My favourite of his (Fyodor's, the guy behind nmap) conference appearances: https://www.youtube.com/watch?v=ZMG0e7byPvo
Scanning the Internet apparently can raise some eyebrows ;)
It's good to see how a project as mature as Nmap keeps development on. Someone must be doing a really good job leading the project. I wish it was like that for so many other classical CLI tools.
Still doesn't compile with default Lua due to broken headers within the include path. They probably just forgot it again, but it's still bad practice and a low standard for a very common tool like nmap.
I'd like some day to get into nmap's source code so as to learn more about networking and programming, but I haven't started since it is quite extensive. Any ideas to begin?
You'll learn more about networking from using Nmap than from looking at the source. Always use -v and maybe even -d, then investigate what the output is telling you. And read the book: https://nmap.org/book/
You don't have to wait for requests to complete, so slow or broken connections don't cause hangs. IIRC, zmap[1] takes this approach. This allows the "probe" stage to be executed essentially as quickly as you can send packets, while you lazy-load the results.
Nmap is already asynchronous; as you described, multiple requests are multiplexed (cf. select(2), epoll(7), kqueue/kevent depending on your platform...).
The core difference between nmap and zmap is that the latter is stateless, which allows a much higher throughput but also prevents applying some smart detection mechanisms. Thus, both tools are complementary, and no, there is no work being done to make nmap stateless.
Interestingly, I find nmap 7 almost twice as slow as 6 when performing the example scan from the documentation.
# time nmap -v scanme.nmap.org # 6.40
Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-21 00:01 AEDT
Initiating Ping Scan at 00:01
Scanning scanme.nmap.org (45.33.32.156) [4 ports]
Completed Ping Scan at 00:01, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:01
Completed Parallel DNS resolution of 1 host. at 00:01, 0.00s elapsed
Initiating SYN Stealth Scan at 00:01
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Completed SYN Stealth Scan at 00:01, 26.27s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.20s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
9929/tcp open nping-echo
31337/tcp open Elite
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.54 seconds
Raw packets sent: 1067 (46.924KB) | Rcvd: 1054 (42.164KB)
real 0m26.546s
user 0m0.061s
sys 0m0.046s
# time nmap -v scanme.nmap.org # 7.00
Starting Nmap 7.00 ( https://nmap.org ) at 2015-11-21 00:02 AEDT
Initiating Ping Scan at 00:02
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 00:02, 0.19s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:02
Completed Parallel DNS resolution of 1 host. at 00:02, 0.00s elapsed
Initiating Connect Scan at 00:02
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed Connect Scan at 00:03, 46.61s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
5815/tcp filtered unknown
9929/tcp open nping-echo
31337/tcp open Elite
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 46.85 seconds
real 0m46.858s
user 0m0.801s
sys 0m0.233s
Your second command is using a TCP Connect scan (-sT) instead of a SYN scan (-sS). Not sure why it would be doing this, but add -sS and see if the speed difference is better.
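The reply above diagnoses the slowdown by eye. As an added example (not code from any commenter or from the Nmap project), this Python parser reads the two -v outputs pasted above and reports why their timings are not comparable; RUN_640 and RUN_700 are excerpts of that paste, and the function and field names are my own.

```python
import re

# Excerpts of the two verbose runs pasted in the thread (only the lines the parser reads).
RUN_640 = """Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-21 00:01 AEDT
Completed Ping Scan at 00:01, 0.23s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 00:01
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Completed SYN Stealth Scan at 00:01, 26.27s elapsed (1000 total ports)
Nmap done: 1 IP address (1 host up) scanned in 26.54 seconds
"""
RUN_700 = """Starting Nmap 7.00 ( https://nmap.org ) at 2015-11-21 00:02 AEDT
Completed Ping Scan at 00:02, 0.19s elapsed (1 total hosts)
Initiating Connect Scan at 00:02
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed Connect Scan at 00:03, 46.61s elapsed (1000 total ports)
Nmap done: 1 IP address (1 host up) scanned in 46.85 seconds
"""

# Matches only the port-scan phase: the Ping Scan line ends in "total hosts" and is skipped.
PORT_SCAN_RE = re.compile(
    r"^Completed (?P<kind>.+?) Scan at \S+, (?P<secs>[\d.]+)s elapsed \((?P<ports>\d+) total ports\)", re.M)


def parse_run(text):
    """Pull version, port-scan phase type/duration and open ports out of one -v run."""
    version = re.search(r"^Starting Nmap (\S+)", text, re.M).group(1)
    phase = PORT_SCAN_RE.search(text)
    total = float(re.search(r"scanned in ([\d.]+) seconds", text).group(1))
    open_ports = sorted(int(p) for p in re.findall(r"^Discovered open port (\d+)/", text, re.M))
    return {"version": version, "scan_type": phase["kind"], "port_scan_seconds": float(phase["secs"]),
            "ports": int(phase["ports"]), "total_seconds": total, "open_ports": open_ports}


def compare_runs(old, new):
    """Check whether a 'new version is slower' claim holds: same scan type, port range and results."""
    notes = []
    if old["scan_type"] != new["scan_type"]:
        notes.append(f"scan type differs ({old['scan_type']} vs {new['scan_type']}): timings not comparable")
    for run in (old, new):
        if run["scan_type"] == "Connect":  # Nmap's fallback when it lacks raw-socket privileges for -sS
            notes.append(f"Nmap {run['version']} used a Connect scan (-sT); rerun with -sS and raw-socket privileges")
    if old["ports"] != new["ports"] or old["open_ports"] != new["open_ports"]:
        notes.append("port range or open-port set differs")
    return {"comparable": not notes, "slowdown": new["port_scan_seconds"] / old["port_scan_seconds"], "notes": notes}
```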
Should be general knowledge, but for all who don't know: http://www.sectools.org and http://seclists.org/ are valuable resources!
Funny Side Note: nmap is one of the most widely used "real hacker tools" in movies https://nmap.org/movies/