Nmap Timing Options
It may not be the contents of the nmap scan that need to be modified, but the speed at which the scan operates. Sometimes a scan should run slowly and quietly, and other times the scan should run as quickly and loudly as possible. For all of these situations, nmap provides a plethora of timing options that can affect almost every aspect of the scan.
Unlike other nmap commands, the location of these timing options on the command line is very important. If two conflicting timing options are specified on the command line, the last option has the priority. Although this sounds restrictive, it actually provides more functional timing options. For example, a timing policy (-T) could be specified first, and a --scan_delay option might be included at the end of the same nmap command line. This unique combination would combine the predefined timing option functions with the "tweak" of an alternative minimum scanning delay.
Most of nmap's timing options are separated into four categories; round trip time, parallel host scanning, parallel port scanning, and delay. Each of these categories can be configured separately, or a predefined nmap timing policy can be used to specify multiple categories simultaneously.
The host timeout option (--host_timeout) doesn't fall into one of the four timing categories. The host timeout is the amount of time an nmap scan will wait before "giving up" on an IP address. When nmap begins the scan of a host, it starts a timer. If the timer reaches the --host_timeout value, the scan to that host will immediately halt. If additional hosts are included in the nmap scan options, the scan will continue with those devices.
This timeout value could be related to the speed of the link or the willingness of the remote station to respond in a timely manner. Regardless of the reason, the --host_timeout option provides the nmap user with a way to "hurry along" the entire scan process when it hits a single slow device.
The default value for --host_timeout is zero. This means that nmap will never abort a scan due to time, no matter how long it may be take to complete. The minimum host timeout amount can be 200 milliseconds, and the maximum can be around 4 billion milliseconds – about a month! Hopefully, most nmap scans won't need this long to complete a scan against a single host.
Setting this value to a relatively low number (30,000 milliseconds) could speed up the completion of a scan where many of the remote devices communicate across slow links or perform aggressive throttling of ICMP or network responses. If these slower devices need to be scanned, --host_timeout can be tweaked to a larger number until the devices are scanned successfully at the highest possible timeout value. If only the most responsive devices are to be scanned, this timeout value can be decreased in an effort to speed up the overall nmap scanning process.