Nmap Announce mailing list archives

Re: Timeout


From: Fyodor <fyodor () dhp com>
Date: Sun, 19 Sep 1999 22:34:42 -0400 (EDT)

On Sat, 18 Sep 1999, Lance Spitzner wrote:

> why this happens.  However, it would be great to have
> a "-t" option where you can set in seconds  a time limit
> per IP.  Any suggestion or recommendations on how to
> approach this?

Oh, all right :).  Due to popular demand, I have added sophisticated timing
control to Nmap.  This allows you to set more aggressive timeouts (on a
per-machine or per-probe basis) for greater speed.  Or you can specify a
"polite" scan to reduce network load and lower the probability of crashing
systems.  You can even demand that Nmap go VERY slow so you can do a
several-day scan and stay below the radar of intrusion detection
systems.  You can choose one of 6 "canned" timing modes, or you can use
new command-line options to roll your own behavior.

That is the summary.  Here is the new man page section which gives more
complete details:

       TIMING OPTIONS
              Generally Nmap does a good job at adjusting for network
              characteristics at runtime and scanning as fast as possible
              while minimizing the chances of hosts/ports going undetected.
              However, there are some cases where Nmap's default timing
              policy may not meet your objectives.  The following options
              provide a fine level of control over the scan timing:

       -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
              These are canned timing policies for conveniently expressing
              your priorities to Nmap.  Paranoid mode scans very slowly in
              the hopes of avoiding detection by IDS systems.  It serializes
              all scans (no parallel scanning) and generally waits at least
              5 minutes between sending packets.  Sneaky is similar, except
              it only waits 15 seconds between sending packets.  Polite is
              meant to ease load on the network and reduce the chances of
              crashing machines.  It serializes the probes and waits at
              least 0.4 seconds between them.  Normal is the default Nmap
              behaviour, which tries to run as quickly as possible without
              overloading the network or missing hosts/ports.  Aggressive
              mode adds a 5 minute timeout per host and it never waits more
              than 1.25 seconds for probe responses.  Insane is only
              suitable for very fast networks or where you don't mind
              losing some information.  It times out hosts in 75 seconds
              and only waits 0.3 seconds for individual probes.  It does
              allow for very quick network sweeps though :).  You can also
              reference these by number (0-5).  For example, '-T 0' gives
              you Paranoid mode and '-T 5' is Insane mode.

              These canned timing modes should NOT be used in combination
              with the lower level controls given below.

       --host_timeout <milliseconds>
              Specifies the amount of time Nmap is allowed to spend
              scanning a single host before giving up on that IP.  The
              default timing mode has no host timeout.

       --max_rtt_timeout <milliseconds>
              Specifies the maximum amount of time Nmap is allowed to wait
              for a probe response before retransmitting or timing out that
              particular probe.  The default mode sets this to about 9000.

       --initial_rtt_timeout <milliseconds>
              Specifies the initial probe timeout.  This is generally only
              useful when scanning firewalled hosts with -P0.  Normally
              Nmap can obtain good RTT estimates from the ping and the
              first few probes.  The default mode uses 6000.

       --max_parallelism <number>
              Specifies the maximum number of scans Nmap is allowed to
              perform in parallel.  Setting this to one means Nmap will
              never try to scan more than 1 port at a time.  It also
              affects other parallel scans such as ping sweep, RPC scan,
              etc.

       --scan_delay <milliseconds>
              Specifies the minimum amount of time Nmap must wait between
              probes.  This is mostly useful to reduce network load or to
              slow the scan way down to sneak under IDS thresholds.


Adding all this new timing functionality required changes in many parts of
Nmap.  Please try it out and tell me if I broke anything :).  Also I would
be happy to hear suggestions for improving the timing interface or
problems with the way it works now.

I'll send release notes for the new beta in a few minutes.

Cheers,
Fyodor

--
Fyodor                            'finger pgp () pgp insecure org | pgp -fka'
Frustrated by firewalls?          Try nmap: http://www.insecure.org/nmap/
"Be thankful you are not my student.  You would not get a high grade for
 such a design :-) ... Writing a new OS only for the 386 in 1991 gets you
 your second 'F' for this term" 
 -- Minix author/professor Andrew Tanenbaum to Linus Torvalds (Jan '92)
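A small model of the trade-offs the man page section above describes, added here as an example; it is not part of Fyodor's message or of Nmap's code. It encodes the canned modes with the delays and timeouts stated in the text, estimates how long a per-host scan takes, how many ports a host timeout leaves unprobed, and whether an IDS rule of the form "N probes from one source within W seconds" would fire. The rtt timeout of the three serialized modes, the parallelism of the other three, and the simplification that retransmissions are ignored are assumptions of this model, not figures from the page.

```python
import math
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Timing:
    """Knobs from the man page text, in milliseconds; None means unset."""
    name: str
    scan_delay: int              # --scan_delay: minimum gap between probes
    max_rtt_timeout: int         # --max_rtt_timeout: longest wait for a reply
    host_timeout: Optional[int]  # --host_timeout: give up on the host after this
    max_parallelism: int         # --max_parallelism: probes in flight at once

# Delays/timeouts are the man page figures; the rtt timeout of the serialized
# modes and the parallelism of the other three are ASSUMED for this model.
MODES = {
    0: Timing("Paranoid",   300_000, 9_000, None,     1),
    1: Timing("Sneaky",      15_000, 9_000, None,     1),
    2: Timing("Polite",         400, 9_000, None,     1),
    3: Timing("Normal",           0, 9_000, None,    10),
    4: Timing("Aggressive",       0, 1_250, 300_000, 10),
    5: Timing("Insane",           0,   300,  75_000, 10),
}

def probe_interval_ms(t: Timing, reply_ms: Optional[int]) -> int:
    """Cost of one probe round: enforced delay plus the real round trip, or the
    full rtt timeout for a silent (filtered) port.  Retransmissions ignored."""
    wait = t.max_rtt_timeout if reply_ms is None else min(reply_ms, t.max_rtt_timeout)
    return max(1, t.scan_delay + wait)

def estimated_seconds(t: Timing, ports: int, reply_ms: Optional[int]) -> float:
    """Time to probe `ports` ports on one host with no host_timeout cut-off."""
    rounds = math.ceil(ports / t.max_parallelism)
    return rounds * probe_interval_ms(t, reply_ms) / 1000

def ports_before_host_timeout(t: Timing, ports: int, reply_ms: Optional[int]) -> int:
    """Ports actually probed before --host_timeout abandons the host; anything
    beyond this count is never reported (the 'lost information')."""
    if t.host_timeout is None:
        return ports
    rounds_done = t.host_timeout // probe_interval_ms(t, reply_ms)
    return min(ports, rounds_done * t.max_parallelism)

def trips_ids_rule(t: Timing, reply_ms: Optional[int], n_probes: int, window_s: int) -> bool:
    """Defender check: does a rule 'n_probes from one source within window_s
    seconds' fire on this mode?  Counts the probe at t=0 plus one round per
    interval, times the probes sent per round."""
    rounds_in_window = window_s * 1000 // probe_interval_ms(t, reply_ms) + 1
    return rounds_in_window * t.max_parallelism >= n_probes
```

Running it against the page's own figures shows why the modes are described as they are: Paranoid takes about 3.5 days for 1000 ports (the "several-day scan"), and a 5-probe rule needs a window of at least 61 seconds to catch Sneaky but only a second or so to catch Normal.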