Limiting Packet Transmission Rates (`--min-rate`, `--max-rate`) with Nmap

Learn how to control packet transmission rates with Nmap using the --min-rate and --max-rate options.

Introduction

Nmap (Network Mapper) is one of the most powerful tools for network scanning and security auditing. While it is commonly used for mapping networks and detecting open ports, users often need to control the rate at which packets are transmitted. This is particularly important in scenarios where:

  • You want to speed up a scan by ensuring a minimum packet transmission rate.
  • You need to limit the rate to avoid overwhelming a target network.
  • You want to bypass Intrusion Detection Systems (IDS) or firewalls that detect high-speed scans.
  • You are scanning across unreliable network conditions where too high a rate could cause packet loss.

To control packet transmission rates, Nmap provides the --min-rate and --max-rate options, allowing fine-grained control over the scanning speed.

Understanding --min-rate and --max-rate

The --min-rate and --max-rate options define the lower and upper limits of packet transmission rates in packets per second (pps). These options help users tailor scans based on their needs.

  • --min-rate <number>: Ensures that Nmap sends at least <number> packets per second.
  • --max-rate <number>: Ensures that Nmap does not exceed <number> packets per second.

By default, Nmap dynamically adjusts scan speed based on network conditions. However, these options provide users with greater control.

Use Cases for Limiting Packet Transmission Rates

1. Avoiding IDS/IPS Detection

Many Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) detect rapid scanning attempts and block the scanner’s IP address. Using --max-rate to limit scan speed can help avoid detection.

Example:

nmap -p 22,80,443 --max-rate 50 192.168.1.1

This command ensures that no more than 50 packets per second are sent to the target, reducing the likelihood of detection by IDS/IPS.

2. Preventing Network Congestion

Scanning at high rates can overwhelm a network, leading to dropped packets or degraded performance. Using --max-rate, you can ensure that Nmap does not exceed a safe rate.

Example:

nmap -p 1-65535 --max-rate 100 10.0.0.0/24

This command ensures the scan does not exceed 100 packets per second across the entire subnet.

3. Speeding Up Scans in High-Performance Networks

If you are scanning in a controlled environment (such as a lab) or on a high-bandwidth network, you might want to force Nmap to scan faster than it would normally adjust.

Example:

nmap -p 80,443 --min-rate 1000 192.168.1.1

This forces Nmap to send at least 1000 packets per second, ensuring a high-speed scan.

4. Handling Slow or Unreliable Networks

On unstable networks (e.g., Wi-Fi, satellite links), excessive scan speeds may lead to packet loss. Using --max-rate, you can limit the packet transmission rate to ensure more reliable scanning.

Example:

nmap -p 22,80,443 --max-rate 10 192.168.1.1

This scan will send no more than 10 packets per second, reducing the risk of packet loss.

Combining --min-rate and --max-rate

In some cases, it makes sense to use both options together to enforce strict rate control.

Example:

nmap -p 1-1000 --min-rate 50 --max-rate 200 192.168.1.1

This command ensures at least 50 packets per second are sent, but not more than 200 per second.

Measuring Scan Performance

To verify the actual scanning speed, use the -v (verbose) or --stats-every options.

Example:

nmap -p 80 --max-rate 100 --stats-every 2s 192.168.1.1

This reports scan statistics every 2 seconds, allowing you to monitor the effective transmission rate.
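To check a finished scan against the limits you asked for, the following added example (not part of the original article or of Nmap itself) computes the average packet rate from the closing summary lines that `nmap -v` prints to stdout for a raw-socket scan. The sample output is constructed, and the function names `effective_rate` and `check_rate` are hypothetical.

```python
import re

# Constructed sample of the closing lines `nmap -v` prints to stdout when run
# with raw-socket privileges (the numbers are made up for illustration).
SAMPLE_OUTPUT = """\
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 10.32 seconds
           Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.048KB)
"""

_SENT = re.compile(r"Raw packets sent:\s*(\d+)")
_TIME = re.compile(r"scanned in\s+([\d.]+)\s+seconds")


def effective_rate(nmap_stdout):
    """Return (packets_sent, seconds, average_pps) from `nmap -v` output."""
    sent = _SENT.search(nmap_stdout)
    took = _TIME.search(nmap_stdout)
    if not sent or not took:
        # The packet counter is only shown for verbose, raw-socket scans.
        raise ValueError("summary lines not found; run nmap with -v and raw-socket privileges")
    packets, seconds = int(sent.group(1)), float(took.group(1))
    if seconds <= 0:
        raise ValueError("elapsed time is zero; cannot compute a rate")
    return packets, seconds, packets / seconds


def check_rate(nmap_stdout, min_rate=None, max_rate=None):
    """Compare the average rate with the requested --min-rate/--max-rate."""
    _, _, pps = effective_rate(nmap_stdout)
    findings = []
    if max_rate is not None and pps > max_rate:
        findings.append(f"average {pps:.1f} pps is above --max-rate {max_rate}")
    if min_rate is not None and pps < min_rate:
        # Typical when bandwidth, CPU or upstream rate limiting is the bottleneck.
        findings.append(f"average {pps:.1f} pps is below --min-rate {min_rate}")
    return pps, findings


if __name__ == "__main__":
    pps, findings = check_rate(SAMPLE_OUTPUT, min_rate=50, max_rate=200)
    print(f"average rate: {pps:.1f} pps")
    for line in findings or ["within the requested bounds"]:
        print(line)
```

The figure is an average over the whole run, including host discovery and name resolution, so it can sit below the rate Nmap held during the port scan itself.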

Considerations When Using Rate Limits

Network and Hardware Limitations

Even if you set a high --min-rate, Nmap might not be able to achieve it due to factors such as:

  • Bandwidth constraints
  • Router/firewall rate limiting
  • CPU performance on the scanning machine

Legal and Ethical Considerations

  • Always obtain permission before scanning networks you do not own or manage.
  • Excessive scanning rates can be interpreted as hostile behavior.
  • Some ISPs and corporate networks may block your IP for aggressive scanning.

Interaction with Nmap Timing Templates (-T)

The -T timing options (ranging from -T0 to -T5) also control scan speed. If both --min-rate/--max-rate and a -T option are used, Nmap will try to balance them.

Conclusion

Controlling packet transmission rates with --min-rate and --max-rate allows for fine-tuned Nmap scans. Whether you are looking to speed up scans, avoid detection, or minimize network impact, these options provide crucial flexibility.

Understanding how to properly limit packet rates will improve your ability to conduct efficient and stealthy network reconnaissance while maintaining ethical scanning practices.