Performance options in Nmap control how aggressively the tool scans a target. They matter when dealing with large networks or time constraints, or when attempting to evade detection.
-T Timing Template
The -T option defines the timing template, which adjusts how aggressive or slow the scan will be. It’s a simple way to control scan speed. The values range from 0 (slowest) to 5 (fastest).
nmap -T4 192.168.1.10
Key points
- -T0: Extremely slow, used for stealth (great for IDS evasion).
- -T1: Slow scan, useful for avoiding detection.
- -T2: Polite scan, good for network-sensitive environments.
- -T3: Normal scan, default behavior.
- -T4: Aggressive scan, faster.
- -T5: Insane speed, may trigger alerts and be less accurate.
--min-rate and --max-rate
The --min-rate and --max-rate options allow you to set the minimum and maximum rate of packets sent during a scan. This helps control the scan’s speed without using the preset timing templates.
nmap --min-rate 1000 192.168.1.10 # Minimum packets per second
nmap --max-rate 5000 192.168.1.10 # Maximum packets per second
Key points
- --min-rate: Sets the minimum number of packets Nmap should send per second.
- --max-rate: Sets the maximum number of packets Nmap will send per second.
- These options help balance performance and resource usage.
--initial-rtt-timeout and --max-rtt-timeout
These options control how Nmap handles timeouts when receiving responses from hosts. --initial-rtt-timeout sets the timeout for the first probe, while --max-rtt-timeout limits the maximum allowed timeout.
nmap --initial-rtt-timeout 500ms --max-rtt-timeout 1000ms 192.168.1.10
Key points
- --initial-rtt-timeout: Sets the timeout for the first probe (initial round-trip time).
- --max-rtt-timeout: Limits the maximum round-trip time allowed.
- Use these when scanning remote hosts with varying network conditions to control scan timeouts.
--host-timeout
The --host-timeout option allows you to set a maximum amount of time Nmap will spend on scanning a single host. After this time, Nmap will stop scanning the host.
nmap --host-timeout 30m 192.168.1.10
Key points
- Sets the timeout for scanning an individual host.
- If a host exceeds this time, Nmap will skip it.
- Useful for large networks where some hosts may be slow to respond.
--max-retries
The --max-retries option specifies how many times Nmap should retry a probe if it doesn’t get a response. Reducing retries speeds up scans, but may decrease accuracy.
nmap --max-retries 2 192.168.1.10
Key points
- --max-retries: Limits the number of retries for each probe.
- Reducing retries increases scan speed but may result in missed responses.
--scan-delay and --min-rate
You can adjust the delay between probes using --scan-delay, which is useful when trying to avoid detection or to avoid overloading the target system.
nmap --scan-delay 1s 192.168.1.10
Key points
- --scan-delay: Introduces a delay between probes to reduce the chances of triggering an alert on the target.
- Reduces the scan rate but may improve stealth.
Performance Option Comparison
Option | What It Does | Best For |
---|---|---|
-T | Controls the scan speed (timing template) | Quick vs. stealthy scans |
--min-rate | Sets minimum packets per second | Managing scan speed, avoiding network overload |
--max-rate | Sets maximum packets per second | Controlling scan speed and resource usage |
--initial-rtt-timeout | Sets initial timeout for probes | Fine-tuning responses based on network conditions |
--max-rtt-timeout | Limits maximum round-trip time timeout | Managing slower responses from remote hosts |
--host-timeout | Sets the maximum time per host scan | Large networks with varying host response times |
--max-retries | Limits retries for probes | Speeding up scans, at the cost of accuracy |
--scan-delay | Adds delay between probes | Stealthy scans, evading detection |
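
These options interact: a long --scan-delay combined with --max-retries can push the time needed for one host past --host-timeout, so the host is skipped and the results are incomplete. The Python sketch below is an added example, not part of the original page or of Nmap itself. It parses Nmap-style time values and estimates whether a planned combination fits within the host timeout. The function names are hypothetical, and the model assumes a single-host scan and ignores round-trip time and host discovery.

```python
import re

# Nmap time arguments: a number with optional unit ms, s, m or h (seconds if omitted).
_UNITS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}
_TIME_RE = re.compile(r"(\d+(?:\.\d+)?)(ms|s|m|h)?")


def parse_time(spec: str) -> float:
    """Convert an Nmap time argument such as '500ms', '30m' or '1s' to seconds."""
    match = _TIME_RE.fullmatch(spec.strip().lower())
    if not match:
        raise ValueError(f"not an Nmap time value: {spec!r}")
    value, unit = match.groups()
    return float(value) * _UNITS[unit or "s"]


def per_host_bounds(ports, scan_delay="0", max_rate=None, max_retries=0):
    """Return (best, worst) lower bounds in seconds for probing one host.

    best  = every port answers its first probe
    worst = every port needs all retransmissions (for example, filtered ports)
    Both --scan-delay and --max-rate limit how fast probes can be sent, so the
    slower of the two pacing limits applies (simplified single-host model).
    """
    gap = parse_time(scan_delay)
    if max_rate:
        gap = max(gap, 1.0 / max_rate)
    best = ports * gap
    worst = ports * (1 + max_retries) * gap
    return best, worst


def check_host_timeout(ports, host_timeout, **pacing):
    """Classify whether --host-timeout can cut the scan of one host short."""
    limit = parse_time(host_timeout)
    best, worst = per_host_bounds(ports, **pacing)
    if best > limit:
        return "always-skipped"
    if worst > limit:
        return "skipped-if-filtered"
    return "ok"


if __name__ == "__main__":
    # Constructed scenario: 1000 ports with the example values used on this page.
    print(per_host_bounds(1000, scan_delay="1s", max_retries=2))
    print(check_host_timeout(1000, "30m", scan_delay="1s", max_retries=2))
```

With the page's example values (--scan-delay 1s, --max-retries 2, --host-timeout 30m) and 1000 ports, a heavily filtered host can need about 50 minutes, so it would be dropped before the scan finishes.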