1853 20.64%
-PU123-sp53            1816 20.23%
-PU135-payload1-sp53   1722 19.18%
-PU135-payload2-sp53   1713 19.08%
-PU161-payload1        1712 19.07%
-PU123                 1708 19.03%
-PA445                 1691 18.84%
-PA25                  1690 18.83%
-PA139                 1651 18.39%
-PU137-payload1-sp53   1627 18.13%
-PU135-payload2        1623 18.08%
-PU135-payload1        1618 18.03%
-PU138-sp53-dl24       1552 17.29%
-PU161-sp53            1550 17.27%
-PU161-sp53-dl24       1547 17.23%
-PU137-payload1        1541 17.17%
-PU137-sp53-dl24       1515 16.88%
-PU137-dl24            1449 16.14%
-PU138-dl24            1437 16.01%
-PU161                 1426 15.89%
-PU161-dl24            1423 15.85%
-PU138-sp53            1423 15.85%
-PU137-sp53            1412 15.73%
-PU138                 1330 14.82%
-PU137                 1320 14.71%
-PO2                   823 9.17%
-PO150                 642 7.15%
-PO4                   536 5.97%
-PM                    338 3.77%
Page last modified on November 15, 2009, at 08:49 PM