1

I've read that the ZMap creators recommend sending three probes for each (ip, port) tuple when scanning. Let's say we scan port 443 with a TCP SYN scan. One reason I can imagine is packet loss. Do you know any other reasons for sending multiple probes instead of sending only one?

Hansi

1 Answer

2

The main reason is the one you've stated, which is that there's a risk of packet loss on any connection and as a result it's prudent to send more probes to reduce the risk of missing an open service.

With scanners like nmap it's possible to override the default configuration and reduce or increase the number of retries it will make. This can be handy to either reduce the time the scan will take (with a larger risk of missed services) or increase the service detection likelihood when scanning over flaky networks.

Rory McCune
  • You said "main reason". Are there other imaginable reasons like NAT-Hole-punching (although this works differently) or any packet filters that would drop the first packet? (Those are just arbitrary guesses.) – Hansi Dec 26 '16 at 09:48
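
The trade-off between probe count, missed services and packets sent, worked through as an added example (not part of the original thread and not any scanner's own code). It assumes every target port is open and that each packet is lost independently with the same probability in both directions; `miss_probability`, `simulate` and the loss rates are illustrative names and values.

```python
import random


def miss_probability(loss: float, probes: int) -> float:
    """Chance an open port is missed: every probe's round trip fails.

    A round trip succeeds only if the SYN and the returning SYN-ACK
    both survive (assumption: independent loss in each direction).
    """
    round_trip_ok = (1.0 - loss) ** 2
    return (1.0 - round_trip_ok) ** probes


def simulate(loss, probes, hosts, stop_on_reply=False, seed=1):
    """Monte Carlo check of the formula; returns (found, packets_sent).

    stop_on_reply=False models sending a fixed number of probes per target.
    stop_on_reply=True models retrying only while no answer has arrived.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    found = sent = 0
    for _ in range(hosts):
        answered = False
        for _ in range(probes):
            if answered and stop_on_reply:
                break
            sent += 1
            syn_arrives = rng.random() >= loss
            synack_arrives = rng.random() >= loss
            if syn_arrives and synack_arrives:
                answered = True
        found += answered
    return found, sent


if __name__ == "__main__":
    hosts = 20000  # constructed population of open ports
    for loss in (0.01, 0.05, 0.10):
        for probes in (1, 2, 3):
            found, sent = simulate(loss, probes, hosts)
            print(f"loss={loss:.2f} probes={probes} "
                  f"predicted_miss={miss_probability(loss, probes):.5f} "
                  f"simulated_miss={(hosts - found) / hosts:.5f} "
                  f"packets={sent}")
```
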