Low-Level Timing Controls
Nmap offers many fine-grained options for controlling scan speed. Most people use these options to speed Nmap up, but they can also be useful for slowing Nmap down. People do that to evade IDS systems, reduce network load, or even improve accuracy if network conditions are so bad that even Nmap's conservative default is too aggressive.
Table 6.2 lists each low-level timing control option by function. For detailed usage information on every option, read the section called “Timing and Performance”. It is assumed that the reader is already familiar with the Nmap scanning algorithms described in the section called “Scan Code and Algorithms”.
Table 6.2. Low-level timing controls by function
| Function | Options |
|---|---|
| Hostgroup (batch of hosts scanned concurrently) size | --min-hostgroup, --max-hostgroup |
| Number of probes launched in parallel | --min-parallelism, --max-parallelism |
| Probe timeout values | --min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout |
| Maximum number of probe retransmissions allowed | --max-retries |
| Maximum time before giving up on a whole host | --host-timeout |
| Control delay inserted between each probe against an individual host | --scan-delay, --max-scan-delay |
| Rate of probe packets sent per second | --min-rate, --max-rate |
| Defeat RST packet response rate by target hosts | --defeat-rst-ratelimit |