# Why is nmap localhost very very very slow?



## antolap (Oct 31, 2017)

Isn't it possible to speed up nmap as in Linux?


----------



## ShelLuser (Nov 1, 2017)

You're on a FreeBSD forum, please don't assume that we have (recent) Linux experiences. It's been 8 or so years since I last seriously worked with Linux, for example...

So: what delays? My suggestion would be to check nmap(1) to see what command line options you can use for less intrusive testing. Also ensure that it's not a DNS related delay (bad lookup).


----------



## antolap (Nov 1, 2017)

For example, if I do nmap localhost (without any firewall), in FreeBSD it takes for example 20 minutes, in Linux it takes a few seconds.


----------



## ShelLuser (Nov 1, 2017)

Most likely because of certain default settings. The manual page should be able to clear that up. Off the top of my head the default is to do a so-called 'deep scan', which means checking every available port. If your firewall simply blocks (as it should) then it'll rely on a timeout to determine if a port is really closed.

So my suggestion would be to reduce the timeout or use another means of scanning.


----------



## antolap (Nov 1, 2017)

I don't know.
I have NO firewall on FreeBSD,
and Linux is very, very fast even if I run nmap -p- localhost (to check all TCP ports).


----------



## Datapanic (Nov 1, 2017)

Use the *-v* option to answer your question: `nmap -v localhost`


----------



## tobik@ (Nov 1, 2017)

Out of curiosity: Why would you nmap localhost? Is there any benefit over using sockstat(1) to list open ports?


----------



## antolap (Nov 1, 2017)

With -v it's still slow.
nmap localhost is for testing, but it's slow every time I have to use it to nmap LAN hosts.
Every time, I have to ssh into a Linux PC, which is faster.


----------



## SirDice (Nov 1, 2017)

antolap said:


> with -v it's still slow


The -v doesn't change how it works, it just provides you with more information as to what it's doing. You may get to see messages that indicate some sort of throttling for example.


----------



## tobik@ (Nov 1, 2017)

Please check `dmesg`. You'll probably have messages like

```
Limiting closed port RST response from 220 to 200 packets/sec
```
This is because the FreeBSD kernel has rate limits for ICMP replies, TCP RSTs, etc. by default. The default is 200 packets/sec, but you can disable the limit completely by setting e.g. `sysctl net.inet.icmp.icmplim=0` (or maybe increase it instead).  It then becomes as fast as Linux.  Probably a good idea to set it back to 200 when you're done.

This all assumes that nmap is doing a TCP connect scan though.  If you run nmap as root it'll do a TCP SYN scan by default which is very slow even on Linux.


----------



## antolap (Nov 1, 2017)

No RST messages using `dmesg`.

Setting the value to 0 doesn't change nmap speed.


```
root@freebsd2g-11:/home # sysctl net.inet.icmp.icmplim=0
net.inet.icmp.icmplim: 200 -> 0

root@freebsd2g-11:/home # nmap localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-01 20:32 CET
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.50% done
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.50% done
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 5.20% done; ETC: 20:33 (0:00:55 remaining)
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 5.55% done; ETC: 20:33 (0:01:25 remaining)
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
```


----------



## tobik@ (Nov 1, 2017)

As I said, it doesn't make a difference when using a TCP SYN scan. nmap will default to using a TCP SYN scan if run as root. Are you running nmap on Linux as root as well? Does it use a TCP SYN scan (if you don't know, Datapanic's `nmap -v localhost` will reveal if it is)? Anyway, try using a connect scan: `nmap -sT localhost`

Also please post the output of `nmap -v localhost` or even `nmap -d localhost` from both Linux and FreeBSD so that we can compare them in case this doesn't solve your problem.


----------



## antolap (Nov 1, 2017)

Yes, I always run nmap as root, so it's a SYN scan.

On FreeBSD 11:

```
root@freebsd2g-11:/home # nmap -sS -v -p- localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-01 21:50 CET
Initiating SYN Stealth Scan at 21:50
Scanning localhost (127.0.0.1) [65535 ports]
Discovered open port 25/tcp on 127.0.0.1
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.05% done
Increasing send delay for 127.0.0.1 from 0 to 5 due to 11 out of 21 dropped probes since last increase.
Discovered open port 111/tcp on 127.0.0.1
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.08% done
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.09% done
Increasing send delay for 127.0.0.1 from 5 to 10 due to 25 out of 83 dropped probes since last increase.
Increasing send delay for 127.0.0.1 from 10 to 20 due to max_successful_tryno increase to 4
Increasing send delay for 127.0.0.1 from 20 to 40 due to max_successful_tryno increase to 5
Increasing send delay for 127.0.0.1 from 40 to 80 due to max_successful_tryno increase to 6
Increasing send delay for 127.0.0.1 from 80 to 160 due to max_successful_tryno increase to 7
Increasing send delay for 127.0.0.1 from 160 to 320 due to max_successful_tryno increase to 8
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.14% done
Increasing send delay for 127.0.0.1 from 320 to 640 due to max_successful_tryno increase to 9
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.14% done
Stats: 0:00:24 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.14% done
Stats: 0:00:26 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.15% done
Increasing send delay for 127.0.0.1 from 640 to 1000 due to 11 out of 15 dropped probes since last increase.
```


This is on Linux (CentOS 7):


```
uname -a
Linux localhost.localdomain 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


time nmap -sS -v -p- 192.168.2.8

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-01 21:53 CET
Initiating Parallel DNS resolution of 1 host. at 21:53
Completed Parallel DNS resolution of 1 host. at 21:53, 0.03s elapsed
Initiating SYN Stealth Scan at 21:53
Scanning 192.168.2.8 [65535 ports]
Discovered open port 111/tcp on 192.168.2.8
adjust_timeouts2: packet supposedly had rtt of 1829679219664545 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 1829679219664545 microseconds.  Ignoring time.
Discovered open port 22/tcp on 192.168.2.8
adjust_timeouts2: packet supposedly had rtt of 1829679219664328 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 1829679219664328 microseconds.  Ignoring time.
Discovered open port 21/tcp on 192.168.2.8
adjust_timeouts2: packet supposedly had rtt of 1829679223959190 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 1829679223959190 microseconds.  Ignoring time.
Discovered open port 5900/tcp on 192.168.2.8
adjust_timeouts2: packet supposedly had rtt of 1829679223959167 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 1829679223959167 microseconds.  Ignoring time.
Discovered open port 34581/tcp on 192.168.2.8
adjust_timeouts2: packet supposedly had rtt of 1829680722553218 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 1829680722553218 microseconds.  Ignoring time.
Discovered open port 20048/tcp on 192.168.2.8
adjust_timeouts2: packet supposedly had rtt of 1829681448234659 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 1829681448234659 microseconds.  Ignoring time.
Discovered open port 2049/tcp on 192.168.2.8
adjust_timeouts2: packet supposedly had rtt of 1829681456822274 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 1829681456822274 microseconds.  Ignoring time.
Discovered open port 514/tcp on 192.168.2.8
adjust_timeouts2: packet supposedly had rtt of 1829681942040666 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 1829681942040666 microseconds.  Ignoring time.
Discovered open port 5201/tcp on 192.168.2.8
adjust_timeouts2: packet supposedly had rtt of 1829682066565917 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 1829682066565917 microseconds.  Ignoring time.
Discovered open port 39111/tcp on 192.168.2.8
adjust_timeouts2: packet supposedly had rtt of 1829682680603172 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 1829682680603172 microseconds.  Ignoring time.
Completed SYN Stealth Scan at 21:53, 0.88s elapsed (65535 total ports)
Nmap scan report for 192.168.2.8
Host is up (0.0000040s latency).
Not shown: 65525 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
111/tcp   open  rpcbind
514/tcp   open  shell
2049/tcp  open  nfs
5201/tcp  open  targus-getdata1
5900/tcp  open  vnc
20048/tcp open  mountd
34581/tcp open  unknown
39111/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds
           Raw packets sent: 65535 (2.884MB) | Rcvd: 131080 (5.505MB)

real   0m1.018s
user   0m0.400s
sys   0m0.477s
```


----------
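One way to read the verbose output above for signs of throttling, as an added example that is not part of any post in the thread: it parses nmap's "Increasing send delay" lines and the kernel's RST rate-limit message, totals the dropped probes, and estimates a lower bound on scan time. The function name `diagnose` and the report keys are hypothetical, the sample lines are taken from the posts (the dmesg line is the one tobik@ quoted as a likely message, not one observed on the poster's machine), and the estimate assumes nmap waits at least the send delay, in milliseconds, between probes to one host.

```python
import re

# Constructed sample: a subset of lines from the FreeBSD `nmap -sS -v -p-`
# output in the thread, plus the dmesg message tobik@ quoted as an example.
NMAP_LOG = """\
Scanning localhost (127.0.0.1) [65535 ports]
Increasing send delay for 127.0.0.1 from 0 to 5 due to 11 out of 21 dropped probes since last increase.
Increasing send delay for 127.0.0.1 from 5 to 10 due to 25 out of 83 dropped probes since last increase.
Increasing send delay for 127.0.0.1 from 10 to 20 due to max_successful_tryno increase to 4
Increasing send delay for 127.0.0.1 from 640 to 1000 due to 11 out of 15 dropped probes since last increase.
"""
DMESG_LOG = "Limiting closed port RST response from 220 to 200 packets/sec\n"

PORTS_RE = re.compile(r"Scanning .* \[(\d+) ports\]")
DELAY_RE = re.compile(r"Increasing send delay for \S+ from \d+ to (\d+) due to (.+)")
DROP_RE = re.compile(r"(\d+) out of (\d+) dropped probes")
RST_RE = re.compile(r"Limiting closed port RST response from \d+ to (\d+) packets/sec")


def diagnose(nmap_text, dmesg_text=""):
    """Collect evidence that probe replies are being dropped or rate-limited."""
    r = {"ports": 0, "max_delay_ms": 0, "dropped": 0, "probes": 0,
         "rst_limit_pps": None}
    for line in nmap_text.splitlines():
        if m := PORTS_RE.search(line):
            r["ports"] = int(m.group(1))
        elif m := DELAY_RE.search(line):
            # Track the highest send delay reported anywhere in the log.
            r["max_delay_ms"] = max(r["max_delay_ms"], int(m.group(1)))
            if d := DROP_RE.search(m.group(2)):
                r["dropped"] += int(d.group(1))
                r["probes"] += int(d.group(2))
    if m := RST_RE.search(dmesg_text):
        r["rst_limit_pps"] = int(m.group(1))
    # Assumption: nmap waits at least the send delay between probes to one host,
    # so ports * delay is a lower bound on a full scan at that delay.
    r["min_scan_seconds"] = r["ports"] * r["max_delay_ms"] / 1000
    r["throttled"] = r["max_delay_ms"] > 0 or r["rst_limit_pps"] is not None
    return r


if __name__ == "__main__":
    for key, value in diagnose(NMAP_LOG, DMESG_LOG).items():
        print(f"{key}: {value}")
```
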

