Script qscan

Script types: hostrule
Categories: safe, discovery

Script Summary

Repeatedly probe open and/or closed ports on a host to obtain a series of round-trip time values for each port. These values are used to group collections of ports which are statistically different from other groups. Ports being in different groups (or "families") may be due to network mechanisms such as port forwarding to machines behind a NAT.

In order to group these ports into different families, some statistical values must be computed. Among these values are the mean and standard deviation of the round-trip times for each port. Once all of the times have been recorded and these values have been computed, the Student's t-test is used to test the statistical significance of the differences between each port's data. Ports which have round-trip times that are statistically the same are grouped together in the same family.

This script is based on Doug Hoyte's Qscan documentation and patches for Nmap.

Script Arguments


Maximum number of closed ports to probe (default 1). A negative number disables the limit.


Maximum number of open ports to probe (default 8). A negative number disables the limit.


Confidence level: 0.75, 0.9, 0.95, 0.975, 0.99, 0.995, or 0.9995.


Number of round-trip times to try to get.


Average delay between packet sends. This is a number followed by ms for milliseconds or s for seconds. (m and h are also supported but are too long for timeouts.) The actual delay will randomly vary between 50% and 150% of the time specified. Default: 200ms.

Example Usage

nmap --script qscan --script-args qscan.confidence=0.95,qscan.delay=200ms,qscan.numtrips=10 target

Script Output

| qscan:
| 21    0       2082.70    460.72  0.0%
| 22    0       2211.70    886.69  0.0%
| 23    1       4631.90    606.67  0.0%
| 24    0       1922.40    336.90  0.0%
| 25    0       2017.30    404.31  0.0%
| 80    1       4180.80    856.98  0.0%
|_443   0       2013.30    368.91  0.0%



  • Kris Katterjohn

License: Same as Nmap--See