Enter a Linux command to search for:
View our main Linux page

NMAP(1)                      Nmap Reference Guide                      NMAP(1)

       nmap - Network exploration tool and security / port scanner

       nmap [Scan Type...] [Options] {target specification}

       Nmap ("Network Mapper") is an open source tool for network exploration
       and security auditing. It was designed to rapidly scan large networks,
       although it works fine against single hosts. Nmap uses raw IP packets
       in novel ways to determine what hosts are available on the network,
       what services (application name and version) those hosts are offering,
       what operating systems (and OS versions) they are running, what type of
       packet filters/firewalls are in use, and dozens of other
       characteristics. While Nmap is commonly used for security audits, many
       systems and network administrators find it useful for routine tasks
       such as network inventory, managing service upgrade schedules, and
       monitoring host or service uptime.

       The output from Nmap is a list of scanned targets, with supplemental
       information on each depending on the options used. Key among that
       information is the "interesting ports table"..  That table lists the
       port number and protocol, service name, and state. The state is either
       open, filtered, closed, or unfiltered.  Open.  means that an
       application on the target machine is listening for connections/packets
       on that port.  Filtered.  means that a firewall, filter, or other
       network obstacle is blocking the port so that Nmap cannot tell whether
       it is open or closed.  Closed.  ports have no application listening on
       them, though they could open up at any time. Ports are classified as
       unfiltered.  when they are responsive to Nmap's probes, but Nmap cannot
       determine whether they are open or closed. Nmap reports the state
       combinations open|filtered.  and closed|filtered.  when it cannot
       determine which of the two states describe a port. The port table may
       also include software version details when version detection has been
       requested. When an IP protocol scan is requested (-sO), Nmap provides
       information on supported IP protocols rather than listening ports.

       In addition to the interesting ports table, Nmap can provide further
       information on targets, including reverse DNS names, operating system
       guesses, device types, and MAC addresses.

       A typical Nmap scan is shown in Example 1. The only Nmap arguments used
       in this example are -A, to enable OS and version detection, script
       scanning, and traceroute; -T4 for faster execution; and then the two
       target hostnames.

       Example 1. A representative Nmap scan

           # nmap -A -T4 scanme.nmap.org

           Nmap scan report for scanme.nmap.org (
           Host is up (0.029s latency).
           rDNS record for li86-221.members.linode.com
           Not shown: 995 closed ports
           PORT     STATE    SERVICE     VERSION
           22/tcp   open     ssh         OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
           | ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
           |_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
           80/tcp   open     http        Apache httpd 2.2.14 ((Ubuntu))
           |_http-title: Go ahead and ScanMe!
           646/tcp  filtered ldp
           1720/tcp filtered H.323/Q.931
           9929/tcp open     nping-echo  Nping echo
           Device type: general purpose
           Running: Linux 2.6.X
           OS CPE: cpe:/o:linux:linux_kernel:2.6.39
           OS details: Linux 2.6.39
           Network Distance: 11 hops
           Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

           TRACEROUTE (using port 53/tcp)
           HOP RTT      ADDRESS
           [Cut first 10 hops for brevity]
           11  17.65 ms li86-221.members.linode.com (

           Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

       The newest version of Nmap can be obtained from http://nmap.org. The
       newest version of this man page is available at
       http://nmap.org/book/man.html.  It is also included as a chapter of
       Nmap Network Scanning: The Official Nmap Project Guide to Network
       Discovery and Security Scanning (see http://nmap.org/book/).

       This options summary is printed when Nmap is run with no arguments, and
       the latest version is always available at
       https://svn.nmap.org/nmap/docs/nmap.usage.txt. It helps people remember
       the most common options, but is no substitute for the in-depth
       documentation in the rest of this manual. Some obscure options aren't
       even included here.

           Nmap 6.40 ( http://nmap.org )
           Usage: nmap [Scan Type(s)] [Options] {target specification}
             Can pass hostnames, IP addresses, networks, etc.
             Ex: scanme.nmap.org, microsoft.com/24,; 10.0.0-255.1-254
             -iL : Input from list of hosts/networks
             -iR : Choose random targets
             --exclude : Exclude hosts/networks
             --excludefile : Exclude list from file
           HOST DISCOVERY:
             -sL: List Scan - simply list targets to scan
             -sn: Ping Scan - disable port scan
             -Pn: Treat all hosts as online -- skip host discovery
             -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
             -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
             -PO[protocol list]: IP Protocol Ping
             -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
             --dns-servers : Specify custom DNS servers
             --system-dns: Use OS's DNS resolver
             --traceroute: Trace hop path to each host
             -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
             -sU: UDP Scan
             -sN/sF/sX: TCP Null, FIN, and Xmas scans
             --scanflags : Customize TCP scan flags
             -sI : Idle scan
             -sY/sZ: SCTP INIT/COOKIE-ECHO scans
             -sO: IP protocol scan
             -b : FTP bounce scan
             -p : Only scan specified ports
               Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
             -F: Fast mode - Scan fewer ports than the default scan
             -r: Scan ports consecutively - don't randomize
             --top-ports : Scan  most common ports
             --port-ratio : Scan ports more common than 
             -sV: Probe open ports to determine service/version info
             --version-intensity : Set from 0 (light) to 9 (try all probes)
             --version-light: Limit to most likely probes (intensity 2)
             --version-all: Try every single probe (intensity 9)
             --version-trace: Show detailed version scan activity (for debugging)
           SCRIPT SCAN:
             -sC: equivalent to --script=default
             --script=:  is a comma separated list of
                      directories, script-files or script-categories
             --script-args=: provide arguments to scripts
             --script-args-file=filename: provide NSE script args in a file
             --script-trace: Show all data sent and received
             --script-updatedb: Update the script database.
             --script-help=: Show help about scripts.
                       is a comma separted list of script-files or
           OS DETECTION:
             -O: Enable OS detection
             --osscan-limit: Limit OS detection to promising targets
             --osscan-guess: Guess OS more aggressively
             Options which take 

View our main Linux page