9

Today the IT manager got angry because I used nmap on the 3 servers I manage to see what ports they had open. I know I could have used netstat inside the host's shell.

He told me that "If the network goes down because of nmap I would be punished". I would like to know, technically, how much network bandwidth / how many bytes an nmap 192.168.1.x would take, which outputs:

```
Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-11 13:33 ART
Nmap scan report for 192.168.x.53
Host is up (0.0043s latency).
Not shown: 983 closed ports
PORT      STATE SERVICE
1/tcp     open  tcpmux
22/tcp    open  ssh
79/tcp    open  finger
80/tcp    open  http
111/tcp   open  rpcbind
119/tcp   open  nntp
143/tcp   open  imap
1080/tcp  open  socks
1524/tcp  open  ingreslock
2000/tcp  open  cisco-sccp
6667/tcp  open  irc
12345/tcp open  netbus
31337/tcp open  Elite
32771/tcp open  sometimes-rpc5
32772/tcp open  sometimes-rpc7
32773/tcp open  sometimes-rpc9
32774/tcp open  sometimes-rpc11

Nmap done: 1 IP address (1 host up) scanned in 3.28 seconds
```
JorgeeFG

3 Answers

12

This is easy enough to measure, at least if you nmap a host your machine is not otherwise communicating with. Just use tcpdump or wireshark to capture the traffic, limited to that IP address. You could also use iptables counters, etc.

I did so (using wireshark). The machine I tested on has fewer open TCP ports (5), but the totals were 2009 packets, 118,474 bytes. That took 1.4 seconds, so 1435 pps or 677 kbps. Neither should take down a reasonably-configured network.

Doing additional targets could potentially overwhelm a stateful firewall's connection tracking, if the scan went through a firewall. And of course running nmap is likely to cause any intrusion detection system to alarm—potentially wasting someone's time investigating.

Finally, nmap (by default) doesn't check all ports and host-based IDSs may detect and respond to the scan—both mean you don't necessarily get accurate answers.

dhag
derobert
  • 1
    So it takes less network bandwidth than attaching a photo in a mail. Thanks – JorgeeFG May 11 '15 at 20:47
  • 4
    @Jorge, it's not _high bandwidth usage_ that causes networks to go down. Transferring one petabyte over one TCP connection for instance is not going to bring a network down. Some specific types of traffic can have some bad consequences. – Stéphane Chazelas May 11 '15 at 20:51
  • @StéphaneChazelas I've read your answer and it's a very good point and I will take it into account. Thanks! +1 – JorgeeFG May 11 '15 at 20:54
  • Isn't it 57.84 kilo bytes per second? – JorgeeFG May 11 '15 at 21:06
  • 1
    @Jorge No. It'd be 118474÷1.4÷1024≈83 KiB/s or 118474÷1.4÷1000≈85 kB/s (1024- vs. 1000- definition of kilobyte). But bandwidth is traditionally measured in *bits* per second, and with 1000-bits-per-kilobit, so ≈677 kbps. (All of those numbers have been rounded, which is why 677÷8 ≠ 85.) – derobert May 11 '15 at 21:10
  • 1
    Nmap itself can tell you how many bytes it sends for some scan types, when you use the `-v` flag: `Raw packets sent: 1175 (51.676KB) | Rcvd: 1169 (46.776KB)` – bonsaiviking May 12 '15 at 11:53
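
The measurement described in the answer above, together with the unit conversions from its comments, as an added example that is not part of the original answer or comments: it totals the frames to or from one host in a capture file such as `tcpdump -w` writes. The function names, the sample addresses and the embedded capture are constructed for illustration.

```python
import socket
import struct

def rates(packets: int, nbytes: int, secs: float) -> dict:
    """Convert totals to the units used in the answer and its comments."""
    per = (lambda x: x / secs) if secs > 0 else (lambda x: 0.0)
    return {"packets": packets, "bytes": nbytes, "seconds": secs, "pps": per(packets),
            "kbps": per(nbytes * 8 / 1000), "KiB/s": per(nbytes / 1024)}

def scan_traffic(pcap: bytes, host: str) -> dict:
    """Total the frames to or from `host` in a classic pcap file
    (Ethernet + IPv4, no VLAN tags), such as one written by tcpdump -w."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic Ethernet pcap capture")
    target = socket.inet_aton(host)
    packets = nbytes = 0
    first = last = 0.0
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, wirelen = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # EtherType 0x0800 = IPv4; source is frame[26:30], destination frame[30:34]
        if (len(frame) < 34 or frame[12:14] != b"\x08\x00"
                or target not in (frame[26:30], frame[30:34])):
            continue
        last = sec + usec / 1e6
        if packets == 0:
            first = last
        packets += 1
        nbytes += wirelen  # size on the wire, even if the capture truncated it
    return rates(packets, nbytes, last - first)

def constructed_capture() -> bytes:
    """Constructed sample: four 60-byte frames over 0.5 s; three involve
    192.168.1.53 (made-up address), one goes to another host."""
    def frame(src, dst):
        ip = b"\x45" + bytes(11) + socket.inet_aton(src) + socket.inet_aton(dst)
        return (bytes(12) + b"\x08\x00" + ip).ljust(60, b"\0")
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    me, srv, other = "192.168.1.10", "192.168.1.53", "192.168.1.99"
    for usec, src, dst in [(0, me, srv), (100000, srv, me),
                           (200000, me, other), (500000, me, srv)]:
        f = frame(src, dst)
        out += struct.pack("<IIII", 1431362000, usec, len(f), len(f)) + f
    return out

print(scan_traffic(constructed_capture(), "192.168.1.53"))
```

Calling `rates(2009, 118474, 1.4)` reproduces the figures quoted in the answer and comments. The parser reads the classic pcap format only, so a capture saved as pcapng has to be converted first.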
8

I've seen (broken) smart switches going down due to nmap activity, but that was when nmapping a subnet (so ARP traffic for a lot of different endpoints). That may be the kind of problem he's thinking of.

Now Intrusion Detection Systems do try and detect port scanning activity and may be configured to block the IP address of the host doing the scanning.

If there's a SNATing router in between you and the target host, and an IDS between that router and the target host, then the masquerading IP address of that router may end up being blocked as it would be the one appearing as the source of those scans. That could affect connectivity to all the networks beyond that IDS.

Other than that, nmapping a single host on the same subnet is not going to generate a lot of traffic or cause any disruption (other than on the sending and receiving host).

Stéphane Chazelas
1

Are you a network administrator? If you aren't, I think that your IT manager was not concerned by the overuse of bandwidth but rather with the fact that 1) you were tinkering with the network and 2) nmap scanning could crash applications:

> It should also be noted that Nmap has been known to crash certain poorly written applications, TCP/IP stacks, and even operating systems. Nmap should never be run against mission critical systems unless you are prepared to suffer downtime. We acknowledge here that Nmap may crash your systems or networks and we disclaim all liability for any damage or problems Nmap could cause. Because of the slight risk of crashes and because a few black hats like to use Nmap for reconnaissance prior to attacking systems, there are administrators who become upset and may complain when their system is scanned. Thus, it is often advisable to request permission before doing even a light scan of a network.

Note that should nmap crash an application, it's because the application is poorly written, not nmap's fault. Nmap is a well-recognized and useful tool that should be widely used by network admins when managing their own network.

dr_
  • The question clearly states that he is managing the target servers. Assuming that is true, then I would consider that sufficient justification to run nmap on the servers. You don't need to manage the entire network path between the nmap command and the server, you just need to be a legitimate user of that network. The purpose of the network is to transfer packets between the endpoints without interpreting the content of those packets. Should a network administrator choose to deviate from this and in the process render their network less stable, I say blame the administrator, not the users. – kasperd May 12 '15 at 10:43
  • I agree with you, but I also understand how an IT manager that's a "special person" and probably not very competent at his job would react. – dr_ May 12 '15 at 11:39
  • How to deal with a manager who has opinions about areas which he has no knowledge about is not a unix question though. But it may be suitable for http://workplace.stackexchange.com/ – kasperd May 12 '15 at 11:50