Timing Policies (--timing, -T<0|1|2|3|4|5>)
If nmap's ten different timing options are too much to handle, then the built-in timing policies (--timing) may be a good alternative. Timing policies are pre-built groups of timing options that range from the nearly invisible "paranoid" option to the overly-aggressive "insane" category.


Timing policies are specified as Paranoid, Sneaky, Polite, Normal, Aggressive, and Insane. These categories can also be referenced as numbers, where Paranoid has a value of zero and Insane has a value of five. Therefore, the nmap command
# nmap 192.168.0.1 –T0
is the same as
# nmap 192.168.0.1 --timing paranoid
The details of the timing options are shown in this chart. The policies only depart slightly from the defaults, but the departures at the upper and lower ends of the spectrum are significant:

timing_policies

clock
As this chart shows, the Paranoid option's minimum --scan_delay is set to an amazingly slow 5 minutes, and the Insane option's --max_scan_delay is set to 5 milliseconds! Clearly, there are massive differences between the top end of the scale and the bottom end.


If an unknown timing policy is specified, nmap provides this error before halting:
Unknown timing mode (-T argment).  Use either "Paranoid",
"Sneaky", "Polite", "Normal", "Aggressive", "Insane" or 
a number from 0 (Paranoid) to 5 (Insane)
Although the Paranoid category scan provides very accurate information, it takes a very long time to process a single -T0 scan. Conversely, an Insane scan provides lightning fast results, but the results can be inaccurate if the end station does not respond within the tight timeframes required by the –T5 category.

These timing categories provide a method of customizing scans based on a standard starting point. Since nmap's timing options are based on their position on the command line, a timing policy can be selected at the beginning of the nmap command line and other individual timing options can be specified afterwards. This would create a customized combination of nmap timings without requiring the specification of every possible timing option on the command line.

These timing policies are useful for testing intrusion detection systems (IDS) and intrusion prevention systems (IPS). Each timing policy can be run against an IDS or IPS to see if an alarm event or packet filtering function occurs. Additional IDS and IPS thresholds can then be configured based on these triggered values.