655
<para>Another host discovery option is the IPProto ping,
656
which sends IP packets with the specified protocol numbers
657
in the Protocol field of the IP headers. The protocol list
658
takes the same format as with the port lists in the
655
<para>The newest host discovery option is the IP protocol ping,
656
which sends IP packets with the specified protocol number
657
set in their IP header. The protocol list
658
takes the same format as do port lists in the
659
659
previously discussed TCP and UDP host discovery options. If
660
660
no protocols are specified, the default is to send multiple
661
661
IP packets for ICMP (protocol 1), IGMP (protocol 2), and
663
663
configured at compile-time by changing
664
664
DEFAULT_PROTO_PROBE_PORT_SPEC in <filename>nmap.h</filename>.
665
665
Note that for the ICMP, IGMP, TCP (protocol 6), and UDP
666
(protocol 17), the packets are sent with the additional
666
(protocol 17), the packets are sent with the proper protocol
667
667
headers while other protocols are sent with no additional data
668
668
beyond the IP header (unless the
669
669
<option>--data-length</option> option is specified).</para>
671
<para>This host discovery method looks for responses in the
672
same protocol as the probes, or ICMP Protocol Unreachable
673
messages which signify the specified IP protocol isn't
674
supported on the host (which gives away that it's up).</para>
671
<para>This host discovery method looks for either responses
672
using the same protocol as a probe, or ICMP protocol
673
unreachable messages which signify that the given protocol
674
isn't supported on the destination host. Either type of
675
response signifies that the target host is alive.</para>
2302
2303
</varlistentry>
2307
<option>--min-rate <number></option>
2308
(Specify a minimum scanning rate)
2309
<indexterm><primary>--min-rate</primary></indexterm>
2313
<para>Nmap's dynamic timing does a good job of finding an appropriate
2314
speed at which to scan. Sometimes, however, you may happen to know an
2315
appropriate scanning rate for a network, or you may have to guarantee
2316
that a scan will be finished by a certain time. When the
2317
<option>--min-rate</option> option is given Nmap will do its best to
2318
send packets as fast or faster than the given rate. The argument is a
2319
positive real number representing a packet rate in packets per second.
2320
For example, specifying <command>--min-rate 300</command> means that
2321
Nmap will try to keep the sending rate at or above 300 packets per
2322
second. Specifying a minimum rate does not keep Nmap from going faster
2323
if conditions warrant.</para>
2325
<para>There are two conditions when the actual scanning rate may fall
2326
below the specified minimum. The first is if the minimum is faster than
2327
the fastest rate at which Nmap can send, which is dependent on hardware.
2328
In this case Nmap will send packets as fast as possible, but be aware
2329
that such high rates are likely to cause a loss of accuracy. The second
2330
case is when Nmap has nothing to send, for example at the end of a scan
2331
when the last probes have been sent and Nmap is waiting for them to time
2332
out or be responded to. It's normal to see the scanning rate drop at the
2333
end of a scan or in between groups of hosts.</para>
2335
<para>Specifying a minimum rate should be done with care. Scanning
2336
faster than a network can support may lead to a loss of accuracy. In
2337
some cases, using a faster rate can make a scan take
2338
<emphasis>longer</emphasis> than it would with a slower rate. This is
2339
because Nmap's adaptive
2340
retransmission<indexterm><primary>adaptive retransmission</primary></indexterm>
2341
will detect the network congestion caused by an excessive scanning rate
2342
and increase the number of retransmissions in order to improve accuracy.
2343
So even though packets are sent at a higher rate, more packets are sent
2344
overall. Cap the number of retransmissions with the
2345
<option>--max-retries</option>
2346
option if you need to set an upper limit on total scan
2349
<para>The <option>--min-rate</option> option is global, affecting an
2350
entire scan, not individual hosts. It only affects port and host
2351
discovery scans. Other features like OS detection implement their own
2305
2358
<term><option>--defeat-rst-ratelimit</option>
2306
2359
<indexterm><primary>--defeat-rst-ratelimit</primary></indexterm></term>
2552
2605
ICMP, SYN, ACK, or whatever) and during the actual port
2553
2606
scanning phase. Decoys are also used during remote OS
2554
2607
detection (<option>-O</option>). Decoys do not work with
2555
version detection or TCP connect scan.</para>
2608
version detection or TCP connect scan. When a scan delay is
2609
in effect, the delay is enforced between each batch of
2610
spoofed probes, not between each individual probe. Because
2611
decoys are sent as a batch all at once, they may temporarily
2612
violate congestion control limits.</para>
2557
2614
<para>It is worth noting that using too many decoys may
2558
2615
slow your scan and potentially even make it less