Is the threshold that this setting controls specific to each scan object (sub-scan)? Or does it apply to the scan as a whole?
Also, I am assuming that concurrent scans on the same engine would be throttled independently.
As an example...
A scan runs with 10 scan objects, and the delay set to 20 ms (500 packets/sec). Would the scanner pump out a maximum of 5,000 packets per second?
Before we talk about interpacket delay, let's break down the scan into two different types so we are on the same page.
Discovery scan: A discovery scan is used to determine live targets on your network and which ports and services they are running. No vulnerability scripts are run during a discovery scan. There are two main portions of the discovery scan.
Assessment scan: Assessment scans are used to determine if an IP is vulnerable or to check policies. Part of every assessment scan is a discovery scan.
When discussing interpacket delay, it's important to separate out the two different parts of the scan, as interpacket delay only affects the discovery portion.
Interpacket delay is applied and tracked on a per IP basis. So what does that mean? Let me give you some examples.
To make this easier to explain and hopefully understand let’s say I changed the interpacket delay in all of the below examples to 10 seconds, host discovery is using 5 UDP and 5 TCP ports and service discovery is using 20 UDP and 20 TCP ports.
Example 1: If a single IP was being scanned, a packet would be sent to the first port from the host discovery configuration. If that IP responded the scan would move to the service discovery portion of the scan. If the IP didn’t respond the scan engine would wait 10 seconds before sending a packet to the next port in the host discovery configuration.
Example 2: If 10 IPs are being scanned, 10 packets would be sent, one to each IP, to the first port in the host discovery configuration. If 1 of those IPs responded, that IP would move to the service discovery portion of the scan and the scan engine would wait 10 seconds before sending a new packet to the remaining IPs. That would continue until either all IPs were discovered live and moved to service discovery or the IPs were eliminated from the scan.
Example 3: The scan has moved past the host discovery portion of the scan and 2 live IPs have moved into service discovery. Each IP would have packets sent to it independent of each other as the interpacket delay is done on a per IP basis. If 1 of the IPs was responding in 1 second and the other IP was responding in 4 seconds the first IP would be done with the discovery portion of the scan much quicker.
Large discovery scans can have many sub-scans and batches. Interpacket delay doesn’t care about sub-scans and batches and is tracked on a per IP basis.
I’m hopeful this answers your questions and that I’ve been able to articulate this in a way that doesn’t give you a headache.
MVM Tier 3 Manager WW Support
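The host discovery behaviour in Examples 1 and 2 above, modelled as an added example; it is not part of the original reply and is not the product's code. The function names and sample IPs are hypothetical, and the model assumes every IP starts at t=0 and that a response, if any, is known before that IP's next timer fires.

```python
import heapq
from collections import Counter

# Constructed sample: index of the first host-discovery port that answers
# for each IP, or None if it never answers (192.0.2.0/24 is a doc range).
SAMPLE = {f"192.0.2.{n}": None for n in range(1, 11)}
SAMPLE["192.0.2.1"] = 0   # answers the first probe
SAMPLE["192.0.2.2"] = 3   # answers the fourth probe

def simulate_host_discovery(responds_on, n_ports, delay):
    """Model per-IP interpacket delay during host discovery.

    responds_on: {ip: port index that answers, or None}
    n_ports:     ports in the host discovery configuration
    delay:       interpacket delay in seconds, tracked separately per IP
    Returns (sent, outcome): sent maps send time -> packets leaving the
    engine at that time; outcome maps ip -> ("live" | "eliminated", time).
    """
    sent, outcome = Counter(), {}
    # One timer per IP: (time of next probe, ip, port index to probe).
    queue = [(0.0, ip, 0) for ip in responds_on]
    heapq.heapify(queue)
    while queue:
        t, ip, port = heapq.heappop(queue)
        sent[t] += 1
        if responds_on[ip] == port:
            outcome[ip] = ("live", t)        # moves on to service discovery
        elif port + 1 < n_ports:
            # No answer: only this IP waits `delay` before its next port.
            heapq.heappush(queue, (t + delay, ip, port + 1))
        else:
            outcome[ip] = ("eliminated", t)  # every port tried, no answer
    return dict(sent), outcome

def peak_rate(sent, delay):
    """Highest packets-per-second average over any one delay interval."""
    return max(sent.values()) / delay

if __name__ == "__main__":
    # 5 UDP + 5 TCP host discovery ports and a 10 second delay, as above.
    sent, outcome = simulate_host_discovery(SAMPLE, n_ports=10, delay=10)
    for t in sorted(sent):
        print(f"t={t:>4.0f}s  packets sent: {sent[t]}")
    print("peak packets/sec:", peak_rate(sent, 10))
```

In this model the engine's aggregate rate is set by how many IPs are still in host discovery, not by how many sub-scans or batches those IPs are grouped into.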
Sorry one more question...
The Best Practices Guide specifically states examples of 10, 15, 20 and 25 MILLISECONDS. Your response states full SECONDS.
Could you confirm which measurement is accurate?