15 NMAP Timing Options – When And How To Use Them

Understanding NMAP timing options is essential in planning a proper scanning strategy for ethical hacking and penetration testing purposes – especially when the time window for performing a scan is limited or looking to evade intrusion detection mechanisms in a network.

In this NMAP tutorial, we will take a closer look at NMAP timing options [flags], when and how to use them.

Before we start, I strongly recommend you not to pick up random targets on the Internet to practice this guide. Instead, take one hour to set up your own virtual hacking lab with Kali Linux with VirtualBox on your own computer for free, and stay on the safe side until you become an expert. 

Alternatively, you can install NMAP on your own operating system by following the NMAP installation guide for Windows, macOS, Linux, and UNIX guide. You can choose to practice this tutorial by scanning the ports on your own computer – you may need to find your IP address first. 

And with that out of the way, let’s get to started.

What Are NMAP Timing Options?

The scan output accuracy is directly influenced by NMAP timing options set for a specific scan. For instance, when scanning a large number of targets on a fast network such as a Local Area Network [LAN], we can increase the number of parallel operations performed by NMAP to get faster results. 

On the other hand, when scanning targets across the Internet, it is advisable to slow down a scan to avoid triggering various intrusion detection mechanisms and get more accurate scan results. 

Table 1.1 below shows a summary of all NMAP timing options we are going to cover in this tutorial.

DescriptionOption [flag]
Timing Templates -T[0-5] 
Set the Packet Time To Live [TTL] –ttl
Minimum # of Parallel Operations –min-parallelism 
Maximum # of Parallel Operations –max-parallelism 
Minimum Host Group Size –min-hostgroup 
Maximum Host Group Size –max-hostgroup 
Maximum RTT Timeout –max-rtt-timeout
Initial RTT Timeout –initial-rtt-timeout 
Maximum Retries –max-retries 
Host Timeout –host-timeout 
Minimum Scan Delay –scan-delay 
Maximum Scan Delay–max-scan-delay 
Minimum Packet Rate –min-rate 
Maximum Packet Rate –max-rate
Defeat Reset Rate Limits –defeat-rst-ratelimit
Table 1.1: NMAP Timing Options

NMAP Timing Unit Flags

By default, NMAP executes time units in seconds. However, by applying a qualifier to the timing flag, we can instruct NMAP to accept timing units in milliseconds, minutes, or hours – as seen in Table 1.2 below.

FlagDefinitionTime UnitFlag
(none)Milliseconds (1/1000 of a second)60000 milliseconds60000ms
sSeconds60 seconds60s
mMinutes1 minutes1m
hHours1 hour1h
Table 1.2: NMAP time specification flags

 For example, we can instruct NMAP to scan a target for a 1 minute before aborting using the –host-timeout option as shown below:

nmap – host-timeout 60000 192.168.130.132

The above command can be also executed as:

nmap – host-timeout 60s 192.168.130.132

Or:

nmap – host-timeout 1m 192.168.130.132

All the above commands will produce the same output as 60000 = 60s = 1m.

To understand the importance of setting up a proper time unit when running NMAP, let’s run the above command on a target in a fast network such as LAN [Figure 1.1].

NMAP Timing Options: Example of NMAP scan with time unit set to 60000ms. Source: nudesystems.com
Figure 1.1: NMAP Timing Options – NMAP scan with time unit set to 60000ms.

The NMAP scan for the target in Figure 1.1 was completed in 4.67 seconds, way below the abortion limit of 60 seconds we set. 

Let’s run the same command on a target located on the Internet [Figure 1.2].

NMAP Timing Options: Example of NMAP scan with time unit set to 60000ms on Internet target. Source: nudesystems.com
Figure 1.2: Example of NMAP scan with time unit set to 60000ms [=60 seconds = 1 minute].

As seen in Figure 1.2, the NMAP scan time unit of 60 seconds was not sufficient to complete the scan for scanme.nmap.org. Let’s set the time unit to 10 minutes [10m] and check the results [Figure 1.3

But we don’t have to guess the correct timing unit. NMAP comes with ready-made timing templates to suit any scanning scenario.

NMAP Timing Templates

Flag: -T

Syntax: nmap -T[Template No.] [Target]

Description: Specify an NMAP timing template for a scan. 

Think of NMAP timing templates as shortcuts for different timing options. 

NMAP provides six templates [0 to 5] we can use to slow down scanning [evade firewalls] or speed up [get faster results] – depending on the scanning scenario, as seen in Table 1.3 below.

NMAP Timing TemplateNameDescription
-T0Paranoid scanA very slow scan
-T1Sneaky scanExcellent for avoiding firewalls
-T2Polite scanUnlikely to interfere with the target system
-T3Normal scanThe default NMAP timing template
-T4Aggressive scanProvides faster results on LANs
-T5Insane scanA fast aggressive scan
Table 1.3: NMAP Timing Templates

Figure 1.3 shows an example of aggressive scan [T4] on a target located in a local network. 

NMAP Timing Options: Example of NMAP aggressive scan. Source: nudesystems.com
Figure 1.3: NMAP Timing Options – Example of NMAP aggressive scan

Minimum Parallel Operations In NMAP

Flag: –min-parallelism

Syntax: nmap –min-parallelism [Number] [Target] 

Description: Specify the minimum number of parallel port scans NMAP should perform during a scan.

The number of parallel operations is set automatically by NMAP during a scan, based on the target’s network conditions. However, in some rare cases we can instruct NMAP to perform a specific minimum number of parallel operations [Figure 1.4].

NMAP Timing Options: Example of NMAP 8 parallel port scan operation. Source: nudesystems.com
Figure 1.3: NMAP Timing Options – Example of NMAP 8 parallel port scan operations.

In Figure 1.3 we instructed NMAP to perform 8 parallel operations for a target and the scan was completed in 5.18 seconds. Let’s instruct NMAP to perform 100 parallel operations for the same target and see the results [Figure 1.4].

NMAP Timing Options: Example of NMAP with minimum 100 parallel port scan operations. Source: nudesystems.com
Figure 1.4: Example of NMAP with minimum 100 parallel port scan operations.

In Figure 1.4 we instructed NMAP to perform a scan using 100 parallel operations. The target was scanned in 3.29 seconds – less time than the scan on Figure 1.3 of the same target. 

As we see, the number of NMAP parallel operations can impact the performance of a scan. However, setting the –min-parallelism qualifier too high, may produce inaccurate scanning results. 

Maximum Parallel Operations In NMAP

Flag: –max-parallelism

Syntax: nmap –max-parallelism [Number] [Target] 

Description: Specify the maximum number of parallel port scans NMAP can perform during a scan.

This option will limit NMAP to a maximum number of parallel operations during a scan. One reason to use this option is to avoid NMAP flooding a target with packets by performing a slower scan [Figure 1.5].

NMAP Timing Options: Example of NMAP with maximum 1 parallel port scan operation. Source: nudesystems.com
Figure 1.5: Example of NMAP with maximum 1 parallel port scan operation.

In Figure 1.5 we instructed NMAP to allow a maximum of 1 parallel operation and the scan completed in 202.1 seconds – considerably slower than previous scans on the same target.

Minimum Host Group Size In NMAP

Flag: –min-hostgroup

Syntax: nmap –min-hostgroup [Number] [Targets] 

Description: Perform parallel scans on multiple targets to save time.

When performing a scan for a range of targets or the entire subnet, we can instruct NMAP to scan multiple targets at once to save time. 

By default, NMAP will automatically adjust the size of the group scanned based on the network conditions and type of scan performed. 

The –min-hostgroup option will instruct NMAP to keep the group size scanned above a specific number [Figure 1.6].

NMAP Timing Options: Example of NMAP Minimum Host Group Size. Source: nudesystems.com
 Figure 1.6: NMAP Timing Options – Example Minimum Host Group Size.

Maximum Host Group Size In NMAP

Flag: –max-hostgroup

Syntax: nmap –max-hostgroup [Number] [Targets] 

Description: Perform parallel scans on multiple targets to save time.

The maximum host group size option instructs NMAP to control the number of hosts in a group under a specified number. This scanning option is useful when looking to avoid detection when scanning secured networks with firewalls [Figure 1.7]. 

NMAP Timing Options: Example of NMAP scan with 15 maximum host group size. Source: nudesystems.com
Figure 1.6: Example of NMAP scan with 15 maximum host group size.

Initial RTT Timeout In NMAP

Flag: –initial-rtt-timeout

Syntax: nmap –initial-rtt-timeout [Time] [Target] 

Description: Controls the initial Round-Trip Time [RTT] timeout value of packet response NMAP.

The –initial-rtt-timeout for a normal NMAP scan [-T3] has a default timing value of 1 second. 

We can increase the NMAP intital RTT timeout value to avoid timeouts due to packet retransmission. In contrast, we can decrease the RTT timeout value to improve the scanning time. 

NOTE:  keep in mind that setting an RTT value too low can produce inaccurate scanning results.

NMAP Timing Options: Example of NMAP scan with 5 seconds RTT timeout value. Source: nudesystems.com
Figure 1.7: NMAP Timing Options – Example of scan with 5 seconds RTT timeout value.

Maximum RTT Timeout In NMAP

Flag: –max-rtt-timeout

Syntax: nmap –max-rtt-timeout [Time] [Target] 

Description: Controls the maximum Round-Trip Time [RTT] timeout value packet response in an NMAP scan.

The maximum RTT timeout is another timing parameter that NMAP automatically adjusts during a scan. However, in some situations, such as NMAP giving up a scan due to slow connection, we can adjust the maximum RTT timeout parameter to fit our scanning scenario [Figure 1.8]. 

NMAP Timing Options: Example of NMAP maximum Round-Trip Time option. Source: nudesystems.com
Figure 1.8: NMAP Timing Options – Example of maximum Round-Trip Time option.

NOTE: The default maximum RTT timeout in NMAP is 10 seconds. The usual values used for maximum RTT timeout are between 1 second [1s] to 100 seconds [100s]. 

Maximum Retries In NMAP

Flag: –max-retries

Syntax: nmap –max-retries [Number] [Target] 

Description: Controls the maximum number of probe retransmissions performed by NMAP during a scan. 

The maximum retries number is a parameter adjusted automatically by NMAP during a scan. As in the previou examples, we can instruct NMAP to use a value more suitable to our scenario [Figure 1.9].

For instance, we can use the –max-retries option, when we are troubleshooting a network connectivity issue. 

A higher maximum retries value will produce more accurate results but will take longer for the scan to complete. Lowering the maximum retries value will speed up a scan and allow NMAP to give up too soon, therefore, affecting the scan output.

NMAP Timing Options: Example of NMAP maximum retries option. Source: nudesystems.com
Figure 1.9: Example of NMAP maximum retries option.

Set Packet Time To Live In NMAP

Flag: –ttl

Syntax: nmap –ttl [Time] [Target] 

Description: Specifies the Time To Live parameter in the packet header for an NMAP scan.

In the IP context, the Time To Live [TTL] is a mechanism located in the IP header that contains an 8-bit field indicating how many hops in a packet can pass through in a network before being dropped. 

In a slow network, the packets sent to a destination may time-out before receiving a response from the target machine. 

NMAP allows us to adjust the TTL parameter to avoid time-outs when scanning targets in a slow network [Figure 1.10].

NMAP Timing Options: NMAP timing options for Time To Live option. Source: nudesystems.com
Figure 1.10: NMAP timing options for Time To Live option.

Host Timeout In NMAP

Flag: –host-timeout

Syntax: nmap –host-timeout [Time] [Targets] 

Description: Instruct NMAP to stop scanning a host(s) after a given time.

In some scanning scenarios, it may be useful to abort a target if the response has many time-outs due to slow or unreliable network conditions or rate-limiting firewalls. 

The host timeout option instructs NMAP to stop scanning a target if the scan is not completed in a given time for that specific target. 

For instance, in Figure 1.11, we performed a scan on a target located on the Internet, and we instructed NMAP to stop the scanning process if not completed in 2 minutes [2m].

NMAP Timing Options: NMAP timing options for Host Timeout option. Source: nudesystems.com
Figure 1.11: NMAP timing options for Host Timeout option.

In Figure 1.12 we instruct NMAP to scan a given IP range and allow 30 seconds [30s] per host scanned before it stops the process. 

When scanning multiple targets, NMAP will perform parallel scanning even if a target requires a longer time to respond. 

NOTE: When using the –host-timeout option, no results will be displayed by NMAP if a target exceeds the timeout value.

NMAP Timing Options: NMAP timing options for Host Timeout option [multi-target scan]. Source: nudesystems.com
Figure 1.12: NMAP timing options for Host Timeout option [multi-target scan]

Minimum Scan Delay In NMAP

Flag: –scan-delay

Syntax: nmap –scan-delay [Time] [Target] 

Description: Instructs NMAP to pause a specified time between probes when scanning a target.

The minimum scan delay parameter instructs NMAP to take a break between probes for a specified time interval to evade rate limiting configurations on some target systems.

By default, NMAP is equipped to detect rate limiting on targets and automatically adjust the scan delay parameter. 

However, in some situations – when we know a network uses Intrusion Detection Systems [IDS] or rate limiting configurations, we can specify this parameter manually. Take note that even a low minimum scan delay can dramatically slow down the scanning process [Figure 1.13].

NMAP Timing Options: NMAP timing options for minimum scan delay option. Source: nudesystems.com
Figure 1.13: NMAP timing options for minimum scan delay option.

Maximum Scan Delay In NMAP

Flag: –max-scan-delay

Syntax: nmap –max-scan-delay [Time] [Target] 

Description: Instructs NMAP to wait a specified maximum amount of time between probes when scanning a target.

The maximum scan delay option instructs NMAP to use an upper time limit between probes to speed up a scan [Figure 1.14]. 

As in previous examples, setting an inadequate –max-scan-delay value can affect the accuracy of the scan output. 

NMAP Timing Options: NMAP timing options for Maximum Scan Delay option. Source: nudesystems.com
Figure 1.13: NMAP timing options for Maximum Scan Delay option.

Minimum Packet Rate In NMAP

Flag: –min-rate

Syntax: nmap –min-rate [Number] [Target] 

Description: Instructs NMAP to scan a target by sending a specified number of packets per second.

The minimum packet rate is automatically adjusted by NMAP when the –min-rate timing option is not specified. 

For instance, we can instruct NMAP to send a minimum of 20 packets per second. However, if the network conditions are favorable, NMAP may perform the scan faster and use the specified minimum packet rate value as a low threshold [Figure 1.14]. 

NOTE: Setting up a value for minimum packet rate to high may affect the accuracy of the scan output results.

NMAP Timing Options: NMAP timing options for Defeat RST Rate Limits. Source: nudesystems.com
Figure 1.14: NMAP timing options for Minimum Packet Rate option.

Maximum Packet Rate 

Flag: –max-rate

Syntax: nmap –max-rate [Number] [Target] 

Description: Instructs NMAP to scan a target by sending a specified maximum number of packets per second.

The maximum packet rate can be used to instruct NMAP to evade networks equipped with Intrusion Detection Systems [IDS] or systems configured with rate limiting solutions. However, this will dramatically slow down the scan [Figure 1.15].

TIP: to perform a sneaky scan, use a –max-rate 0.1 [send a packet every 10 seconds]

Defeat Reset Rate Limits 

Flag: –defeat-rst-rate limit

Syntax: nmap –defeat-rst-rate limit [Target] 

Description: Instructs NMAP to apply rate limiting to reset [RST] packages.

By default, NMAP can detect RST packet limiting targets and automatically adjust its parameters to avoid detection.

Setting up a value for the defeat reset rate limits in NMAP can speed up the scanning process but it may affect the scan output accuracy – one of the reasons why this method is rarely used. 

Figure 1.17: NMAP timing options for Defeat RST Rate Limits.

Before You Go

This was quite a lengthy tutorial and I am happy you managed to reach this point. The NMAP timing options are important to be understood to find the right speed to adapt your scan to evade detection. 

NMAP can be the ace in the sleeve for anyone willing to pursue a career in ethical hacking or cyber security. Here are a few articles to help you master NMAP:

If you found this NMAP tutorial useful, consider sharing it with your colleagues and friends.

Want to go one step further, consider supporting me on Patreon or simply send me some coins to the addresses below. Nothing like a small donation to keep me writing!

But most importantly, stay safe!

  • Bitcoin
  • Ethereum
  • Monero
Scan to Donate Bitcoin to bc1qytp4akadp5lash9pd6rvnrjlnm8920fza5zchc

Donate Bitcoin to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin

Scan to Donate Ethereum to 0xB8109313e704a2B0aB1a70d67baB66a2Fd3b590d

Donate Ethereum to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum

Scan to Donate Monero to 47tC9drbgyaerFMu8s9XqsaAuY4K6rgC9UDM3yHhbyWP9pUNwdAH7kEMuDbFMEgiY3JgYgQipwZoWSLSZAsUvkkjQmHLj6r

Donate Monero to this address

Scan the QR code or copy the address below into your wallet to send some Monero