Low-Level Timing Controls

Nmap offers many fine-grained options for controlling scan speed. Most people use these options to speed Nmap up, but they can also be useful for slowing Nmap down. People do that to evade IDS systems, reduce network load, or even improve accuracy if network conditions are so bad that even Nmap's conservative default is too aggressive.

Table 6.2 lists each low-level timing control option by function. For detailed usage information on every option, read the section called “Timing and Performance”. It is assumed that the reader is already familiar with the Nmap scanning algorithms described in the section called “Scan Code and Algorithms”.

Table 6.2. Low-level timing controls by function
Hostgroup (batch of hosts scanned concurrently) size--min-hostgroup, --max-hostgroup
Number of probes launched in parallel--min-parallelism, --max-parallelism
Probe timeout values--min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout
Maximum number of probe retransmissions allowed--max-retries
Maximum time before giving up on a whole host--host-timeout
Control delay inserted between each probe against an individual host--scan-delay, --max-scan-delay
Rate of probe packets sent per second--min-rate, --max-rate
Defeat RST packet response rate by target hosts--defeat-rst-ratelimit