Nmap Performance Optimization
Optimizing scan performance is critical for large networks or limited bandwidth environments. Nmap provides various flags to control speed, timeouts, packet rates, and retries.
Timeout Settings
Nmap uses RTT (Round-Trip-Time) to determine how long to wait for responses.
RTT Optimization
sudo nmap <target/24> -F
The above command is known as a default scan.
sudo nmap <target/24> -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
The above command is known as an optimized RTT scan.
| Option | Description |
|---|---|
| --initial-rtt-timeout | Sets initial RTT timeout (default: 100ms) |
| --max-rtt-timeout | Sets the max RTT wait time |
Overly short timeouts may cause missed hosts.
Retry Settings
Reducing retries speeds up scans but risks skipping unresponsive ports.
Example
sudo nmap <target/24> -F
The above command is known as a default scan.
sudo nmap <target/24> -F --max-retries 0
The above command is optimized to send no retries.
| Option | Description |
|---|---|
| --max-retries 0 | Sends no retry packets if a response is missed |
Packet Rate Control
Controls how many packets Nmap sends per second.
Minimum Packet Rate
sudo nmap <target/24> -F -oN tnet.default
The above command is known as a default scan.
sudo nmap <target/24> -F --min-rate 300 -oN tnet.minrate300
The above command is known as an “Increased Rate Scan”.
| Option | Description |
|---|---|
| --min-rate <num> | Sends at least <num> packets per second |
| -oN <file> | Outputs results in normal format to the file |
Best used in white-box tests where bandwidth is not restricted.
Timing Templates
Nmap’s timing templates (-T0 to -T5) offer quick ways to adjust scan speed.
| Template | Name | Aggressiveness | Use Case |
|---|---|---|---|
| -T0 | paranoid | 🐢 very slow | IDS evasion |
| -T1 | sneaky | 🐢 slow | stealthier scans |
| -T2 | polite | 🐢 moderate | avoids network congestion |
| -T3 | normal | ⚖️ default | balanced scan (default) |
| -T4 | aggressive | 🚀 fast | quick scans on stable networks |
| -T5 | insane | ⚡ very fast | very quick scans (less reliable) |
Template Example
sudo nmap <target/24> -F -oN tnet.default
The above command is known as a default scan.
sudo nmap <target/24> -F -T5 -oN tnet.T5
The above command is known as an “Insane Speed Scan”.
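To see what a faster setting cost in accuracy, compare the open ports recorded in the default scan's -oN file with those in the faster scan's file. The script below is an added example, not part of the original page: the function names are hypothetical and the two result files are constructed samples that reuse the tnet.default and tnet.T5 file names from above.

```shell
#!/bin/sh
# Compare two nmap normal-output (-oN) files and list open ports that the
# baseline scan found but the faster scan did not.

# open_ports FILE: print "host port/proto" for each open port in FILE.
open_ports() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print host, $1 }
    ' "$1" | LC_ALL=C sort -u
}

# missed_ports BASELINE FAST: open ports in BASELINE that are absent from FAST.
missed_ports() {
    mp_dir=$(mktemp -d) || return 1
    open_ports "$1" > "$mp_dir/base"
    open_ports "$2" > "$mp_dir/fast"
    LC_ALL=C comm -23 "$mp_dir/base" "$mp_dir/fast"
    rm -rf "$mp_dir"
}

# Constructed sample results (not real scan output) standing in for
# tnet.default and tnet.T5.
write_samples() {
    cat > "$1/tnet.default" <<'EOF'
Nmap scan report for 10.0.0.5
Host is up (0.011s latency).
Not shown: 97 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
443/tcp filtered https

Nmap scan report for db.lab.example (10.0.0.9)
Host is up (0.30s latency).
PORT     STATE SERVICE
3306/tcp open  mysql
EOF
    cat > "$1/tnet.T5" <<'EOF'
Nmap scan report for 10.0.0.5
Host is up (0.011s latency).
PORT   STATE SERVICE
22/tcp open  ssh
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
missed_ports "$demo_dir/tnet.default" "$demo_dir/tnet.T5"
rm -rf "$demo_dir"
```

Any line printed is a port the faster scan missed, which is a signal to relax the timeout, retry or rate setting before relying on its results.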