Overview
Optimization options help you balance scan speed, accuracy, and reliability. These settings control retry behavior, timeouts, port verification, and host discovery.Retry Configuration
Number of retry attempts for port scanning.When a port doesn’t respond, scan4all will retry the specified number of times before marking it as closed or filtered.Default values by scan type:
- SYN scan: 3 retries
- CONNECT scan: 3 retries
Timeout Configuration
Milliseconds to wait for port responses before timing out.Controls how long to wait for a response from each port before considering it unresponsive.Default values by scan type:
- SYN scan: 1000ms (1 second)
- CONNECT scan: 3000ms (3 seconds)
Timing Between Phases
Seconds to wait between scan phases.scan4all performs scanning in phases (port discovery, service detection, vulnerability checks). This setting controls the pause between phases to allow the network and target system to settle.Range: 0-30 secondsExamples:
Port Verification
Validate discovered ports with TCP CONNECT verification.After the initial port scan, re-check all found ports using a full TCP connection to confirm they are truly open. This reduces false positives.Example:Impact:
- Increases scan time by 20-40%
- Reduces false positives
- Provides higher confidence in results
- Uses TCP CONNECT regardless of initial scan type
Host Discovery
Use ping (ICMP echo) probes for host discovery and validation.Performs ICMP ping before port scanning to:Benefits:
- Verify host is alive
- Measure network latency
- Identify fastest route
- Skip dead hosts
- Skips unresponsive hosts
- Optimizes scan order by latency
- Reduces wasted scan time
- Provides network reachability info
- Many hosts block ICMP
- Firewalls may filter pings
- Can cause false negatives
Some hosts don’t respond to ping but have open ports. Consider scanning without ping if you suspect ICMP is blocked.
Optimization Strategies
Maximum Speed (Less Reliable)
Balanced (Recommended)
Maximum Accuracy (Slower)
High-Latency Networks
Local Network (Fast & Reliable)
Network Type Recommendations
| Network Type | Timeout | Retries | Warm-up | Verify | Ping |
|---|---|---|---|---|---|
| Local LAN | 500ms | 2 | 1s | Yes | No |
| Internet (Good) | 1000ms | 3 | 2s | Optional | Yes |
| Internet (Poor) | 3000ms | 4 | 3s | Yes | Yes |
| Satellite/High-latency | 5000ms | 5 | 5s | Yes | Optional |
| Fast Reconnaissance | 500ms | 1 | 0s | No | No |
| Security Audit | 2000ms | 4 | 3s | Yes | Yes |
Tuning for Scan Scope
Small Target Set (1-10 hosts)
Medium Target Set (10-100 hosts)
Large Target Set (100+ hosts)
Performance Impact
Timeout Effects
- Lower timeout: Faster scans, more false negatives
- Higher timeout: Slower scans, fewer false negatives
- Impact: Linear with number of ports × hosts
Retry Effects
- Fewer retries: Faster scans, less reliable
- More retries: Slower scans, more reliable
- Impact: Multiplicative on failed probes only
Verification Effects
- Without verify: Faster, potential false positives
- With verify: 20-40% slower, high accuracy
- Impact: Only on discovered open ports
Troubleshooting
Missing Open Ports
Symptoms: Known open ports not detected Solutions:Scan Too Slow
Symptoms: Taking much longer than expected Solutions:False Positives
Symptoms: Ports reported as open but aren’t Solutions:Network Overload
Symptoms: Packet loss, incomplete results Solutions:Best Practices
- Start with defaults: Adjust only if needed
- Test on known hosts: Verify settings work correctly
- Match network conditions: Adjust timeouts for latency
- Use verification for accuracy: When false positives are unacceptable
- Balance speed vs accuracy: Faster isn’t always better
- Monitor with stats: Use
-statsto observe behavior - Document your settings: Keep notes on what works for different scenarios
Related Options
- Rate Limit Options - Control scan speed and concurrency
- Scan Options - Additional configuration like
-streammode - Debug Options - Monitor optimization effects with
-stats