PerformanceNotesArchive2

• Performance notes: archive 1 from ca. r11204 to r11670. Scan delay (rate limiting) tests. Timing ping selection improvements.
• Performance notes: archive 2 from ca. r11670 to r15840. nmap-perf performance improvements. _FORTIFY_SOURCE. tryno equal. Timing ping frequency experiments.

Benchmark results of nmap r11670 vs. nmap-perf r11670 vs. nmap r11204

nmap -n -d2 -r --log-errors --max-retries 1 \
     -p 1-65535 scanme.nmap.org -oA perf-scanme
nmap -n -d2 -r --log-errors --max-retries 1 \
     -sP -PS21,23,80,3389 -PE -iL perf-down-hosts-2 -oA perf-down-ping
nmap -n -d2 -r --log-errors --max-retries 1 \
     -sP -PS21,23,80,3389 -PE -iL perf-up-hosts-2 -oA perf-up-ping
nmap -n -d2 -r --log-errors --max-retries 1 \
     -F -iL perf-random-hosts-2 -oA perf-random-F
nmap -n -d2 -r --log-errors --max-retries 1 \
     -F -iL perf-up-hosts-2 -oA perf-up-F

perf-random-hosts-2 is 704 random Internet IPs, culled of DHCP blocks. perf-down-hosts-2 is 200 addresses from that list, mostly down. perf-up-hosts-2 is 200 addresses from the random list, mostly up. (Except in the ucsd scans, where the lists have the same characteristics but the numbers are different.)

This table shows the times taken in the five benchmark scans, over three or four trials, on five different machines. Beneath each time is statistics for checking accuracy, in the following form:

I noticed only a few accuracy-related changes in the table. david/nmap-r11204/random-F found ≈25% fewer open ports for reasons I haven't investigated. (Maybe it went too fast? That was the only random-F scan where r11204 won.) david/nmap-perf-70/scanme missed 1 closed port, which is unusual but not unprecedented in nmap or nmap-perf. goomba had more total ports because it used /etc/services instead of nmap-services so -F didn't work.

This chart contains the timing information from the above table. The whiskers in each box show the maximum and minimum time for each machine/benchmark combination; the heavy vertical line is the median time. More to the left is better. The different nmaps appear in the following order and colors:

• Green for nmap-perf r11670
• Blue for nmap r11670
• Orange for nmap r11204 (from before nmap-perf)

Alternate views of the graph: log scale, dots, dots log scale.
The log scale makes it easier to compare the short times. I find the dots chart easier to read but you have to know what the colors mean.

Global congestion control

I found an example where global congestion control is seriously constraining: nmap -d2 scanme.nmap.org -d2 64.13.1-30.0 -PN -F -n --min-hostgroup 64 scanme gets a few responses right away and grows its congestion window to a healthy size. But the sending rate drops to less than 10 packets per second. Why?

**TIMING STATS** (35.0510s): IP, probes active/freshportsleft/
  retry_stack/outstanding/retranwait/onbench,
  cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (31/31 incomplete): 60/*/*/*/*/* 60.40/55/* 8880778/2178022/1675689
   64.13.134.52: 0/90/0/0/0/8 24.00/75/0 243796/71276/43130
   64.13.1.0: 1/81/0/2/1/17 10.00/75/0 8880778/-1/-1
   64.13.2.0: 1/82/0/1/0/17 10.00/75/0 8880778/-1/-1
   64.13.3.0: 4/81/0/4/0/15 10.00/75/0 8880778/-1/-1
   64.13.4.0: 2/82/0/3/1/15 10.00/75/0 8880778/-1/-1
   64.13.5.0: 1/85/0/1/0/14 10.00/75/0 8880778/-1/-1
   64.13.6.0: 3/81/0/3/0/16 10.00/75/0 8880778/-1/-1
   64.13.7.0: 2/81/0/3/1/16 10.00/75/0 8880778/-1/-1
   64.13.8.0: 1/84/0/1/0/15 10.00/75/0 8880778/-1/-1
   64.13.9.0: 4/78/0/5/0/18 10.00/75/0 8880778/-1/-1
   64.13.10.0: 0/80/0/2/1/18 2.00/2/0 772849/222769/137520
   64.13.11.0: 0/90/0/0/0/3 27.17/75/0 6865078/3061238/950960
   64.13.12.0: 3/89/0/3/0/8 10.00/75/0 8880778/-1/-1
   64.13.13.0: 2/84/0/3/0/4 34.84/75/0 7610620/2645884/1241184
   64.13.14.0: 4/85/0/4/0/11 10.00/75/0 8880778/-1/-1
   64.13.15.0: 3/86/0/3/0/11 10.00/75/0 8880778/-1/-1
   64.13.16.0: 2/87/0/2/0/11 10.00/75/0 8880778/-1/-1
   64.13.17.0: 3/89/0/3/0/8 10.00/75/0 8880778/-1/-1
   64.13.18.0: 1/89/0/1/0/10 10.00/75/0 8880778/-1/-1
   64.13.19.0: 1/87/0/1/0/12 10.00/75/0 8880778/-1/-1
   64.13.20.0: 4/89/0/4/0/7 10.00/75/0 8880778/-1/-1
   64.13.21.0: 2/87/0/3/1/10 10.00/75/0 8880778/-1/-1
   64.13.22.0: 1/86/0/1/0/13 10.00/75/0 8880778/-1/-1
   64.13.23.0: 2/89/0/2/0/9 10.00/75/0 8880778/-1/-1
   64.13.24.0: 1/89/0/1/0/10 10.00/75/0 8880778/-1/-1
   64.13.25.0: 2/88/0/2/0/10 10.00/75/0 8880778/-1/-1
   64.13.26.0: 3/87/0/4/1/9 10.00/75/0 8880778/-1/-1
   64.13.27.0: 2/88/0/3/0/10 10.00/75/0 8880778/-1/-1
   64.13.28.0: 1/89/0/1/0/10 10.00/75/0 8880778/-1/-1
   64.13.29.0: 3/87/0/4/1/9 10.00/75/0 8880778/-1/-1
   64.13.30.0: 1/90/0/1/0/9 10.00/75/0 8880778/-1/-1

All the other non-responsive hosts use up the global congestion window (60/60.40). Most of them have never gotten a response so their timeouts are the global timeout of almost 9 seconds. The global timeout is so high because of long RTTs on destination unreachable replies. (I repeated the experiment and the timeout settled to about 1.6 s, then once again and it was up near 10 s.) Because the congestion window is perpetually filled, we almost never get to send pings to scanme to expand it.

Timing pings

This is a picture of the effect of nmap-perf r11735, which sends a timing ping every 50 probes or 1.25 seconds, whichever comes first. First, using nmap trunk, here is a graph of the host (not global) congestion window and threshold for the scan

nmap -p 1-5000 -r -n -PN -d4 scanme.nmap.org

open 3 closed 3 filtered 4994
Overall sending rates: 112.77 packets / s, 4961.84 bytes / s.
Raw packets sent: 15084 (663.696KB) | Rcvd: 83 (3332B)

Here is the same scan with nmap-perf r11735, on the same x axis:

open 3 closed 3 filtered 4994
Overall sending rates: 117.93 packets / s, 5188.87 bytes / s.
Raw packets sent: 10155 (446.820KB) | Rcvd: 138 (5532B)

Notice that nmap-perf sent 1/3 fewer packets even though it sent 70% more pings (161 vs. 95). This is probably because the nmap scan had max_successful_tryno = 1 while the nmap-perf scan had it at 0.

The shapes of the two curves are quite different. Most significant is that in congestion avoidance mode, the nmap graph is curved while the nmap-perf graph is straight. Growth above the slow start threshold is supposed to be linear, so nmap-perf has it right. The curved shape is in fact a square root shape, and it is a sign that ping probes are hitting their maximum worth, which is not proportional to the sending rate. To see that one can look at the differential equations governing congestion avoidance:

So the curved shape is a result of the response rate scaled congestion control hitting its cap and becoming constant, no longer proportional to cwnd. Sending probes more often allows staying below this cap and staying proportional, without increasing the cap (which would only become a problem again at even higher scan rates). You can see some more square root graphs from long ago at the performance graphs page.

A repeat of the experiment:

open 3 closed 3 filtered 4994
Overall sending rates: 202.40 packets / s, 8905.50 bytes / s.
Raw packets sent: 10026 (441.144KB) | Rcvd: 30 (1212B)

Here is the same scan with nmap-perf r11735, on the same x axis:

open 3 closed 3 filtered 4994
Overall sending rates: 139.78 packets / s, 6150.36 bytes / s.
Raw packets sent: 10142 (446.248KB) | Rcvd: 135 (5412B)

The same shapes are visible, but this time nmap was faster. More tests are called for.

Benchmark of nmap r11737 vs. nmap-perf r11737

dots log scale.

These results are disappointing. Rate-related pings make the scan take longer in almost every case. My hypothesis for this is that nmap-perf is detecting when it's running too fast sooner than it used to. It doesn't get to coast for a little while at a rate higher than it should. nmap is just being a little more dangerous with its rate. I'll give up on this change.

Here's a graph of the time taken for nmap --pingtime X --max-retries 1 -p 1-5000 -r -n -PN -d2 scanme.nmap.org, for values of X between 100000 and 60000000 (0.1–60 s).

for n in 1 2 3 4 5 6 7 8 9 10 11 12; do
  echo >> pingtime.txt
  for a in 100000 250000 500000 1000000 1250000 1500000 2000000 \
           3000000 4000000 5000000 6000000 7000000 8000000 9000000 \
           10000000 20000000 30000000 40000000 50000000 60000000; do
    echo $n $a
    ./nmap --pingtime $a --max-retries 1 -p 1-5000 -r -n -PN -d2 scanme.nmap.org \
      > scanme-pingtime-$a-$n.nmap
    grep ^Nmap\  scanme-pingtime-$a-$n.nmap \
      | gawk "{print $a / 1000000. \" \" \$11}" >> pingtime.txt
  done
done

The above graph is a little misleading, because it shows the requested ping interval on the x axis, not the actual interval. Here is an graph adjusted for actual ping intervals, computed by dividing the scan duration by the number of "PING SENT" in the log. Note, for example, that the pings that were supposed to be sent every 0.1 s were sent about every 0.2 s.

Here are samples of the difference in time taken with various ping timing tweaks. The x axis is changed to go from 0.1 to 1.0; with probe-based pings all actual ping intervals were in that range (the --pingtime option has some effect but not much). The small black dots are from the adjusted graph above.

That last one (pings every 50 probes, loss recovery, magnifier = 3) looks pretty good. Most of the points are in the 40–50 second range, the same as nmap trunk with a 0.1 or 0.25 s requested pingtime. The outliers up higher are from high requested pingtimes (3–60 seconds). I don't know why the magnifier should have such a big effect. Two questions: Will that last combination outperform nmap trunk, and If so, what's the optimum ping magnifier?

Benchmark of nmap r11744 vs. nmap-perf r11744.

These results are hard to analyze. In most scans they seems to have had no effect, or a very small improvement. In a few cases nmap-perf looks to be slower: uscd/nmap-F, syn/down-ping. The scanme scans overall showed improvement; in ucsd/scanme, the time taken was roughly halved (104→51 seconds). The consistency of timing in this case is strong evidence that the improvement was not due to just chance.

As usual, green is nmap-perf and blue is nmap.

log scale

tryno equal tests

A test of Daniel Roethlisberger's patch from http://seclists.org/nmap-dev/2009/q1/0387.html that checks for exact tryno equality in responses. This is a repeat of the standard nmap-perf benchmark I've been doing; see above for the exact scans these represent.

With the patch Nmap misses a lot of open and closed ports. In the random-F tests the patch found 28% fewer open ports and 6% fewer closed. In the up-F tests the patch found 19% fewer open and 12% fewer closed.

Benchmark of _FORTIFY_SOURCE=2

An overdue benchmark of _FORTIFY_SOURCE=2. The nmap scans are with r11810 and the nmap-fortify are with r11811. Defining _FORTIFY_SOURCE doesn't look to have an effect on performance.