Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 7 years ago.
I need to retrieve both TCP and UDP ports in the same scan with Nmap in the fastest way possible. I'll try to explain it better. If I use the most common command:
nmap 192.168.1.1
It retrieves ONLY TCP ports and it is really fast.
If I use the following command:
nmap -sU 192.168.1.1
It retrieves ONLY UDP ports and it is quite fast (well not so fast but still).
My question: is there a combination of the two commands? I tryed:
nmap -sU -sS 192.168.1.1
nmap -sU -sT 192.168.1.1
But they are TERRIBLY slow.
I am using Nmap 5.51, any suggestion?
As you've seen, UDP scanning is slow as open/filtered ports typically don't respond so nmap has to time out and then retransmit whilst closed ports will send a ICMP port unreachable error, which systems typically rate limit.
You can add the -T switch to increase the speed of the scan, though this may reduce accuracy and make it easier to detect.
-T<0-5>: Set timing template (higher is faster)
-PN will turn off the ping scan element
You could also scan more hosts in parallel,
or reduce the number of ports you're scanning with the -p switch or --top-ports , which will scan the highest-ratio ports found in the nmap-services file.
If you were scanning multiple hosts, you could use --host-timeout to skip slow hosts.
Regarding TCP, -sS should be quicker than -sT.
HTH!
You didn't say how slow your scans get, but I think you would benefit from playing with the --min-parallelism option, which adjusts the minimum number of outstanding probes.
I'm seeing 70% reductions in scan time (compared with bare -sT -sU scans) like this. Note that it is possible to set --min-parallelism too high, such that the host (or network) cannot buffer this many queries simultaneously.
[mpenning@Hotcoffee]$ sudo nmap --min-parallelism 100 -sT -sU localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-10 01:07 CDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1978 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
49/tcp open tacacs
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
631/tcp open ipp
2003/tcp open finger
2004/tcp open mailbox
3389/tcp open ms-term-serv
5901/tcp open vnc-1
5910/tcp open unknown
6001/tcp open X11:1
7002/tcp open afs3-prserver
53/udp open|filtered domain
69/udp open|filtered tftp
111/udp open|filtered rpcbind
123/udp open|filtered ntp
161/udp open|filtered snmp
631/udp open|filtered ipp
1812/udp open|filtered radius
1813/udp open|filtered radacct
Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
[mpenning@Hotcoffee]$
