Nmap Hackers: Re: Timeout

Re: Timeout

From: Fyodor <fyodor_at_dhp.com>
Date: Sun, 19 Sep 1999 22:34:42 -0400 (EDT)

On Sat, 18 Sep 1999, Lance Spitzner wrote:

> why this happens. However, it would be great to have
> a "-t" option where you can set in seconds a time limit
> per IP. Any suggestion or recommendations on how to
> approach this?

Oh, all right :). Due to popular demand, I have added sophisticated timing
control to Nmap. This allows you to set more aggressive timeouts (on a
per-machine or per-probe basis) for greater speed. Or you can specify a
"polite" scan to reduce network load and lower the probability of crashing
systems. You can even demand that Nmap go VERY slow so you can do a
several-day scan and stay below the radar of intrusion detection
systems. You can choose one of 6 "canned" timing modes, or you can use
new command-line options to roll your own behavior.

That is the summary. Here is the new man page section which gives more
complete details:

       TIMING OPTIONS
              Generally Nmap does a good job at adjusting for
              network characteristics at runtime and scanning as
              fast as possible while minimizing the chances of
              hosts/ports going undetected. However, there are
              some cases where Nmap's default timing policy may
              not meet your objectives. The following options
              provide a fine level of control over the scan tim-
              ing:

       -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
              These are canned timing policies for conveniently
              expressing your priorities to Nmap. Paranoid mode
              scans very slowly in the hopes of avoiding detec-
              tion by IDS systems. It serializes all scans (no
              parallel scanning) and generally waits at least 5
              minutes between sending packets. Sneaky is simi-
              lar, except it only waits 15 seconds between send-
              ing packets. Polite is meant to ease load on the
              network and reduce the chances of crashing
              machines. It serializes the probes and waits at
              least 0.4 seconds between them. Normal is the
              default Nmap behaviour, which tries to run as
              quickly as possible without overloading the network
              or missing hosts/ports. Aggressive mode adds a 5
              minute timeout per host and it never waits more
              than 1.25 seconds for probe responses. Insane is
              only suitable for very fast networks or where you
              don't mind losing some information. It times out
              hosts in 75 seconds and only waits 0.3 seconds for
              individual probes. It does allow for very quick
              network sweeps though :). You can also reference
              these by number (0-5). For example, '-T 0' gives
              you Paranoid mode and '-T 5' is Insane mode.

              These canned timing modes should NOT be used in
              combination with the lower level controls given
              below.

       --host_timeout <milliseconds>
              Specifies the amount of time Nmap is allowed to
              spend scanning a single host before giving up on
              that IP. The default timing mode has no host time-
              out.

       --max_rtt_timeout <milliseconds>
              Specifies the maximum amount of time Nmap is
              allowed to wait for a probe response before
              retransmitting or timing out that particular probe.
              The default mode sets this to about 9000.

       --initial_rtt_timeout <milliseconds>
              Specifies the initial probe timeout. This is gen-
              erally only useful when scanning firewalled hosts
              with -P0. Normally Nmap can obtain good RTT esti-
              mates from the ping and the first few probes. The
              default mode uses 6000.

       --max_parallelism <number>
              Specifies the maximum number of scans Nmap is
              allowed to perform in parallel. Setting this to
              one means Nmap will never try to scan more than 1
              port at a time. It also affects other parallel
              scans such as ping sweep, RPC scan, etc.

       --scan_delay <milliseconds>
              Specifies the minimum amount of time Nmap must wait
              between probes. This is mostly useful to reduce
              network load or to slow the scan way down to sneak
              under IDS thresholds.

Adding all this new timing functionality required changes in many parts of
Nmap. Please try it out and tell me if I broke anything :). Also I would
be happy to hear suggestions for improving the timing interface or
problems with the way it works now.

I'll send release notes for the new beta in a few minutes.

Cheers,
Fyodor

--
Fyodor                            'finger pgp_at_pgp.insecure.org | pgp -fka'
Frustrated by firewalls?          Try nmap: http://www.insecure.org/nmap/
"Be thankful you are not my student.  You would not get a high grade for
 such a design :-) ... Writing a new OS only for the 386 in 1991 gets you
 your second 'F' for this term" 
 -- Minix author/professor Andrew Tanenbaum to Linus Torvalds (Jan '92)
Received on Sep 19 1999
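The following is an added illustration, not code from Nmap or from the message above. It is a small discrete-event model of the timing knobs the man page section describes: a canned -T policy or a hand-rolled one built from --host_timeout, --max_rtt_timeout, --initial_rtt_timeout, --max_parallelism and --scan_delay is run against two constructed hosts, one that answers most probes and one that silently drops everything (the -P0-against-a-firewall case the --initial_rtt_timeout paragraph mentions). The per-mode numbers come from the man page text; the parallelism of 8 for the non-serialized modes, the single retransmit per probe, the 4 x smoothed-RTT rule and the 1000 ms floor on the learned timeout are this model's own assumptions, and Nmap's real estimator is more elaborate.

```python
"""Illustrative model of the Nmap timing options described in the 1999
man page text.  Written for this page; it is NOT Nmap's scheduler.
Per-mode numbers are from the man page; parallelism 8, one retransmit,
the 4*srtt rule and RTT_FLOOR_MS are assumptions of this model."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

RTT_FLOOR_MS = 1000  # assumption: never let the learned timeout drop below this


@dataclass
class TimingPolicy:
    name: str
    max_parallelism: int                   # --max_parallelism
    scan_delay_ms: int = 0                 # --scan_delay (min gap between probes)
    initial_rtt_timeout_ms: int = 6000     # --initial_rtt_timeout (default 6000)
    max_rtt_timeout_ms: int = 9000         # --max_rtt_timeout (default about 9000)
    host_timeout_ms: Optional[int] = None  # --host_timeout (default: none)
    retries: int = 1                       # assumption: one retransmit per probe


# The six -T policies, parameters taken from the man page text.
CANNED = {
    "Paranoid":   TimingPolicy("Paranoid", 1, scan_delay_ms=300_000),
    "Sneaky":     TimingPolicy("Sneaky", 1, scan_delay_ms=15_000),
    "Polite":     TimingPolicy("Polite", 1, scan_delay_ms=400),
    "Normal":     TimingPolicy("Normal", 8),
    "Aggressive": TimingPolicy("Aggressive", 8, max_rtt_timeout_ms=1250,
                               host_timeout_ms=300_000),
    "Insane":     TimingPolicy("Insane", 8, max_rtt_timeout_ms=300,
                               host_timeout_ms=75_000),
}


def simulate_scan(latency_ms: Dict[int, Optional[int]], policy: TimingPolicy) -> dict:
    """Scan one host.  latency_ms maps port -> reply round-trip time in ms, or
    None when the probe is silently dropped.  Returns simulated elapsed ms and a
    per-port verdict: responded / no-response / unscanned (host timeout hit)."""
    ports = sorted(latency_ms)
    results: Dict[int, str] = {}
    clock = 0
    srtt: Optional[int] = None
    rtt_timeout = min(policy.initial_rtt_timeout_ms, policy.max_rtt_timeout_ms)
    i = 0
    while i < len(ports):
        batch = ports[i:i + policy.max_parallelism]   # probes in flight at once
        i += len(batch)
        timeout = rtt_timeout          # all probes of a batch share one timeout
        batch_wait = 0
        for port in batch:
            lat = latency_ms[port]
            waited = 0
            verdict = "no-response"
            for _ in range(policy.retries + 1):
                if lat is not None and lat <= timeout:
                    waited += lat
                    verdict = "responded"
                    # learn the RTT: EWMA with alpha 1/8, timeout = 4*srtt clamped
                    srtt = lat if srtt is None else (7 * srtt + lat) // 8
                    rtt_timeout = min(policy.max_rtt_timeout_ms,
                                      max(4 * srtt, RTT_FLOOR_MS))
                    break
                waited += timeout      # no reply inside the timeout: resend
            results[port] = verdict
            batch_wait = max(batch_wait, waited)
        clock += batch_wait + policy.scan_delay_ms
        if policy.host_timeout_ms is not None and clock > policy.host_timeout_ms:
            for port in ports[i:]:
                results[port] = "unscanned"   # --host_timeout: give up on this IP
            break
    return {"elapsed_ms": clock, "results": results}


def summarize(scan: dict) -> Dict[str, int]:
    """Count ports per verdict."""
    return dict(Counter(scan["results"].values()))


# Constructed sample hosts, not real scan data.
SAMPLE_HOST = {22: 40, 25: 60, 80: 500, 135: None, 443: 45, 8080: None}
FIREWALLED_HOST = {p: None for p in range(1, 1025)}   # drops every probe


if __name__ == "__main__":
    for name, policy in CANNED.items():
        scan = simulate_scan(SAMPLE_HOST, policy)
        print(f"{name:10s} {scan['elapsed_ms']:>9d} ms  {summarize(scan)}")
    print("firewalled host (-P0 style, nothing answers):")
    for name in ("Normal", "Aggressive", "Insane"):
        scan = simulate_scan(FIREWALLED_HOST, CANNED[name])
        print(f"{name:10s} {scan['elapsed_ms']:>9d} ms  {summarize(scan)}")
    custom = TimingPolicy("custom", 8, initial_rtt_timeout_ms=1000)
    scan = simulate_scan(FIREWALLED_HOST, custom)
    print(f"{'custom':10s} {scan['elapsed_ms']:>9d} ms  {summarize(scan)}")
```

Two things the run makes visible that the prose only states. On the responsive host, Insane finishes in a fraction of Normal's time but reports the slow 500 ms web server as not answering, because a 300 ms probe timeout can never see it; that is the "don't mind losing some information" caveat. On the host that drops everything, no reply ever arrives, so the RTT estimate never improves and every probe burns the full initial timeout twice; Aggressive and Insane then hit --host_timeout and leave the tail of the port range unscanned, while lowering --initial_rtt_timeout (the "custom" policy, built only from the low-level options, as the man page advises) cuts the Normal run by a factor of six without dropping ports.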