Performance Characteristics

This page documents ProRT-IP's performance characteristics across all scan types, features, and deployment scenarios.

Overview

Key Performance Indicators (v0.5.0):

| Metric | Value | Competitive Position |
|---|---|---|
| Stateless Throughput | 10,200 pps (localhost) | Between Nmap (6,600 pps) and Masscan (300K+ pps) |
| Stateful Throughput | 6,600 pps (localhost) | Comparable to Nmap (~6,000 pps) |
| Rate Limiter Overhead | -1.8% (faster than unlimited) | Industry-leading (Nmap: +5-10%) |
| Service Detection | 85-90% accuracy | Nmap-compatible (87-92%) |
| Memory Footprint | <1MB stateless, <100MB/10K hosts | Efficient (Nmap: ~50MB/10K hosts) |
| TLS Parsing | 1.33μs per certificate | Fast (production-ready) |
| IPv6 Overhead | ~15% vs IPv4 | Acceptable (larger headers) |

Performance Philosophy:

ProRT-IP balances three competing goals:

  1. Speed: Masscan-inspired stateless architecture (10M+ pps capable)
  2. Depth: Nmap-compatible service/OS detection
  3. Safety: Built-in rate limiting, minimal system impact

Throughput Metrics

Stateless Scans (SYN/FIN/NULL/Xmas/ACK)

Localhost Performance (v0.5.0):

| Scenario | Ports | Mean Time | Throughput | Target |
|---|---|---|---|---|
| SYN Scan | 1,000 | 98ms | 10,200 pps | <100ms ✅ |
| FIN Scan | 1,000 | 115ms | 8,700 pps | <120ms ✅ |
| NULL Scan | 1,000 | 113ms | 8,850 pps | <120ms ✅ |
| Xmas Scan | 1,000 | 118ms | 8,470 pps | <120ms ✅ |
| ACK Scan | 1,000 | 105ms | 9,520 pps | <110ms ✅ |
| Small Scan | 100 | 6.9ms | 14,490 pps | <20ms ✅ |
| All Ports | 65,535 | 4.8s | 13,650 pps | <5s ✅ |

Network Performance Factors:

| Environment | Throughput | Limiting Factor |
|---|---|---|
| Localhost (127.0.0.1) | 10-15K pps | Kernel processing, socket buffers |
| LAN (1 Gbps) | 8-12K pps | Network latency (~1ms RTT), switches |
| LAN (10 Gbps) | 20-50K pps | CPU bottleneck (packet crafting) |
| WAN (Internet) | 1-5K pps | Bandwidth (100 Mbps), RTT (20-100ms) |
| VPN | 500-2K pps | Encryption overhead, MTU fragmentation |

Timing Template Impact:

| Template | Rate | Use Case | Overhead vs T3 |
|---|---|---|---|
| T0 (Paranoid) | 1-10 pps | IDS evasion, ultra-stealth | +50,000% |
| T1 (Sneaky) | 10-50 pps | Slow scanning | +2,000% |
| T2 (Polite) | 50-200 pps | Production, low impact | +500% |
| T3 (Normal) | 1-5K pps | Default, balanced | Baseline |
| T4 (Aggressive) | 5-10K pps | Fast LANs | -20% |
| T5 (Insane) | 10-50K pps | Maximum speed | -40% |

Stateful Scans (Connect, Idle)

Connect Scan Performance:

| Scenario | Ports | Mean Time | Throughput | Notes |
|---|---|---|---|---|
| Connect 3 ports | 3 | 45ms | 66 pps | Common ports (22,80,443) |
| Connect 1K ports | 1,000 | 150ms | 6,600 pps | Full handshake overhead |

Idle Scan Performance:

| Scenario | Zombie IP | Accuracy | Duration | Notes |
|---|---|---|---|---|
| Idle 1K ports | Local zombie | 99.5% | 1.8s | 16-probe zombie test + scan |
| Idle 100 ports | Remote zombie | 98.2% | 850ms | Network latency factor |

Why Connect is Slower (see the sketch below):

  • Full TCP 3-way handshake (SYN → SYN-ACK → ACK)
  • Application-layer interaction (banner grab, service probe)
  • Connection tracking overhead (kernel state)
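
The cost of the handshake is easy to see in a minimal connect probe. The sketch below is illustrative only (it is not ProRT-IP's implementation) and assumes the tokio runtime: the port cannot be classified until the three-way handshake completes, is refused, or times out.

use std::time::Duration;
use tokio::net::TcpStream;
use tokio::time::timeout;

/// Classify one port with a full TCP handshake (connect scan).
async fn connect_probe(addr: &str, port: u16) -> &'static str {
    match timeout(Duration::from_millis(3000), TcpStream::connect((addr, port))).await {
        Ok(Ok(_stream)) => "open",  // SYN -> SYN-ACK -> ACK completed
        Ok(Err(_)) => "closed",     // typically ECONNREFUSED (RST received)
        Err(_) => "filtered",       // timed out: dropped by a firewall or lost
    }
}

#[tokio::main]
async fn main() {
    println!("127.0.0.1:80 -> {}", connect_probe("127.0.0.1", 80).await);
}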

UDP Scans

UDP Performance (ICMP-limited):

| Scenario | Ports | Mean Time | Throughput | Notes |
|---|---|---|---|---|
| UDP 3 ports | 3 (DNS,SNMP,NTP) | 250ms | 12 pps | Wait for ICMP unreachable |
| UDP 100 ports | 100 | 8-12s | 10-12 pps | ICMP rate limiting (Linux: 200/s) |

UDP Challenges:

  1. ICMP Rate Limiting: Linux kernel limits ICMP unreachable to ~200/s
  2. No Response = Open or Filtered: Ambiguity requires retries
  3. 10-100x Slower: Compared to TCP SYN scans

Mitigation Strategies:

  • Focus on known UDP services (DNS:53, SNMP:161, NTP:123)
  • Use protocol-specific probes (DNS query, SNMP GET); see the sketch below
  • Accept longer scan times (UDP is inherently slow)
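
As an illustration of the protocol-specific probe idea, the standalone sketch below (hypothetical code, not part of ProRT-IP) sends a minimal DNS query so an open resolver answers positively instead of the scanner waiting on ICMP unreachable messages; the target address 192.0.2.1 is a placeholder.

use std::net::UdpSocket;
use std::time::Duration;

fn main() -> std::io::Result<()> {
    // Minimal DNS query for "example.com" A record (ID 0x1234, RD bit set).
    let query: &[u8] = &[
        0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // header
        0x07, b'e', b'x', b'a', b'm', b'p', b'l', b'e', 0x03, b'c', b'o', b'm', 0x00, // QNAME
        0x00, 0x01, 0x00, 0x01, // QTYPE=A, QCLASS=IN
    ];

    let socket = UdpSocket::bind("0.0.0.0:0")?;
    socket.set_read_timeout(Some(Duration::from_millis(2000)))?;
    socket.send_to(query, ("192.0.2.1", 53))?; // placeholder target (TEST-NET address)

    let mut buf = [0u8; 512];
    match socket.recv_from(&mut buf) {
        Ok((n, _)) => println!("open ({} bytes of DNS response)", n),
        // A timeout leaves the port ambiguous (open|filtered); an ICMP port
        // unreachable, where the platform surfaces it, would indicate closed.
        Err(_) => println!("open|filtered (no response within timeout)"),
    }
    Ok(())
}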

Latency Metrics

End-to-End Scan Latency

Single Port Scan (p50/p95/p99 percentiles):

| Operation | p50 | p95 | p99 | Notes |
|---|---|---|---|---|
| SYN Scan (1 port) | 3.2ms | 4.5ms | 6.1ms | Minimal overhead |
| Connect Scan (1 port) | 8.5ms | 12.3ms | 18.7ms | Handshake latency |
| Service Detection (1 port) | 45ms | 78ms | 120ms | Probe matching |
| OS Fingerprinting (1 host) | 180ms | 250ms | 350ms | 16-probe sequence |
| TLS Certificate (1 cert) | 1.33μs | 2.1μs | 3.8μs | X.509 parsing only |

Component-Level Latency

Packet Operations:

| Operation | Latency | Notes |
|---|---|---|
| Packet Crafting | <100μs | Zero-copy serialization |
| Checksum Calculation | <50μs | SIMD-optimized |
| Socket Send (sendmmsg) | <500μs | Batch 100-500 packets |
| Socket Receive (recvmmsg) | <1ms | Poll-based, batch recv |

Detection Operations:

| Operation | Latency | Notes |
|---|---|---|
| Regex Matching (banner) | <5ms | Compiled once, lazy_static |
| Service Probe Matching | <20ms | 187 probes, parallel |
| OS Signature Matching | <50ms | 2,600+ signatures |
| TLS Certificate Parsing | 1.33μs | Fast X.509 decode |

I/O Operations:

| Operation | Latency | Notes |
|---|---|---|
| File Write (JSON) | <10ms | Buffered async I/O |
| Database Insert (SQLite) | <5ms | Batched transactions (1K/tx) |
| PCAPNG Write | <2ms | Streaming, non-blocking |

Memory Usage

Baseline Memory (No Scan)

| Component | Heap | Stack | Total | Notes |
|---|---|---|---|---|
| Binary Size | - | - | 12.4 MB | Release build, stripped |
| Runtime Baseline | 2.1 MB | 8 KB | 2.1 MB | No scan, idle |

Scan Memory Footprint

Stateless Scans (SYN/FIN/NULL/Xmas/ACK):

| Targets | Ports | Memory | Per-Target Overhead | Notes |
|---|---|---|---|---|
| 1 host | 1,000 | <1 MB | - | Packet buffer pool |
| 100 hosts | 1,000 | 4.2 MB | 42 KB | Target state tracking |
| 10,000 hosts | 1,000 | 92 MB | 9.2 KB | Efficient batching |

Stateful Scans (Connect):

| Targets | Ports | Memory | Per-Connection Overhead | Notes |
|---|---|---|---|---|
| 1 host | 100 | 3.5 MB | 35 KB | Connection tracking |
| 100 hosts | 100 | 18 MB | 180 KB | Async connection pool |
| 10,000 hosts | 10 | 65 MB | 6.5 KB | Batch processing |

Service Detection Overhead:

| Component | Memory | Notes |
|---|---|---|
| Probe Database | 2.8 MB | 187 probes, compiled regexes |
| OS Signature DB | 4.5 MB | 2,600+ signatures |
| Per-Service State | ~50 KB | Banner buffer, probe history |

Plugin System Overhead:

| Component | Memory | Notes |
|---|---|---|
| Lua VM (base) | 1.2 MB | Per-plugin VM |
| Plugin Code | <500 KB | Typical plugin size |
| Plugin State | Varies | User-defined |

Event System Overhead:

| Component | Memory | Notes |
|---|---|---|
| Event Bus | <200 KB | Lock-free queue |
| Event Subscribers | <50 KB/subscriber | Handler registration |
| Event Logging | File-backed | Streaming to disk |

Memory Optimization

Buffer Pooling (sketched below):

  • Packet buffers: Pre-allocated pool of 1,500-byte buffers
  • Connection buffers: Reused across connections
  • Reduces allocation overhead: 30-40% faster
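
A simplified sketch of the pooling idea (illustrative only, not ProRT-IP's actual pool): buffers are pre-allocated once, handed out per packet, and returned for reuse, so steady-state scanning performs no per-packet heap allocations.

/// Toy fixed-size buffer pool: pre-allocates MTU-sized buffers once,
/// then hands them out and takes them back without further allocation.
struct BufferPool {
    size: usize,
    free: Vec<Vec<u8>>,
}

impl BufferPool {
    fn new(count: usize, size: usize) -> Self {
        Self { size, free: (0..count).map(|_| vec![0u8; size]).collect() }
    }

    /// Take a buffer from the pool (allocates only if the pool is exhausted).
    fn acquire(&mut self) -> Vec<u8> {
        let size = self.size;
        self.free.pop().unwrap_or_else(|| vec![0u8; size])
    }

    /// Return a buffer so the next packet can reuse it.
    fn release(&mut self, buf: Vec<u8>) {
        self.free.push(buf);
    }
}

fn main() {
    let mut pool = BufferPool::new(1024, 1500); // 1,024 pre-allocated 1,500-byte buffers
    let mut buf = pool.acquire();
    buf[..4].copy_from_slice(&[0x45, 0x00, 0x00, 0x28]); // craft packet in place
    pool.release(buf);
}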

Streaming Results (sketched below):

  • Write results to disk incrementally
  • Don't hold all results in memory
  • Enables internet-scale scans (1M+ targets)
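
A sketch of the streaming approach (illustrative; the ScanResult type and scan.jsonl path are hypothetical): each result is appended to disk as a JSON line the moment it is produced, so memory use stays flat regardless of target count.

use std::fs::OpenOptions;
use std::io::{BufWriter, Write};

// Hypothetical per-port result; a real result type carries more fields.
struct ScanResult {
    addr: String,
    port: u16,
    state: &'static str,
}

fn main() -> std::io::Result<()> {
    let file = OpenOptions::new().create(true).append(true).open("scan.jsonl")?;
    let mut out = BufWriter::new(file);

    // In a real scan these arrive from the receive loop, one at a time.
    let results = [
        ScanResult { addr: "192.168.1.10".into(), port: 22, state: "open" },
        ScanResult { addr: "192.168.1.10".into(), port: 80, state: "closed" },
    ];

    for r in &results {
        // One JSON object per line (JSONL); nothing accumulates in memory.
        writeln!(out, r#"{{"addr":"{}","port":{},"state":"{}"}}"#, r.addr, r.port, r.state)?;
    }
    out.flush()
}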

Batch Processing:

  • Process targets in batches (default: 64 hosts)
  • Release memory after batch completion
  • Trade-off: Slight slowdown for memory efficiency

Scaling Characteristics

Small-Scale (1-100 hosts)

Characteristics:

  • Scaling: Linear (O(n × p), n=hosts, p=ports)
  • Bottleneck: Network latency (RTT dominates)
  • Memory: <10 MB (negligible)
  • CPU: 10-20% single core (packet I/O bound)

Optimization Tips:

  • Use timing template T4 or T5
  • Disable rate limiting for local scans
  • Enable parallel host scanning (--max-hostgroup 64)

Medium-Scale (100-10K hosts)

Characteristics:

  • Scaling: Sub-linear (O(n × p / batch_size))
  • Bottleneck: File descriptors (ulimit), memory
  • Memory: 10-100 MB (target state)
  • CPU: 40-60% multi-core (async I/O overhead)

Optimization Tips:

  • Increase ulimit: ulimit -n 65535
  • Enable batch processing: --max-hostgroup 128
  • Use rate limiting: --max-rate 10000
  • Stream to database or file

Large-Scale (10K-1M hosts)

Characteristics:

  • Scaling: Batch-linear (O(n × p / batch_size + batch_overhead))
  • Bottleneck: Bandwidth, rate limiting, disk I/O
  • Memory: 100-500 MB (batch state, result buffering)
  • CPU: 80-100% multi-core (packet crafting, async workers)

Optimization Tips:

  • Mandatory rate limiting: --max-rate 50000 (internet)
  • Large host groups: --max-hostgroup 256
  • Streaming output: --output-file scan.json
  • NUMA optimization: --numa (multi-socket systems)
  • Reduce port count: Focus on critical ports

Internet-Scale Considerations:

| Factor | Impact | Mitigation |
|---|---|---|
| ISP Rate Limiting | Scan blocked | Lower --max-rate to 10-20K pps |
| IDS/IPS Detection | IP blacklisted | Use timing template T2, decoys, fragmentation |
| ICMP Unreachable | UDP scans fail | Retry logic, increase timeouts |
| Geo-Latency | Slowdown | Parallelize across regions |

Feature Overhead Analysis

Service Detection (-sV)

Overhead Breakdown:

| Component | Time | Overhead vs Baseline |
|---|---|---|
| Baseline SYN Scan | 98ms (1K ports) | - |
| + Connect Handshake | +35ms | +36% |
| + Banner Grab | +12ms | +12% |
| + Probe Matching | +18ms | +18% |
| Total (-sV) | 163ms | +66% |

Per-Service Cost:

  • HTTP: ~15ms (single probe)
  • SSH: ~18ms (banner + version probe)
  • MySQL: ~35ms (multi-probe sequence)
  • Unknown: ~50ms (all 187 probes tested)

Optimization:

  • Use --version-intensity 5 (default: 7) for faster scans
  • Focus on known ports (80, 443, 22, 3306, 5432)
  • Enable regex caching (done automatically)

OS Fingerprinting (-O)

Overhead Breakdown:

| Component | Time | Overhead vs Baseline |
|---|---|---|
| Baseline SYN Scan | 98ms (1K ports) | - |
| + 16 OS Probes | +120ms | +122% |
| + Signature Matching | +15ms | +15% |
| Total (-O) | 233ms | +138% |

Accuracy vs Speed:

  • Requires both open and closed ports (ideal: 1 open, 1 closed)
  • Accuracy: 75-85% (Nmap-compatible)
  • Use --osscan-limit to skip hosts without detectable OS

IPv6 Overhead (--ipv6 or :: notation)

Overhead Breakdown:

| Component | Overhead | Reason |
|---|---|---|
| Packet Size | +20 bytes per packet | IPv6 header (40B) vs IPv4 (20B) |
| Throughput | +15% | Larger packets, same rate |
| Memory | +10% | Larger addresses (128-bit vs 32-bit) |

ICMPv6 vs ICMP:

  • ICMPv6 more complex (NDP, router advertisements)
  • Overhead: +20-30% for UDP scans
  • Feature parity: 100% (Sprint 5.1 completion)

TLS Certificate Analysis (--tls-cert-analysis)

Overhead Breakdown:

| Component | Time | Overhead vs HTTPS Scan |
|---|---|---|
| HTTPS Connection | 45ms | Baseline (TLS handshake) |
| + Certificate Download | +8ms | Download cert chain |
| + X.509 Parsing | +0.00133ms | Negligible (1.33μs) |
| + Chain Validation | +3ms | Verify signatures |
| Total | 56ms | +24% |

Parsing Performance (see the timing sketch below):

  • 1.33μs per certificate (mean)
  • Handles chains up to 10 certificates
  • SNI support (virtual hosts)
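
A parse timing similar to the figure above can be reproduced with a short harness. The sketch below assumes the x509-parser crate and a DER-encoded certificate on disk; it is a measurement aid, not ProRT-IP's parsing code.

use std::time::Instant;
use x509_parser::parse_x509_certificate;

fn main() {
    // DER-encoded certificate, e.g. exported with:
    //   openssl s_client -connect example.com:443 </dev/null | openssl x509 -outform DER -out cert.der
    let der = std::fs::read("cert.der").expect("cert.der not found");

    let start = Instant::now();
    let (_rest, cert) = parse_x509_certificate(&der).expect("not a valid DER certificate");
    let elapsed = start.elapsed();

    println!("subject: {}", cert.subject());
    println!("parsed in {:?}", elapsed); // typically low single-digit microseconds
}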

Evasion Techniques

Packet Fragmentation (-f):

| Scenario | Overhead | Reason |
|---|---|---|
| SYN Scan | +18% | Extra packet crafting, 2x packets |

Decoy Scanning (-D):

| Decoys | Overhead | Traffic Multiplier |
|---|---|---|
| 1 decoy | +100% | 2x traffic (1 decoy + 1 real) |
| 3 decoys | +300% | 4x traffic (3 decoys + 1 real) |
| 10 decoys | +1000% | 11x traffic (10 decoys + 1 real) |

Source Port Evasion (-g):

| Technique | Overhead | Effectiveness |
|---|---|---|
| Fixed source port | <1% | Bypasses simple firewalls |
| Random source ports | 0% | Default behavior |

Event System (Sprint 5.5.3)

Overhead Breakdown:

| Scenario | Baseline | With Events | Overhead |
|---|---|---|---|
| SYN 1K ports | 98ms | 102ms | +4.1% |
| Connect 100 ports | 150ms | 154ms | +2.7% |

Event Types:

  • Scan start/stop
  • Host discovery
  • Port state change
  • Service detected
  • Error events

Performance Impact (see the dispatch sketch below):

  • Lock-free event bus: Minimal contention
  • Async event dispatch: Non-blocking
  • Event logging: Buffered I/O (10-20ms flush interval)
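
The sketch below illustrates non-blocking publish/subscribe dispatch. It uses tokio's broadcast channel purely for illustration (ProRT-IP's bus is described above as a lock-free queue), and the event variant names are hypothetical.

use tokio::sync::broadcast;

// Event variants mirroring the list above (names are illustrative).
#[derive(Clone, Debug)]
enum ScanEvent {
    ScanStarted,
    HostDiscovered(String),
    PortStateChanged { addr: String, port: u16, state: String },
    ScanFinished,
}

#[tokio::main]
async fn main() {
    // Bounded channel; the scanner never blocks on slow subscribers.
    let (tx, mut rx) = broadcast::channel::<ScanEvent>(1024);

    // Subscriber task, e.g. an event logger with buffered writes.
    let logger = tokio::spawn(async move {
        while let Ok(event) = rx.recv().await {
            println!("event: {:?}", event);
        }
    });

    // The scan loop publishes events as they occur; send() does not await.
    tx.send(ScanEvent::ScanStarted).unwrap();
    tx.send(ScanEvent::HostDiscovered("192.168.1.10".into())).unwrap();
    tx.send(ScanEvent::PortStateChanged {
        addr: "192.168.1.10".into(), port: 443, state: "open".into(),
    }).unwrap();
    tx.send(ScanEvent::ScanFinished).unwrap();

    drop(tx); // closing the channel ends the subscriber loop
    logger.await.unwrap();
}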

Rate Limiting (V3 Adaptive)

Overhead Breakdown (Sprint 5.X optimization):

| Scenario | No Rate Limit | With Rate Limit | Overhead |
|---|---|---|---|
| SYN 1K ports | 99.8ms | 98.0ms | -1.8% |
| Connect 100 | 151ms | 149ms | -1.3% |

Why Faster:

  • Convergence algorithm optimizes system-wide flow
  • Reduces kernel queue overflow
  • Better CPU cache utilization
  • Industry-leading result (Nmap: +5-10%, Masscan: N/A)

Burst Behavior (see the token-bucket sketch below):

  • Burst size: 100 packets (optimal)
  • Convergence: 95% in <500ms
  • Adaptive: ICMP error monitoring
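
The V3 limiter's convergence and ICMP-feedback logic is not reproduced here, but the basic mechanism that bounds send rate can be sketched as a token bucket with a 100-packet burst (illustrative code, not ProRT-IP's implementation):

use std::time::Instant;

/// Minimal token bucket: `rate` tokens refill per second, at most `burst`
/// tokens accumulate, and one token is spent per packet sent.
struct TokenBucket {
    rate: f64,
    burst: f64,
    tokens: f64,
    last: Instant,
}

impl TokenBucket {
    fn new(rate: f64, burst: f64) -> Self {
        Self { rate, burst, tokens: burst, last: Instant::now() }
    }

    /// Returns true if a packet may be sent now.
    fn try_acquire(&mut self) -> bool {
        let now = Instant::now();
        self.tokens = (self.tokens + now.duration_since(self.last).as_secs_f64() * self.rate)
            .min(self.burst);
        self.last = now;
        if self.tokens >= 1.0 {
            self.tokens -= 1.0;
            true
        } else {
            false
        }
    }
}

fn main() {
    // 10,000 pps with a 100-packet burst (values taken from the text above).
    let mut limiter = TokenBucket::new(10_000.0, 100.0);
    let mut sent = 0u64;
    let start = Instant::now();
    while start.elapsed().as_secs_f64() < 1.0 {
        if limiter.try_acquire() {
            sent += 1; // send_packet() would go here
        }
    }
    println!("sent {} packets in 1s (bounded by the rate limit)", sent);
}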

Optimization Guide

System Tuning

File Descriptor Limits:

# Check current limit
ulimit -n

# Increase to 65535 (temporary)
ulimit -n 65535

# Permanent (add to /etc/security/limits.conf)
* soft nofile 65535
* hard nofile 65535

Why: Each connection requires one file descriptor, and the default limit (1024) is insufficient for large scans.

Network Tuning (Linux):

# Increase socket buffer sizes
sysctl -w net.core.rmem_max=26214400
sysctl -w net.core.wmem_max=26214400

# Increase connection backlog
sysctl -w net.core.netdev_max_backlog=5000

# Reduce TIME_WAIT duration (careful!)
sysctl -w net.ipv4.tcp_fin_timeout=15

Why: Larger buffers accommodate high packet rates, and a shorter TIME_WAIT duration prevents ephemeral port exhaustion.

NUMA Optimization (Multi-Socket Systems):

# Check NUMA topology
numactl --hardware

# Run with NUMA optimization
prtip --numa -sS -p 1-65535 192.168.1.0/24

# Or manual binding (advanced)
numactl --cpunodebind=0 --membind=0 prtip -sS ...

Why: Avoids cross-NUMA memory access, which can carry a 30-50% latency penalty.

ProRT-IP Tuning

Timing Templates:

| Use Case | Template | Command |
|---|---|---|
| Localhost | T5 (Insane) | prtip -T5 -p 1-1000 127.0.0.1 |
| LAN | T4 (Aggressive) | prtip -T4 -p 1-1000 192.168.1.0/24 |
| Internet | T3 (Normal) | prtip -T3 -p 80,443 target.com |
| Stealth | T2 (Polite) | prtip -T2 -p 1-1000 target.com |
| IDS Evasion | T0 (Paranoid) | prtip -T0 -p 80,443 target.com |

Host Group Sizing:

# Default (64 concurrent hosts)
prtip -sS -p 1-1000 192.168.0.0/16

# Increase for speed (256 concurrent)
prtip --max-hostgroup 256 -sS -p 1-1000 192.168.0.0/16

# Decrease for memory (16 concurrent)
prtip --max-hostgroup 16 -sS -p 1-65535 192.168.0.0/16

Rate Limiting:

# Localhost: Disable (safe)
prtip -sS -p 1-1000 127.0.0.1

# LAN: 50K pps
prtip --max-rate 50000 -sS -p 1-1000 192.168.1.0/24

# Internet: 10K pps (safe)
prtip --max-rate 10000 -sS -p 80,443 target.com/24

# Stealth: 1K pps
prtip --max-rate 1000 -T2 -p 80,443 target.com/24

Performance Checklist

Before Large Scans:

  • Increase ulimit: ulimit -n 65535
  • Set appropriate timing template (T3 for internet, T4 for LAN)
  • Enable rate limiting: --max-rate 10000 (internet)
  • Stream results: --output-file scan.json
  • Test small subset first: -p 80,443 target.com (verify connectivity)
  • Monitor system resources: htop, iotop, iftop

During Scans:

  • Watch for ICMP errors (rate limiting)
  • Monitor packet loss: ifconfig (check RX/TX errors)
  • Check event log for errors: --event-log events.jsonl
  • Verify results incrementally (spot-check)

After Scans:

  • Analyze results for anomalies
  • Check scan duration vs estimate
  • Review error log for issues
  • Archive results: benchmarks/history/

Capacity Planning

How Many Hosts Can I Scan?

Memory-Based Capacity:

| Available RAM | Max Hosts | Ports | Scan Type | Notes |
|---|---|---|---|---|
| 1 GB | 10,000 | 100 | SYN | Minimal overhead |
| 4 GB | 50,000 | 1,000 | SYN | Typical desktop |
| 16 GB | 200,000 | 1,000 | SYN | Server-class |
| 64 GB | 1,000,000 | 100 | SYN | Internet-scale |

Network-Based Capacity:

| Bandwidth | Packet Size | Max PPS | Hosts/sec (1K ports) |
|---|---|---|---|
| 1 Mbps | 60 bytes | 2,083 pps | ~2 hosts/sec |
| 10 Mbps | 60 bytes | 20,833 pps | ~20 hosts/sec |
| 100 Mbps | 60 bytes | 208,333 pps | ~200 hosts/sec |
| 1 Gbps | 60 bytes | 2,083,333 pps | ~2,000 hosts/sec |

Formula:

Hosts/sec = (Bandwidth_bps / (Packet_Size_bytes × 8)) / Ports_per_host

How Long Will My Scan Take?

Estimation Formula:

Duration (sec) = (Hosts × Ports) / Throughput_pps

Example Calculations:

| Scenario | Hosts | Ports | Throughput | Duration |
|---|---|---|---|---|
| Home Network | 10 | 1,000 | 10,000 pps | 1 second |
| Small Office | 100 | 1,000 | 10,000 pps | 10 seconds |
| Data Center | 1,000 | 100 | 10,000 pps | 10 seconds |
| Internet /24 | 256 | 10 | 5,000 pps | <1 second |
| Internet /16 | 65,536 | 10 | 5,000 pps | 131 seconds (~2 min) |

Adjust for Features:

| Feature | Duration Multiplier |
|---|---|
| Service Detection (-sV) | 1.5-2x |
| OS Fingerprinting (-O) | 1.3-1.5x |
| Decoy Scanning (-D, 3 decoys) | 4x |
| Timing T0 (Paranoid) | 500x |
| Timing T2 (Polite) | 5x |
| Timing T4 (Aggressive) | 0.8x |
| Timing T5 (Insane) | 0.6x |
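
Combining the formula with a feature multiplier gives a quick estimate; the helper below is a hypothetical sketch, not part of the prtip CLI:

/// Estimate scan duration: (hosts × ports) / throughput, scaled by a feature multiplier.
fn estimate_seconds(hosts: u64, ports: u64, throughput_pps: f64, multiplier: f64) -> f64 {
    (hosts * ports) as f64 / throughput_pps * multiplier
}

fn main() {
    // A /16 of 65,536 hosts, 10 ports each, at 5,000 pps, with service detection (~1.5x).
    let secs = estimate_seconds(65_536, 10, 5_000.0, 1.5);
    println!("estimated duration: {:.0} seconds (~{:.1} minutes)", secs, secs / 60.0);
    // ≈ 197 seconds (~3.3 minutes)
}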

What Hardware Do I Need?

CPU Requirements:

| Scan Type | Min CPU | Recommended CPU | Notes |
|---|---|---|---|
| Stateless (SYN) | 1 core, 2 GHz | 4 cores, 3 GHz | Packet crafting CPU-bound |
| Stateful (Connect) | 2 cores, 2 GHz | 8 cores, 3 GHz | Async I/O parallelism |
| Service Detection | 2 cores, 2 GHz | 4 cores, 3 GHz | Regex matching CPU-bound |
| Internet-Scale | 8 cores, 3 GHz | 16 cores, 3.5 GHz | Multi-socket NUMA |

RAM Requirements:

| Scan Scale | Min RAM | Recommended RAM | Notes |
|---|---|---|---|
| Small (<100 hosts) | 512 MB | 1 GB | Minimal overhead |
| Medium (<10K hosts) | 1 GB | 4 GB | Comfortable buffer |
| Large (<100K hosts) | 4 GB | 16 GB | Batch processing |
| Internet-Scale (1M+) | 16 GB | 64 GB | Streaming required |

Network Requirements:

| Scan Type | Min Bandwidth | Recommended Bandwidth |
|---|---|---|
| Localhost | N/A | N/A |
| LAN (1 Gbps) | 10 Mbps | 100 Mbps |
| LAN (10 Gbps) | 100 Mbps | 1 Gbps |
| Internet | 10 Mbps | 100 Mbps |

Storage Requirements:

| Result Format | Storage per Host | Storage for 100K Hosts |
|---|---|---|
| Text | ~500 bytes | 50 MB |
| JSON | ~1 KB | 100 MB |
| XML (Nmap) | ~1.5 KB | 150 MB |
| PCAPNG | ~50 KB | 5 GB |
| SQLite | ~800 bytes | 80 MB |

Platform Differences

Linux (Primary Platform)

Advantages:

  • Native sendmmsg/recvmmsg support (fast batching)
  • AF_PACKET sockets (raw packet access)
  • NUMA support (numactl)
  • Best performance: 10-15K pps localhost

Limitations:

  • Requires root/CAP_NET_RAW for raw sockets
  • ICMP rate limiting (200 unreachable/s)

macOS

Advantages:

  • BPF (Berkeley Packet Filter) support
  • Good Nmap compatibility

Limitations:

  • No sendmmsg/recvmmsg (fallback to send/recv loops)
  • Slower: 6-8K pps localhost
  • ChmodBPF required for raw socket access

Windows

Advantages:

  • Npcap library support (WinPcap successor)

Limitations:

  • Slower raw socket access: 4-6K pps
  • FIN/NULL/Xmas scans unsupported (Windows TCP stack limitation)
  • Npcap installation required
  • UAC elevation for raw sockets

Platform Performance Comparison:

| Platform | SYN Scan (1K) | Connect (100) | Notes |
|---|---|---|---|
| Linux | 98ms | 150ms | Best performance |
| macOS | 145ms | 180ms | BPF overhead |
| Windows | 210ms | 220ms | Npcap overhead |

See Also