Before we talk about interpacket delay, let's break down the scan into two different types so we are on the same page.
Discovery scan: A discovery scan is used to determine live targets on your network and which ports and services they are running. No vulnerability scripts are run during a discovery scan. There are two main portions of the discovery scan.
- Host Discovery: During this portion of the scan ICMP, UDP and TCP probes are used to determine if an IP is live on the network. Once a single response is received back indicating that an IP is live, no more packets are sent to that IP and the discovery scan moves to the Service Discovery portion.
- Service Discovery: Now that the IP has been found on the network a more comprehensive TCP and UDP port list is used and service fingerprinting takes place to determine which ports are open and what services are running on those ports.
Assessment scan: Assessment scans are used to determine if an IP is vulnerable or to check policies. Part of every assessment scan is a discovery scan.
When discussing interpacket delay it's important to separate out the two different parts of the scan as interpacket delay only affects the discovery portion.
Interpacket delay is applied and tracked on a per IP basis. So what does that mean? Let me give you some examples.
To make this easier to explain and hopefully understand let’s say I changed the interpacket delay in all of the below examples to 10 seconds, host discovery is using 5 UDP and 5 TCP ports and service discovery is using 20 UDP and 20 TCP ports.
Example 1: If a single IP was being scanned, a packet would be sent to the first port from the host discovery configuration. If that IP responded the scan would move to the service discovery portion of the scan. If the IP didn’t respond the scan engine would wait 10 seconds before sending a packet to the next port in the host discovery configuration.
Example 2: If 10 IPs are being scanned, 10 packets would be sent, one to each IP, to the first port in the host discovery configuration. If 1 of those IPs responded, that IP would move to the service discovery portion of the scan and the scan engine would wait 10 seconds before sending a new packet to the remaining IPs. That would continue until either all IPs were discovered live and moved to service discovery or the IPs were eliminated from the scan.
Example 3: The scan has moved past the host discovery portion of the scan and 2 live IPs have moved into service discovery. Each IP would have packets sent to it independent of each other as the interpacket delay is done on a per IP basis. If 1 of the IPs was responding in 1 second and the other IP was responding in 4 seconds, the first IP would be done with the discovery portion of the scan much quicker.
Large discovery scans can have many sub-scans and batches. Interpacket delay doesn’t care about sub-scans and batches and is tracked on a per IP basis.
I’m hopeful this answers your questions and that I’ve been able to articulate this in a way that doesn’t give you a headache.
MVM Tier 3 Manager WW Support
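
The per-IP timing described in the post above, worked through as an added example (not part of the original post and not the product's code). It is a simplified model using the post's numbers (10-second delay, 10 host discovery probes, 40 service discovery probes); the `Host` fields, the sample addresses and the assumption that every service discovery probe is answered after the host's response time are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Values taken from the post's examples.
DELAY = 10.0      # interpacket delay in seconds
HD_PROBES = 10    # host discovery: 5 UDP + 5 TCP ports
SD_PROBES = 40    # service discovery: 20 UDP + 20 TCP ports

@dataclass
class Host:
    ip: str
    rtt: Optional[float]   # seconds to answer a probe; None = never answers
    first_answer: int = 0  # index of the first host-discovery probe it answers

def discovery_time(h, delay=DELAY, hd=HD_PROBES, sd=SD_PROBES):
    """Return (live, seconds) for one IP under the simplified model."""
    clock, live = 0.0, False
    for probe in range(hd):
        if h.rtt is not None and h.rtt <= delay and probe >= h.first_answer:
            clock += h.rtt   # first response: stop probing, IP is live
            live = True
            break
        clock += delay       # no response: wait the full delay, try next port
    if not live:
        return False, clock  # eliminated from the scan
    # Assumption: every service-discovery probe is answered after rtt.
    clock += sd * min(h.rtt, delay)
    return True, clock

def scan(hosts):
    """Per-IP tracking: each IP has its own clock, so the scan's
    duration is the slowest IP, not the sum over all IPs."""
    per_ip = {h.ip: discovery_time(h) for h in hosts}
    return per_ip, max(t for _, t in per_ip.values())

# Constructed sample hosts (documentation address range).
SAMPLE = [
    Host("192.0.2.1", rtt=1.0),
    Host("192.0.2.2", rtt=4.0),
    Host("192.0.2.3", rtt=1.0, first_answer=3),
    Host("192.0.2.4", rtt=None),
]

if __name__ == "__main__":
    per_ip, total = scan(SAMPLE)
    for ip, (live, secs) in per_ip.items():
        print(f"{ip}: live={live} discovery={secs:.0f}s")
    print(f"wall clock: {total:.0f}s")
```

In this model the unresponsive address costs the full 10 probes times 10 seconds before it is dropped, while the two hosts from Example 3 finish at different times without holding each other up.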