Skip to content

FAQ

Jump to bottom Edit New page
Phillip Stephens edited this page Jan 29, 2024 · 2 revisions

Q: Can multiple ZMap scans be run in parallel?

A: While ZMap does use a unique value per-host to determine what traffic is in response to a scan it initialized (and not background traffic/noise), it's not advised to run multiple scans on the same machine due to resource contention concerns.

Q: Will ZMap TCP SYN scans interfere with the OS's TCP stack?

A: ZMap's TCP SYN packets shouldn't interfere with the OS stack. We have our own internal network stack, but if there's a normal TCP connection, it'll just look like a spurious packet and both sides will ignore the other.

Q: Why is there such high CPU utilization with ZMap?

A: ZMap will start 1 thread for receiving packets, 1 for monitoring the overall state of the scan, and T for sending packets (default is min(4, number of cores on host), can be overridden with -T 8 or --sender-threads=8). By default, the threads are pinned to different cores to minimize CPU contention. The sending threads have by far the most work to do and will tend towards maxing out the core as they attempt to send packets as fast as the NIC will support. If you need to reduce the CPU load on your machine, lower the --sender-threads.

Add a custom footer
  1. Home
  2. Getting Started Guide
  3. Scanning Best Practices
  4. Installing ZMap
  5. Global Options
    1. Rate Limiting and Sampling
    2. Block and Allow Lists
    3. Results Output
    4. Verbosity and Metadata
    5. Sending Multiple Probes
  6. Probe Modules
    1. TCP SYN Probe Module
    2. ICMP Echo Probe Module
    3. UDP Probe Module
  7. Extending ZMap
    1. Sample Applications
    2. Writing Modules
  8. FAQ
Clone this wiki locally