User Tools

Site Tools


If you want to send us your comments, please do so. Thanks
More on comments


Based on nmap 6.00 The reference guide can be found at the nmap reference guide page

GeoIP databases

Used Options



to see a list with the most common options. For the up to date list of the latest nmap version see the nmap.usage.txt file
More information can be found in the manpage

man nmap

Runtime options

dIncrease debugging levelHandy during portscan to see which ports are being scanned
DDecrease debugging level
vIncrease verbosity
VDecrease verbosity
pTurn on packet tracing
PTurn off packet tracing
?Print out a status messageValid for any other key. ? is just an example (and meaning every single character)
-dxDebugging / verbosity levelx 0-9. If -v (verbose) is not enough. The higher the number the more output
-AAggressive scan optionsPresently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute).. More features may be added in the future
-nNo DNS resolution
-OEnable OS detection
-O -vNow it gets visible if a forged TCP connection attack is possible
-pOnly scan specified ports / port rangesExamples: -p 1,2,3,4,5 -p 0-65535
-PnNo pingSkips host up discovery. Scans with the requested scanning functions against every target IP address specified
-PYSCTP INIT PingSCTP: Stream Control Transmission Protocol. There can be no space between -PY and the port list. Example: -PY22,80,179,5060
-sFFIN scan. Sets just the TCP FIN bitTo close a TCP connection the FIN and ACK bits have to be set
-sLLists each host on the network(s)
-snNo port scanList the hosts that respond to the scan
-sNNull scanDoes not set any bits (TCP flag header is 0)
-sOIP protocol scanDetermine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. It cycles through IP protocol numbers rather than TCP or UDP port numbers
-sSTCP SYN scanPerforms quick scanning of thousands of ports per second on a fast network not hampered by restrictive firewalls
-sTTCP connect scanThe default TCP scan type when SYN scan is not an option
-T4Set a timing template, the scan agressiveness. -T[0-5]Or with words -T paranoid (= -T0), sneaky (= -T1), polite (= -T2), normal (= -T3), aggressive (= -T4), insane (= -T5)
--tracerouteTracerouteCan omit some hosts compared to the traceroute command (which can omit hosts after a certain point)
--scan-delay 2Take action every 2 seconds
--stats-every 2Show an update on the progress every 2 secondsHitting the spacebar also gives an progress update

Command examples

Output example

Nmap scan report for
Host is up (0.0072s latency).
Not shown: 997 closed ports
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: TheMACaddress (The name of the manufacturer of the equipment. If not available: Unknown)

nmap IP adress is not clear to us which implicit options are used
nmap the given IP addresses
nmap the[0-2] IP addresses. This is the same as the previous example
nmap the 192.168.1.[0-255] network
nmap -A -T4
nmap -A -T4
nmap -n -p 1080
nmap -n -p1-65535
nmap -n -Pn -p 22
nmap -O
nmap -v -PE scan with extra information about fonund hosts
nmap -PY
nmap -PY22,23
nmap -sF -p 22 -O
nmap -sF -p22 -O
nmap -sL
nmap -sL
nmap -sL -O
nmap -sL -p 22
nmap -sL -sN -O
nmap -sn
nmap -sN
nmap -sn
nmap -sN
nmap -sn -O
nmap -sn -O -p 22
nmap -sn -v grep -v down
nmap -v -sn | grep -v "host down" | grep "scan report"Shows al list of hosts that are probably up
nmap -sO -p22
nmap -sO -p22 -O
nmap -sO -v
nmap -sS
nmap -sS
nmap -sS
nmap -sS -O
nmap -sS -O -v
nmap -sS -p 1-65535
nmap -sS -v
nmap -sT -Pn
nmap -sT -Pn -O
nmap -v --stats-every 10s -Pn -sT -p 0-65535 all ports on IP address and show the status of the scan every 10 seconds
nmap -v –stats-every 30s -sS -p 0-65535 all ports on IP address and show the status of the scan every 10 seconds
nmap --scan-delay 0.5 -vv --stats-every 10s -Pn -sT -p 15000-65535 every 0,5 seconds, very verbose, stats every 10 seconds, skip host discovery, TCP connect scan (use -sS if posible) Scan given ports on given IPnumber
nmap -sL -vv --stats-every 1s out which hosts are on the networkThis is fast
nmap -v -PR -sn grep -v “host down” grep 'MAC Address:\

Alternative and fast portscanner using parallel and some nice output coloring (syntax)

Main subjects on this wiki: Linux, Debian, HTML, Microcontrollers, Privacy

Privacy statement
Bugs statement
Copyright © : 2014 - 2021 and the authors
Changes reserved.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
network_nmap.txt · Last modified: 14-09-2021 22:36 by wim