After some investigation, I realized that the hit-rates ZMap sees vary depending on TCP options. Sending options exactly as the major OS's send offers a consistent, measurable improvement in hit-rate. Of these, Windows-style packets are the smallest by 8 bytes.
I ran 3 trials over 10% of the IPv4 space and found median hit rates on port 80:
TCP Options Style
Hit-rate
Size of Packet
Max. Packets-per-Second (millions)
No TCP options
1.305%.
46
1.488
Windows
1.331%
52
1.389
smallest-probes
1.328%
46
1.488
Linux-style.
1.330%.
60
1.276
Based on this, I think using a default of windows would offer the best accuracy with least impact on performance. smallest-probes is added in case a small penalty to accuracy is acceptable to chase the highest performance. The reason both smallest-probes (using MSS) and no options are the same size is that the minimum Ethernet payload is 46 bytes, so anything smaller is just padded.
Testing
Confirmed with tcpdump that the default behavior is using windows and smallest-probes is only sending MSS.
After some investigation, I realized that the hit-rates ZMap sees vary depending on TCP options. Sending options exactly as the major OS's send offers a consistent, measurable improvement in hit-rate. Of these, Windows-style packets are the smallest by 8 bytes.
I ran 3 trials over 10% of the IPv4 space and found median hit rates on port 80:
Based on this, I think using a default of
windowswould offer the best accuracy with least impact on performance.smallest-probesis added in case a small penalty to accuracy is acceptable to chase the highest performance. The reason bothsmallest-probes(using MSS) andno optionsare the same size is that the minimum Ethernet payload is 46 bytes, so anything smaller is just padded.Testing
Confirmed with
tcpdumpthat the default behavior is usingwindowsandsmallest-probesis only sending MSS.