Timing Templates (-T)

While the fine-grained timing controls discussed in the previous section are powerful and effective, some people find them confusing. Moreover, choosing the appropriate values can sometimes take more time than the scan you are trying to optimize. So Nmap offers a simpler approach, with six timing templates. You can specify them with the -T option and their number (0–5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.

These templates allow the user to specify how aggressive they wish to be, while leaving Nmap to pick the exact timing values. The templates also make some minor speed adjustments for which fine-grained control options do not currently exist. For example, -T4 prohibits the dynamic scan delay from exceeding 10 ms for TCP ports and -T5 caps that value at 5 ms. Templates can be used in combination with fine-grained controls, and the granular options will override the general timing templates for those specific values. I recommend using -T4 when scanning reasonably modern and reliable networks. Keep that option (at the beginning of the command line) even when you add fine-grained controls so that you benefit from those extra minor optimizations that it enables.

Table 6.3 shows how the timing variables vary for each -T value. All time values are in milliseconds.

Table 6.3. Timing templates and their effects
min-rtt-timeout100 ms100 ms100 ms100 ms100 ms50 ms
max-rtt-timeout5 minutes15 seconds10 seconds10 seconds1250 ms300 ms
initial-rtt-timeout5 minutes15 seconds1 second1 second500 ms250 ms
Initial (and minimum) scan delay (--scan-delay)5 minutes15 seconds400 ms000
Maximum TCP scan delay5 minutes15,0001 second1 second10 ms5 ms
Maximum UDP scan delay5 minutes15 seconds1 second1 second1 second1 second
host-timeout0000015 minutes
script-timeout0000010 minutes
min-parallelismDynamic, not affected by timing templates
min-hostgroupDynamic, not affected by timing templates
max-hostgroupDynamic, not affected by timing templates
min-rateNo minimum rate limit
max-rateNo maximum rate limit
defeat-rst-ratelimitNot enabled by default

If you are on a decent broadband or ethernet connection, I would recommend always using -T4. Some people love -T5 though it is too aggressive for my taste. People sometimes specify -T2 because they think it is less likely to crash hosts or because they consider themselves to be polite in general. They often don't realize just how slow -T polite really is. They scan may take ten times longer than a default scan. Machine crashes and bandwidth problems are rare with the default timing options (-T3) and so I normally recommend that for cautious scanners. Omitting version detection is far more effective than playing with timing values for reducing these problems.

While -T0 and -T1 may be useful for avoiding IDS alerts, they will take an extraordinarily long time to scan thousands of machines or ports. For such a long scan, you may prefer to set the exact timing values you need rather than rely on the canned -T0 and -T1 values.