diff --git a/CHANGELOG b/CHANGELOG
index 04b2356e5..4e74d1b1a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,12 @@
# Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added a "times" table to the host table passed to scripts.
+ This table contains Nmap's timing data (srtt, the smoothed round
+ trip time; rttvar, the rtt variance; and timeout), all represented
+ as floating-point seconds. The ipidseq and qscan scripts were
+ updated to utilize the host's timeout value instead of the very
+ conservative guess of 3 seconds for read timeouts. [Kris]
+
o [Nmap, Nping] Fixed the fragmentation options (-f in Nmap, --mtu in
both) which broke in 5.35DC1. Instead of sending multiple fragments,
the original packet was sent whole. In some circumstances, sending
diff --git a/docs/scripting.xml b/docs/scripting.xml
index 6499a6c03..cf30f990d 100644
--- a/docs/scripting.xml
+++ b/docs/scripting.xml
@@ -1425,6 +1425,19 @@ LUALIB_API int luaopen_openssl(lua_State *L) {
+
+
+
+
+
+ This table contains Nmap's timing data for the host (see
+ ). This includes "srtt" (smoothed
+ round trip time), "rttvar" (round trip time variance), and "timeout"
+ (the probe timeout), all given in floating-point seconds.
+
+
+
+
diff --git a/nse_nmaplib.cc b/nse_nmaplib.cc
index d1895d2ec..185875ec4 100644
--- a/nse_nmaplib.cc
+++ b/nse_nmaplib.cc
@@ -145,6 +145,12 @@ void set_hostinfo(lua_State *L, Target *currenths) {
lua_setfield(L, -2, "bin_ip_src");
}
+ lua_newtable(L);
+ setnfield(L, -1, "srtt", (lua_Number) currenths->to.srtt / 1000000.0);
+ setnfield(L, -1, "rttvar", (lua_Number) currenths->to.rttvar / 1000000.0);
+ setnfield(L, -1, "timeout", (lua_Number) currenths->to.timeout / 1000000.0);
+ lua_setfield(L, -2, "times");
+
FingerPrintResults *FPR = currenths->FPR;
/* if there has been an os scan which returned a pretty certain
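Review bot: The new srtt and rttvar fields are exported unconditionally, so if Target::to still holds Nmap's unmeasured sentinel (I believe timing.cc initializes srtt and rttvar to -1 until the first RTT sample arrives) a script will read a negative number of seconds rather than nil, and nothing in the scripting.xml text in this commit warns it to expect that. Consider emitting those two fields only when they are non-negative, e.g. `if (currenths->to.srtt >= 0) setnfield(L, -1, "srtt", (lua_Number) currenths->to.srtt / 1000000.0);` with the same guard for rttvar, or else documenting the sentinel so scripts can check for it. A one-line comment on the divisor would also help, e.g. `/* Target::to stores microseconds; NSE scripts see floating-point seconds. */`. set_hostinfo begins before this hunk and continues past it.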
diff --git a/scripts/ipidseq.nse b/scripts/ipidseq.nse
index 71b249646..01d262a12 100644
--- a/scripts/ipidseq.nse
+++ b/scripts/ipidseq.nse
@@ -224,7 +224,7 @@ action = function(host)
pcap:pcap_open(host.interface, 104, 0, callback, "tcp and dst host " .. saddr .. " and src host " .. daddr .. " and src port " .. port)
- pcap:set_timeout(3000)
+ pcap:set_timeout(host.times.timeout * 1000)
local tcp = genericpkt(host, port)
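Review bot: The changed `pcap:set_timeout(host.times.timeout * 1000)` line takes Nmap's per-host timeout with no floor, and ipidseq waits once for each reply, so on a fast LAN where the computed timeout is small (it is bounded below by --min-rtt-timeout, whose default is a fraction of the old fixed 3 s, if I recall) a slightly late or forwarded response is now more likely to be missed than before. qscan in the same commit doubles the value for exactly that reason while ipidseq does not, which looks like an unintended inconsistency. Either apply the same factor here or keep a floor, e.g. `pcap:set_timeout(math.max(host.times.timeout * 1000, 1000))`, and add a one-line comment stating why that bound was chosen. The enclosing action function starts and ends outside the hunk.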
diff --git a/scripts/qscan.nse b/scripts/qscan.nse
index a6c702d02..a248df9ff 100644
--- a/scripts/qscan.nse
+++ b/scripts/qscan.nse
@@ -382,7 +382,13 @@ action = function(host)
try = nmap.new_try(function() sock:ip_close() end)
- pcap:set_timeout(3000)
+ -- Simply double the calculated host timeout to account for possible
+ -- extra time due to port forwarding or whathaveyou. Nmap has all
+ -- ready scanned this host, so the timing should have taken into
+ -- account some of the RTT differences, but I think it really depends
+ -- on how many ports were scanned and how many were forwarded where.
+ -- Play it safer here.
+ pcap:set_timeout(2 * host.times.timeout * 1000)
local tcp = genericpkt(host)
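Review bot: The comment block added above `pcap:set_timeout(2 * host.times.timeout * 1000)` reads as a first-person aside ("all ready" for "already", "whathaveyou", "I think") and will age poorly in a shipped script; a compact statement of the rationale serves maintainers better, e.g. `-- Nmap's timeout for this host is tuned for its own probes; double it so replies that take a detour (port forwarding, load balancing) are not dropped.` Since the comment itself admits the factor of two is a guess, it is worth a short TODO noting it has not been validated against real targets rather than leaving the uncertainty as prose. The enclosing action function continues outside the hunk.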