FAQ long running
- Why is my scan taking forever?
- My scan has been stuck at 99.95% for hours. When will it finish?
Diagnosis
Press any key to see a status output. This will show what scan phase is running. Most of the time, a scan hung on 99% is waiting for some NSE script to finish. Press d to increase debug level to 1. Now press any key and the NSE status report will list the specific scripts that are running, if there are 5 or fewer.[1]
If the scan is not in an NSE phase but is still going interminably slowly, it's possible that Nmap has been forced to slow down due to dropped packets or rate-limited responses. Look for messages in debug output like "Increasing send delay for __ from _ to _ due to _ out of _ dropped probes since last increase."
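To see which targets are causing the slowdown, the messages can be tallied per host from saved debug output. This is an added example, not code from Nmap or from this FAQ; the function names are hypothetical and the sample log is constructed.

```python
import re

# Message format as quoted in the FAQ text above.
SEND_DELAY_RE = re.compile(
    r"Increasing send delay for (?P<host>\S+) from (?P<old>\d+) to (?P<new>\d+) "
    r"due to (?P<dropped>\d+) out of (?P<sent>\d+) dropped probes since last increase"
)

# Constructed sample of debug output (documentation-range addresses, made-up counts).
SAMPLE_LOG = """\
Stats: 0:12:40 elapsed; 0 hosts completed (2 up), 2 undergoing SYN Stealth Scan
Increasing send delay for 192.0.2.10 from 0 to 5 due to 11 out of 20 dropped probes since last increase.
Increasing send delay for 192.0.2.20 from 0 to 5 due to 12 out of 30 dropped probes since last increase.
Increasing send delay for 192.0.2.10 from 5 to 10 due to 11 out of 14 dropped probes since last increase.
Increasing send delay for 192.0.2.10 from 10 to 20 due to 13 out of 15 dropped probes since last increase.
"""


def summarize_send_delay(lines):
    """Aggregate send-delay increases per target (hypothetical helper)."""
    summary = {}
    for line in lines:
        m = SEND_DELAY_RE.search(line)
        if m is None:
            continue  # status lines and unrelated debug output
        entry = summary.setdefault(
            m["host"], {"increases": 0, "final_delay": 0, "dropped": 0, "probes": 0}
        )
        entry["increases"] += 1
        entry["final_delay"] = max(entry["final_delay"], int(m["new"]))
        entry["dropped"] += int(m["dropped"])
        entry["probes"] += int(m["sent"])
    return summary


def throttled_hosts(lines):
    """Targets ordered from most to least slowed down."""
    summary = summarize_send_delay(lines)
    return sorted(summary, key=lambda h: (-summary[h]["final_delay"], h))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    summary = summarize_send_delay(lines)
    for host in throttled_hosts(lines):
        s = summary[host]
        print(f"{host}: delay now {s['final_delay']}, {s['increases']} increases, "
              f"{s['dropped']}/{s['probes']} probes dropped")
```

Hosts at the top of the list are the ones dominating the scan time.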
Other times, a scan may continue to make progress through scan phases, but due to the large number of scan targets it just keeps running. Be aware of how many scan targets are implied by
Solutions
Unfortunately, there's not much that can be done with a running scan, beyond letting it run to completion. But there are steps you can take to avoid this issue in the future:
- Let the Nmap dev team know about misbehaving scripts. Scripts in the "default" or "version" categories must finish fairly quickly or be recategorized. Report specific problems via a bug report.
- Limit the run time of individual NSE scripts using the --script-timeout option. This is the best way to limit NSE run time, since it preserves port scan info.
- Avoid some specific rate-limiting situations with an accuracy tradeoff. For rate-limited RST replies from closed ports, use --defeat-rst-ratelimit (some closed ports will be reported as filtered). For speeding up UDP scans, try --defeat-icmp-ratelimit (many open ports may be marked closed|filtered)<ref>Requires .
- Follow general timing and performance guidance from the man page. The most useful options are usually --min-rate and --max-retries.
- Set host timeouts to avoid being slowed down by really slow targets with --host-timeout. Caution: hosts that time out will not show even partial results in output.
- Use the --stats-every option to print periodic status reports. This can help diagnose even if Nmap doesn't recognize your terminal (preventing the "press d" trick above).
Known problems
If you're curious why NSE is so bad at reporting how much time is left, check out Issue #701 in our bug tracker.
[1] List of running scripts in debug level 1 status report requires Nmap version 7.50 or newer. For all versions, pressing d twice to get to debug level 2 will show a full traceback of each running script thread with each status report.