Scanning Performance

Introduction

Scanning performance plays a significant role when we need to scan an extensive network or are dealing with low network bandwidth.
We can use various options to tell Nmap
- How fast (-T <0-5>)
- With which frequency (--min-parallelism <Number>)
- Which timeouts (--max-rtt-timeout <Time> ) the test packets should have
- How many packets should be sent simultaneously (--min-rate <Number> )
- Number of retries (--max-retries <Number>) for the scanned ports the targets should be scanned.

Time-outs

When Nmap sends a packet, it takes some time (Round-Trip-Time - RTT) to receive a response from the scanned port. Generally, Nmap starts with a high timeout (--min-RTT-timeout) of 100ms.
The less the RTT, the faster the scan.
Example: sudo nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
However, we must take care that that setting the initial RTT timeout (--initial-rtt-timeout) to too short a time period may cause us to overlook hosts.

Max Retries

Another way to increase the scans' speed is to specify the retry rate of the sent packets (--max-retries).
The default value for the retry rate is 10, so if Nmap does not receive a response for a port, it will not send any more packets to the port and will be skipped.
Example: sudo nmap 10.129.2.0/24 -F --max-retries 0

Rate

If we know the network bandwidth, we can work with the rate of packets sent, which significantly speeds up our scans with Nmap.
When setting the minimum rate (--min-rate) for sending packets, we tell Nmap to simultaneously send the specified number of packets.
Example: sudo nmap 10.129.2.0/24 -F -oN tnet.minrate300 --min-rate 300

Timing

Nmap offers six different timing templates (-T <0-5>) for us to use.
The timing templates adjust the values discussed earlier alongside other values to provide us with a timing template (Details: https://nmap.org/book/performance-timing-templates.html)
These values (0-5) determine the aggressiveness of our scans.
The default timing template used when we have defined nothing else is the normal (-T 3).
Timing options:
- -T 0 / -T paranoid
- -T 1 / -T sneaky
- -T 2 / -T polite
- -T 3 / -T normal
- -T 4 / -T aggressive
- -T 5 / -T insane

PreviousNmap Scripting Engine NextFirewall and IDS/IPS Evasion

Last updated 3 months ago

Introduction

Scanning performance plays a significant role when we need to scan an extensive network or are dealing with low network bandwidth.

We can use various options to tell Nmap

How fast (-T <0-5>)
With which frequency (--min-parallelism <Number>)
Which timeouts (--max-rtt-timeout <Time> ) the test packets should have
How many packets should be sent simultaneously (--min-rate <Number> )
Number of retries (--max-retries <Number>) for the scanned ports the targets should be scanned.

Time-outs

When Nmap sends a packet, it takes some time (Round-Trip-Time - RTT) to receive a response from the scanned port. Generally, Nmap starts with a high timeout (--min-RTT-timeout) of 100ms.

The less the RTT, the faster the scan.

Example: sudo nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms

However, we must take care that that setting the initial RTT timeout (--initial-rtt-timeout) to too short a time period may cause us to overlook hosts.

Max Retries

Another way to increase the scans' speed is to specify the retry rate of the sent packets (--max-retries).

The default value for the retry rate is 10, so if Nmap does not receive a response for a port, it will not send any more packets to the port and will be skipped.

Example: sudo nmap 10.129.2.0/24 -F --max-retries 0

Rate

If we know the network bandwidth, we can work with the rate of packets sent, which significantly speeds up our scans with Nmap.

When setting the minimum rate (--min-rate) for sending packets, we tell Nmap to simultaneously send the specified number of packets.

Example: sudo nmap 10.129.2.0/24 -F -oN tnet.minrate300 --min-rate 300

Timing

Nmap offers six different timing templates (-T <0-5>) for us to use.

The timing templates adjust the values discussed earlier alongside other values to provide us with a timing template (Details: https://nmap.org/book/performance-timing-templates.html)

These values (0-5) determine the aggressiveness of our scans.

The default timing template used when we have defined nothing else is the normal (-T 3).

Timing options:

-T 0 / -T paranoid
-T 1 / -T sneaky
-T 2 / -T polite
-T 3 / -T normal
-T 4 / -T aggressive
-T 5 / -T insane