diff options
author | Timothy Pearson <[email protected]> | 2013-07-24 11:29:03 -0500 |
---|---|---|
committer | Timothy Pearson <[email protected]> | 2013-07-24 11:29:03 -0500 |
commit | 066bae76e94c21604fe4132c4ca26e5b2f0c6375 (patch) | |
tree | 64cd6638d6f513ef8ddb094f9437467c0a810d86 /src/nmap_manpage.html.diff | |
download | knmap-066bae76e94c21604fe4132c4ca26e5b2f0c6375.tar.gz knmap-066bae76e94c21604fe4132c4ca26e5b2f0c6375.zip |
Initial import of knmap 2.1 sources
Diffstat (limited to 'src/nmap_manpage.html.diff')
-rw-r--r-- | src/nmap_manpage.html.diff | 557 |
1 files changed, 557 insertions, 0 deletions
diff --git a/src/nmap_manpage.html.diff b/src/nmap_manpage.html.diff new file mode 100644 index 0000000..bcdf5a6 --- /dev/null +++ b/src/nmap_manpage.html.diff @@ -0,0 +1,557 @@ +--- /usr/share/doc/nmap-3.93/nmap_manpage.html 2005-09-12 20:11:41.000000000 +0930 ++++ /home/c/knmap/src/nmap_manpage.html 2005-11-09 09:35:59.000000000 +0930 +@@ -78,7 +78,7 @@ + + <B>SCAN</B> <B>TYPES</B> + +- <B>-sS</B> TCP SYN scan: This technique is often referred to as "half-open" ++ <B id="-sS">-sS</B> TCP SYN scan: This technique is often referred to as "half-open" + scanning, because you don’t open a full TCP connection. You send + a SYN packet, as if you are going to open a real connection and + you wait for a response. A SYN|ACK indicates the port is listen- +@@ -89,7 +89,7 @@ + Unfortunately you need root privileges to build these custom SYN + packets. This is the default scan type for privileged users. + +- <B>-sT</B> TCP connect() scan: This is the most basic form of TCP scanning. ++ <B id="-sT">-sT</B> TCP connect() scan: This is the most basic form of TCP scanning. + The connect() system call provided by your operating system is + used to open a connection to every interesting port on the + machine. If the port is listening, connect() will succeed, oth- +@@ -102,7 +102,7 @@ + which accept() the connection just to have it immediately shut- + down. This is the default scan type for unprivileged users. + +- <B>-sF</B> <B>-sX</B> <B>-sN</B> ++ <B id="-sF">-sF</B> <B id="-sX">-sX</B> <B id="-sN">-sN</B> + Stealth FIN, Xmas Tree, or Null scan modes: There are times when + even SYN scanning isn’t clandestine enough. Some firewalls and + packet filters watch for SYNs to restricted ports, and programs +@@ -133,7 +133,7 @@ + HP/UX, MVS, and IRIX. All of the above send resets from the + open ports when they should just drop the packet. + +- <B>-sP</B> Ping scanning: Sometimes you only want to know which hosts on a ++ <B id="-sP">-sP</B> Ping scanning: Sometimes you only want to know which hosts on a + network are up. Nmap can do this by sending ICMP echo request + packets to every IP address on the networks you specify. Hosts + that respond are up. Unfortunately, some sites such as +@@ -151,7 +151,7 @@ + respond are scanned. Only use this option if you wish to ping + sweep <B>without</B> doing any actual port scans. + +- <B>-sV</B> Version detection: After TCP and/or UDP ports are discovered ++ <B id="-sV">-sV</B> Version detection: After TCP and/or UDP ports are discovered + using one of the other scan methods, version detection communi- + cates with those ports to try and determine more about what is + actually running. A file called nmap-service-probes is used to +@@ -177,7 +177,7 @@ + version scanning is doing (this is a subset of what you would + get with --packet_trace). + +- <B>-sU</B> UDP scans: This method is used to determine which UDP (User ++ <B id="-sU">-sU</B> UDP scans: This method is used to determine which UDP (User + Datagram Protocol, RFC 768) ports are open on a host. The tech- + nique is to send 0 byte UDP packets to each port on the target + machine. If we receive an ICMP port unreachable message, then +@@ -215,7 +215,7 @@ + <B>very</B> quickly. Whoop! + + +- <B>-sO</B> IP protocol scans: This method is used to determine which IP ++ <B id="-sO">-sO</B> IP protocol scans: This method is used to determine which IP + protocols are supported on a host. The technique is to send raw + IP packets without any further protocol header to each specified + protocol on the target machine. If we receive an ICMP protocol +@@ -229,7 +229,7 @@ + field has only 8 bits, so at most 256 protocols can be probed + which should be possible in reasonable time anyway. + +- <B>-sI</B> <B><zombie</B> <B>host[:probeport]></B> ++ <B id="-sI">-sI</B> <B><zombie</B> <B>host[:probeport]></B> + Idlescan: This advanced scan method allows for a truly blind TCP + port scan of the target (meaning no packets are sent to the tar- + get from your real IP address). Instead, a unique side-channel +@@ -257,7 +257,7 @@ + Otherwise Nmap will use the port it uses by default for "tcp + pings". + +- <B>-sA</B> ACK scan: This advanced method is usually used to map out fire- ++ <B id="-sA">-sA</B> ACK scan: This advanced method is usually used to map out fire- + wall rulesets. In particular, it can help determine whether a + firewall is stateful or just a simple packet filter that blocks + incoming SYN packets. +@@ -272,7 +272,7 @@ + RSTs). This scan will obviously never show ports in the "open" + state. + +- <B>-sW</B> Window scan: This advanced scan is very similar to the ACK scan, ++ <B id="-sW">-sW</B> Window scan: This advanced scan is very similar to the ACK scan, + except that it can sometimes detect open ports as well as fil- + tered/unfiltered due to an anomaly in the TCP window size + reporting by some operating systems. Systems vulnerable to this +@@ -282,7 +282,7 @@ + 4.X, Ultrix, VAX, and VxWorks. See the nmap-hackers mailing + list archive for a full list. + +- <B>-sR</B> RPC scan. This method works in combination with the various ++ <B id="-sR">-sR</B> RPC scan. This method works in combination with the various + port scan methods of Nmap. It takes all the TCP/UDP ports found + open and then floods them with SunRPC program NULL commands in + an attempt to determine whether they are RPC ports, and if so, +@@ -294,11 +294,11 @@ + matically enabled as part of version scan (-sV) if you request + that. + +- <B>-sL</B> List scan. This method simply generates and prints a list of IP ++ <B id="-sL">-sL</B> List scan. This method simply generates and prints a list of IP + addresses or hostnames without actually pinging or port scanning + them. DNS name resolution will be performed unless you use -n. + +- <B>-b</B> <B><ftp</B> <B>relay</B> <B>host></B> ++ <B id="-b">-b</B> <B><ftp</B> <B>relay</B> <B>host></B> + FTP bounce attack: An interesting "feature" of the ftp protocol + (RFC 959) is support for "proxy" ftp connections. In other + words, I should be able to connect from evil.com to the FTP +@@ -332,7 +332,7 @@ + odds of penetrating strict firewalls by sending many probe types + using different TCP ports/flags and ICMP codes. + +- <B>-P0</B> Do not try to ping hosts at all before scanning them. This ++ <B id="-P0">-P0</B> Do not try to ping hosts at all before scanning them. This + allows the scanning of networks that don’t allow ICMP echo + requests (or responses) through their firewall. microsoft.com + is an example of such a network, and thus you should always use +@@ -342,7 +342,7 @@ + trary combinations of TCP, UDP, and ICMP probes. By default, + Nmap sends an ICMP echo request and a TCP ACK packet to port 80. + +- <B>-PA</B> <B>[portlist]</B> ++ <B id="-PA">-PA</B> <B>[portlist]</B> + Use TCP ACK "ping" to determine what hosts are up. Instead of + sending ICMP echo request packets and waiting for a response, we + spew out TCP ACK packets throughout the target network (or to a +@@ -356,13 +356,13 @@ + 80, since this port is often not filtered out. Note that this + option now accepts multiple, comma-separated port numbers. + +- <B>-PS</B> <B>[portlist]</B> ++ <B id="-PS">-PS</B> <B>[portlist]</B> + This option uses SYN (connection request) packets instead of ACK + packets for root users. Hosts that are up should respond with a + RST (or, rarely, a SYN|ACK). You can set the destination ports + in the same manner as -PA above. + +- <B>-PR</B> This option specifies a raw ethernet ARP ping. It cannot be ++ <B id="-PR">-PR</B> This option specifies a raw ethernet ARP ping. It cannot be + used in combination with any of the other ping types. When the + target machines are on the same network you are scanning from, + this is the fastest and most reliable (because it goes below IP- +@@ -374,7 +374,7 @@ + UDP services won’t reply to an empty packet, your best bet might + be to send this to expected-closed ports rather than open ones. + +- <B>-PE</B> This option uses a true ping (ICMP echo request) packet. It ++ <B id="-PE">-PE</B> This option uses a true ping (ICMP echo request) packet. It + finds hosts that are up and also looks for subnet-directed + broadcast addresses on your network. These are IP addresses + which are externally reachable and translate to a broadcast of +@@ -382,10 +382,10 @@ + eliminated if found as they allow for numerous denial of service + attacks (Smurf is the most common). + +- <B>-PP</B> Uses an ICMP timestamp request (type 13) packet to find listen- ++ <B id="-PP">-PP</B> Uses an ICMP timestamp request (type 13) packet to find listen- + ing hosts. + +- <B>-PM</B> Same as <B>-PE</B> and <B>-PP</B> except uses a netmask request (ICMP type ++ <B id="-PM">-PM</B> Same as <B>-PE</B> and <B>-PP</B> except uses a netmask request (ICMP type + 17). + + <B>-PB</B> This is the default ping type. It uses both the ACK ( <B>-PA</B> ) and +@@ -397,7 +397,7 @@ + "PA" (or rely on the default behavior) to achieve this same + effect. + +- <B>-O</B> This option activates remote host identification via TCP/IP fin- ++ <B id="-O">-O</B> This option activates remote host identification via TCP/IP fin- + gerprinting. In other words, it uses a bunch of techniques to + detect subtleties in the underlying operating system network + stack of the computers you are scanning. It uses this informa- +@@ -436,7 +436,7 @@ + for each packet they send. This makes them vulnerable to sev- + eral advanced information gathering and spoofing attacks. + +- <B>--osscan_limit</B> ++ <B id="--osscan_limit">--osscan_limit</B> + OS detection is far more effective if at least one open and one + closed TCP port are found. Set this option and Nmap will not + even try OS detection against hosts that do not meet this crite- +@@ -444,7 +444,7 @@ + against many hosts. It only matters when OS detection is + requested (-O or -A options). + +- <B>-A</B> This option enables _a_dditional _a_dvanced and _a_ggressive ++ <B id="-A">-A</B> This option enables _a_dditional _a_dvanced and _a_ggressive + options. I haven’t decided exactly which it stands for yet :). + Presently this enables OS Detection (-O) and version scanning + (-sV). More features may be added in the future. The point is +@@ -453,7 +453,7 @@ + enables features, and not timing options (such as -T4) or ver- + bosity options (-v) that you might wan’t as well. + +- <B>-6</B> This options enables IPv6 support. All targets must be IPv6 if ++ <B id="-6">-6</B> This options enables IPv6 support. All targets must be IPv6 if + this option is used, and they can be specified via normal DNS + name (AAAA record) or as a literal IP address such as + 3ffe:501:4819:2000:210:f3ff:fe03:4d0 . Currently, connect() TCP +@@ -461,7 +461,7 @@ + or other scan types, have a look at http://nmap6.source- + forge.net/ . + +- <B>--send_eth</B> ++ <B id="--send_eth">--send_eth</B> + Asks Nmap to send packets at the raw ethernet (data link) layer + rather than the higher IP (network) layer. By default, Nmap + chooses the one which is generally best for the platform it is +@@ -471,12 +471,12 @@ + port. Nmap still uses raw IP packets when there is no other + choice (such as non-ethernet connections). + +- <B>--send_ip</B> ++ <B id="--send_ip">--send_ip</B> + Asks Nmap to send packets via raw IP sockets rather than sending + lower level ethernet frames. It is the complement to the + --send-eth option.discussed previously. + +- <B>--spoof_mac</B> <B>[mac,</B> <B>prefix,</B> <B>or</B> <B>vendor</B> <B>substring]</B> ++ <B id="--spoof_mac">--spoof_mac</B> <B>[mac,</B> <B>prefix,</B> <B>or</B> <B>vendor</B> <B>substring]</B> + Ask Nmap to use the given MAC address for all of the raw ether- + net frames it sends. The MAC given can take several formats. + If it is simply the string "0", Nmap chooses a completely random +@@ -492,7 +492,7 @@ + are "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", + and "Cisco". + +- <B>-f</B> This option causes the requested scan (including ping scans) to ++ <B id="-f">-f</B> This option causes the requested scan (including ping scans) to + use tiny fragmented IP packets. The idea is to split up the TCP + header over several packets to make it harder for packet fil- + ters, intrusion detection systems, and other annoyances to +@@ -521,7 +521,7 @@ + It works fine for my Linux, FreeBSD, and OpenBSD boxes and some + people have reported success with other *NIX variants. + +- <B>-v</B> Verbose mode. This is a highly recommended option and it gives ++ <B id="-v">-v</B> Verbose mode. This is a highly recommended option and it gives + out more information about what is going on. You can use it + twice for greater effect. You can also use <B>-d</B> a few times if + you really want to get crazy with scrolling the screen! +@@ -530,11 +530,11 @@ + options. As you may have noticed, this man page is not exactly + a "quick reference" :) + +- <B>-oN</B> <B><logfilename></B> ++ <B id="-oN">-oN</B> <B><logfilename></B> + This logs the results of your scans in a normal <B>human</B> <B>readable</B> + form into the file you specify as an argument. + +- <B>-oX</B> <B><logfilename></B> ++ <B id="-oX">-oX</B> <B><logfilename></B> + This logs the results of your scans in <B>XML</B> form into the file + you specify as an argument. This allows programs to easily cap- + ture and interpret Nmap results. You can give the argument "-" +@@ -546,7 +546,7 @@ + the XML output structure is available at http://www.inse- + cure.org/nmap/data/nmap.dtd . + +- <B>--stylesheet</B> <B><filename></B> ++ <B id="--stylesheet">--stylesheet</B> <B><filename></B> + Nmap ships with an XSL stylesheet named nmap.xsl for viewing or + translating XML output to HTML. The XML output includes an xml- + stylesheet directive which points to nmap.xml where it was ini- +@@ -563,12 +563,12 @@ + URL is often more useful, but the local filesystem locaton of + nmap.xsl is used by default for privacy reasons. + +- <B>--no_stylesheet</B> ++ <B id="--no_stylesheet">--no_stylesheet</B> + Specify this option to prevent Nmap from associating any XSL + stylesheet with its XML output. The xml-stylesheet directive is + omitted. + +- <B>-oG</B> <B><logfilename></B> ++ <B id="-oG">-oG</B> <B><logfilename></B> + This logs the results of your scans in a <B>grepable</B> form into the + file you specify as an argument. This simple format provides + all the information on one line (so you can easily grep for port +@@ -582,17 +582,17 @@ + will still go to stderr). Also note that "-v" will cause some + extra information to be printed. + +- <B>-oA</B> <B><basefilename></B> ++ <B id="-oA">-oA</B> <B><basefilename></B> + This tells Nmap to log in ALL the major formats (normal, + grepable, and XML). You give a base for the filename, and the + output files will be base.nmap, base.gnmap, and base.xml. + +- <B>-oS</B> <B><logfilename></B> ++ <B id="-oS">-oS</B> <B><logfilename></B> + thIs l0gz th3 r3suLtS of YouR ScanZ iN a <B>s|<ipT</B> <B>kiDd|3</B> f0rM iNto + THe fiL3 U sPecfy 4s an arGuMEnT! U kAn gIv3 the 4rgument "-" + (wItHOUt qUOteZ) to sh00t output iNT0 stDouT!@!! + +- <B>--resume</B> <B><logfilename></B> ++ <B id="--resume">--resume</B> <B><logfilename></B> + A network scan that is canceled due to control-C, network out- + age, etc. can be resumed using this option. The logfilename + must be either a normal (-oN) or grepable (-oG) log from the +@@ -600,7 +600,7 @@ + same as the aborted scan). Nmap will start on the machine after + the last one successfully scanned in the log file. + +- <B>--exclude</B> <B><host1</B> <B>[,host2][,host3],..."></B> ++ <B id="--exclude">--exclude</B> <B><host1</B> <B>[,host2][,host3],..."></B> + Specifies a list of targets (hosts, ranges, netblocks) that + should be excluded from a scan. Useful to keep from scanning + yourself, your ISP, particularly sensitive hosts, etc. +@@ -610,16 +610,16 @@ + targets are provided in an newline-delimited exclude_file rather + than on the command line. + +- <B>--allports</B> ++ <B id="--allports">--allports</B> + Causes version detection (-sV) to scan all open ports found, + including those excluded as dangerous (likely to cause crashes + or other problems) in nmap-service-probes. + +- <B>--append_output</B> ++ <B id="--append_output">--append_output</B> + Tells Nmap to append scan results to any output files you have + specified rather than overwriting those files. + +- <B>-iL</B> <B><inputfilename></B> ++ <B id="-iL">-iL</B> <B><inputfilename></B> + Reads target specifications from the file specified RATHER than + from the command line. The file should contain a list of host + or network expressions separated by spaces, tabs, or newlines. +@@ -628,7 +628,7 @@ + section <I>target</I> <I>specification</I> for more information on the expres- + sions you fill the file with. + +- <B>-iR</B> <B><num</B> <B>hosts></B> ++ <B id="-iR">-iR</B> <B><num</B> <B>hosts></B> + This option tells Nmap to generate its own hosts to scan by sim- + ply picking random numbers :). It will never end after the + given number of IPs has been scanned -- use 0 for a never-ending +@@ -637,7 +637,7 @@ + bored, try <I>nmap</I> <I>-sS</I> <I>-PS80</I> <I>-iR</I> <I>0</I> <I>-p</I> <I>80</I> to find some web servers + to look at. + +- <B>-p</B> <B><port</B> <B>ranges></B> ++ <B id="-p">-p</B> <B><port</B> <B>ranges></B> + This option specifies what ports you want to specify. For exam- + ple "-p 23" will only try port 23 of the target host(s). "-p + 20-30,139,60000-" scans ports between 20 and 30, port 139, and +@@ -656,13 +656,13 @@ + tocol qualifier is given, the port numbers are added to all pro- + tocol lists. + +- <B>-F</B> <B>Fast</B> <B>scan</B> <B>mode.</B> ++ <B id="-F">-F</B> <B>Fast</B> <B>scan</B> <B>mode.</B> + Specifies that you only wish to scan for ports listed in the + services file which comes with nmap (or the protocols file for + -sO). This is obviously much faster than scanning all 65535 + ports on a host. + +- <B>-D</B> <B><decoy1</B> <B>[,decoy2][,ME],...></B> ++ <B id="-D">-D</B> <B><decoy1</B> <B>[,decoy2][,ME],...></B> + Causes a decoy scan to be performed which makes it appear to the + remote host that the host(s) you specify as decoys are scanning + the target network too. Thus their IDS might report 5-10 port +@@ -708,7 +708,7 @@ + will filter out your spoofed packets, although many (currently + most) do not restrict spoofed IP packets at all. + +- <B>-S</B> <B><IP_Address></B> ++ <B id="-S">-S</B> <B><IP_Address></B> + In some circumstances, <I>nmap</I> may not be able to determine your + source address ( <I>nmap</I> will tell you if this is the case). In + this situation, use -S with your IP address (of the interface +@@ -723,11 +723,11 @@ + ning them. <B>-e</B> would generally be required for this sort of + usage. + +- <B>-e</B> <B><interface></B> ++ <B id="-e">-e</B> <B><interface></B> + Tells nmap what interface to send and receive packets on. Nmap + should be able to detect this but it will tell you if it cannot. + +- <B>--source_port</B> <B><portnumber></B> ++ <B id="-g">--source_port</B> <B><portnumber></B> + Sets the source port number used in scans. Many naive firewall + and packet filter installations make an exception in their rule- + set to allow DNS (53) or FTP-DATA (20) packets to come through +@@ -746,7 +746,7 @@ + for using this option, because I sometimes store useful informa- + tion in the source port number. + +- <B>--data_length</B> <B><number></B> ++ <B id="--data_length">--data_length</B> <B><number></B> + Normally Nmap sends minimalistic packets that only contain a + header. So its TCP packets are generally 40 bytes and ICMP echo + requests are just 28. This option tells Nmap to append the +@@ -755,22 +755,22 @@ + portscan packets are. This slows things down, but can be + slightly less conspicuous. + +- <B>-n</B> Tells Nmap to <B>NEVER</B> do reverse DNS resolution on the active IP ++ <B id="-n">-n</B> Tells Nmap to <B>NEVER</B> do reverse DNS resolution on the active IP + addresses it finds. Since DNS is often slow, this can help + speed things up. + +- <B>-R</B> Tells Nmap to <B>ALWAYS</B> do reverse DNS resolution on the target IP ++ <B id="-R">-R</B> Tells Nmap to <B>ALWAYS</B> do reverse DNS resolution on the target IP + addresses. Normally this is only done when a machine is found + to be alive. + +- <B>-r</B> Tells Nmap <B>NOT</B> to randomize the order in which ports are ++ <B id="-r">-r</B> Tells Nmap <B>NOT</B> to randomize the order in which ports are + scanned. + +- <B>--ttl</B> <B><value></B> ++ <B id="-ttl">--ttl</B> <B><value></B> + Sets the IPv4 time to live field in sent packets to the given + value. + +- <B>--privileged</B> ++ <B id="--privileged">--privileged</B> + Tells Nmap to simply assume that it is privileged enough to per- + form raw socket sends, packet sniffing, and similar operations + that usually require root privileges on UNIX systems. By +@@ -792,25 +792,25 @@ + activate this mode and then type usually more familiar and fea- + ture-complete. + +- <B>--randomize_hosts</B> ++ <B id="--randomize_hosts">--randomize_hosts</B> + Tells Nmap to shuffle each group of up to 2048 hosts before it + scans them. This can make the scans less obvious to various + network monitoring systems, especially when you combine it with + slow timing options (see below). + +- <B>-M</B> <B><max</B> <B>sockets></B> ++ <B id="-M">-M</B> <B><max</B> <B>sockets></B> + Sets the maximum number of sockets that will be used in parallel + for a TCP connect() scan (the default). This is useful to slow + down the scan a little bit and avoid crashing remote machines. + Another approach is to use -sS, which is generally easier for + machines to handle. + +- <B>--packet_trace</B> ++ <B id="--packet_trace">--packet_trace</B> + Tells Nmap to show all the packets it sends and receives in a + tcpdump-like format. This can be tremendously useful for debug- + ging, and is also a good learning tool. + +- <B>--datadir</B> <B>[directoryname]</B> ++ <B id="--datadir">--datadir</B> <B>[directoryname]</B> + Nmap obtains some special data at runtime in files named nmap- + service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap- + mac-prefixes, and nmap-os-fingerprints. Nmap first searches +@@ -830,7 +830,7 @@ + meet your objectives. The following options provide a fine + level of control over the scan timing: + +- <B>-T</B> <B><Paranoid|Sneaky|Polite|Normal|Aggressive|Insane></B> ++ <B id="-T">-T</B> <B><Paranoid|Sneaky|Polite|Normal|Aggressive|Insane></B> + These are canned timing policies for conveniently expressing + your priorities to Nmap. <B>Paranoid</B> mode scans <B>very</B> slowly in the + hopes of avoiding detection by IDS systems. It serializes all +@@ -859,17 +859,17 @@ + line. Otherwise the defaults for the selected timing mode will + override your choices. + +- <B>--host_timeout</B> <B><milliseconds></B> ++ <B id="--host_timeout">--host_timeout</B> <B><milliseconds></B> + Specifies the amount of time Nmap is allowed to spend scanning a + single host before giving up on that IP. The default timing + mode has no host timeout. + +- <B>--max_rtt_timeout</B> <B><milliseconds></B> ++ <B id="--max_rtt_timeout">--max_rtt_timeout</B> <B><milliseconds></B> + Specifies the maximum amount of time Nmap is allowed to wait for + a probe response before retransmitting or timing out that par- + ticular probe. The default mode sets this to about 9000. + +- <B>--min_rtt_timeout</B> <B><milliseconds></B> ++ <B id="--min_rtt_timeout">--min_rtt_timeout</B> <B><milliseconds></B> + When the target hosts start to establish a pattern of responding + very quickly, Nmap will shrink the amount of time given per + probe. This speeds up the scan, but can lead to missed packets +@@ -877,13 +877,13 @@ + you can guarantee that Nmap will wait at least the given amount + of time before giving up on a probe. + +- <B>--initial_rtt_timeout</B> <B><milliseconds></B> ++ <B id="--initial_rtt_timeout">--initial_rtt_timeout</B> <B><milliseconds></B> + Specifies the initial probe timeout. This is generally only + useful when scanning firewalled hosts with -P0. Normally Nmap + can obtain good RTT estimates from the ping and the first few + probes. The default mode uses 6000. + +- <B>--max_hostgroup</B> <B><numhosts></B> ++ <B id="--max_hostgroup">--max_hostgroup</B> <B><numhosts></B> + Specifies the maximum number of hosts that Nmap is allowed to + scan in parallel. Most of the port scan techniques support + multi-host operation, which makes them much quicker. Spreading +@@ -894,7 +894,7 @@ + at a time) Nmap behavior. Note that the ping scanner handles + its own grouping, and ignores this value. + +- <B>--min_hostgroup</B> <B><numhosts></B> ++ <B id="--min_hostgroup">--min_hostgroup</B> <B><numhosts></B> + Specifies the minimum host group size (see previous entry). + Large values (such as 50) are often beneficial for unattended + scans, though they do take up more memory. Nmap may override +@@ -902,19 +902,19 @@ + the same network interface, and some scan types can only handle + one host at a time. + +- <B>--max_parallelism</B> <B><number></B> ++ <B id="--max_parallelism">--max_parallelism</B> <B><number></B> + Specifies the maximum number of scans Nmap is allowed to perform + in parallel. Setting this to one means Nmap will never try to + scan more than 1 port at a time. It also effects other parallel + scans such as ping sweep, RPC scan, etc. + +- <B>--min_parallelism</B> <B><number></B> ++ <B id="--min_parallelism">--min_parallelism</B> <B><number></B> + Tells Nmap to scan at least the given number of ports in paral- + lel. This can speed up scans against certain firewalled hosts + by an order of magnitude. But be careful -- results will become + unreliable if you push it too far. + +- <B>--scan_delay</B> <B><milliseconds></B> ++ <B id="--scan_delay">--scan_delay</B> <B><milliseconds></B> + Specifies the <B>minimum</B> amount of time Nmap must wait between + probes. This is mostly useful to reduce network load or to slow + the scan way down to sneak under IDS thresholds. Nmap will +@@ -924,7 +924,7 @@ + So Nmap will try to detect this and lower its rate of UDP probes + to one per second. + +- <B>--max_scan_delay</B> <B><milliseconds></B> ++ <B id="--max_scan_delay">--max_scan_delay</B> <B><milliseconds></B> + As noted above, Nmap will sometimes enforce a special delay + between sending packets. This can provide more accurate results + while reducing network congestion, but it can slow the scans +@@ -938,7 +938,7 @@ + + + </PRE> +-<H2>TARGET SPECIFICATION</H2><PRE> ++<H2 id="target">TARGET SPECIFICATION</H2><PRE> + Everything that isn’t an option (or option argument) in nmap is treated + as a target host specification. The simplest case is listing single + hostnames or IP addresses on the command line. If you want to scan a |