Enter a Linux command to search for:
View our main Linux page

NMAP(1)                      Nmap Reference Guide                      NMAP(1)

       nmap - Network exploration tool and security / port scanner

       nmap [Scan Type...] [Options] {target specification}

       Nmap ("Network Mapper") is an open source tool for network exploration
       and security auditing. It was designed to rapidly scan large networks,
       although it works fine against single hosts. Nmap uses raw IP packets
       in novel ways to determine what hosts are available on the network,
       what services (application name and version) those hosts are offering,
       what operating systems (and OS versions) they are running, what type of
       packet filters/firewalls are in use, and dozens of other
       characteristics. While Nmap is commonly used for security audits, many
       systems and network administrators find it useful for routine tasks
       such as network inventory, managing service upgrade schedules, and
       monitoring host or service uptime.

       The output from Nmap is a list of scanned targets, with supplemental
       information on each depending on the options used. Key among that
       information is the "interesting ports table"..  That table lists the
       port number and protocol, service name, and state. The state is either
       open, filtered, closed, or unfiltered.  Open.  means that an
       application on the target machine is listening for connections/packets
       on that port.  Filtered.  means that a firewall, filter, or other
       network obstacle is blocking the port so that Nmap cannot tell whether
       it is open or closed.  Closed.  ports have no application listening on
       them, though they could open up at any time. Ports are classified as
       unfiltered.  when they are responsive to Nmap's probes, but Nmap cannot
       determine whether they are open or closed. Nmap reports the state
       combinations open|filtered.  and closed|filtered.  when it cannot
       determine which of the two states describe a port. The port table may
       also include software version details when version detection has been
       requested. When an IP protocol scan is requested (-sO), Nmap provides
       information on supported IP protocols rather than listening ports.

       In addition to the interesting ports table, Nmap can provide further
       information on targets, including reverse DNS names, operating system
       guesses, device types, and MAC addresses.

       A typical Nmap scan is shown in Example 1. The only Nmap arguments used
       in this example are -A, to enable OS and version detection, script
       scanning, and traceroute; -T4 for faster execution; and then the two
       target hostnames.

       Example 1. A representative Nmap scan

           # nmap -A -T4 scanme.nmap.org

           Starting Nmap ( http://nmap.org )
           Interesting ports on scanme.nmap.org (
           Not shown: 994 filtered ports
           22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
           25/tcp  closed smtp
           53/tcp  open   domain  ISC BIND 9.3.4
           70/tcp  closed gopher
           80/tcp  open   http    Apache httpd 2.2.2 ((Fedora))
           |_ HTML title: Go ahead and ScanMe!
           113/tcp closed auth
           Device type: general purpose
           Running: Linux 2.6.X
           OS details: Linux 2.6.20-1 (Fedora Core 5)

           TRACEROUTE (using port 80/tcp)
           HOP RTT   ADDRESS
           [Cut first seven hops for brevity]
           8   10.59 so-4-2-0.mpr3.pao1.us.above.net (
           9   11.00 metro0.sv.svcolo.com (
           10  9.93  scanme.nmap.org (

           Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds

       The newest version of Nmap can be obtained from http://nmap.org. The
       newest version of this man page is available at
       http://nmap.org/book/man.html.  It is also included as a chapter of
       Nmap Network Scanning: The Official Nmap Project Guide to Network
       Discovery and Security Scanning (see http://nmap.org/book/).

       This options summary is printed when Nmap is run with no arguments, and
       the latest version is always available at
       http://nmap.org/data/nmap.usage.txt. It helps people remember the most
       common options, but is no substitute for the in-depth documentation in
       the rest of this manual. Some obscure options aren't even included

           Nmap 5.21 ( http://nmap.org )
           Usage: nmap [Scan Type(s)] [Options] {target specification}
             Can pass hostnames, IP addresses, networks, etc.
             Ex: scanme.nmap.org, microsoft.com/24,; 10.0.0-255.1-254
             -iL : Input from list of hosts/networks
             -iR : Choose random targets
             --exclude : Exclude hosts/networks
             --excludefile : Exclude list from file
           HOST DISCOVERY:
             -sL: List Scan - simply list targets to scan
             -sP: Ping Scan - go no further than determining if host is online
             -PN: Treat all hosts as online -- skip host discovery
             -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
             -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
             -PO[protocol list]: IP Protocol Ping
             -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
             --dns-servers : Specify custom DNS servers
             --system-dns: Use OS's DNS resolver
             --traceroute: Trace hop path to each host
             -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
             -sU: UDP Scan
             -sN/sF/sX: TCP Null, FIN, and Xmas scans
             --scanflags : Customize TCP scan flags
             -sI : Idle scan
             -sY/sZ: SCTP INIT/COOKIE-ECHO scans
             -sO: IP protocol scan
             -b : FTP bounce scan
             -p : Only scan specified ports
               Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
             -F: Fast mode - Scan fewer ports than the default scan
             -r: Scan ports consecutively - don't randomize
             --top-ports : Scan  most common ports
             --port-ratio : Scan ports more common than 
             -sV: Probe open ports to determine service/version info
             --version-intensity : Set from 0 (light) to 9 (try all probes)
             --version-light: Limit to most likely probes (intensity 2)
             --version-all: Try every single probe (intensity 9)
             --version-trace: Show detailed version scan activity (for debugging)
           SCRIPT SCAN:
             -sC: equivalent to --script=default
             --script=:  is a comma separated list of
                      directories, script-files or script-categories
             --script-args=: provide arguments to scripts
             --script-trace: Show all data sent and received
             --script-updatedb: Update the script database.
           OS DETECTION:
             -O: Enable OS detection
             --osscan-limit: Limit OS detection to promising targets
             --osscan-guess: Guess OS more aggressively
             Options which take 

View our main Linux page