The nmap Command

nmap (Network Mapper) discovers which hosts are online and which ports are open — used by network admins for inventory, by security teams for audits, and by developers to verify that firewall rules work as intended. Only scan networks you own or have permission to scan.

What nmap Does

nmap sends crafted packets to target hosts and analyzes the responses to determine which hosts are reachable, which TCP and UDP ports are open, what services are running on those ports, and often which operating system is running. It works by exploiting the way TCP/IP stacks respond differently to various types of probe packets.

The tool has legitimate uses in every phase of network management: initial inventory of a new network, ongoing audit of firewall rules, verification that a newly deployed service is reachable, and identification of unexpected open ports that indicate misconfiguration or compromise. Only ever run nmap against systems you own or have explicit written authorization to scan — unauthorized scanning is illegal in most jurisdictions.

Scan Types

nmap supports multiple scanning techniques, each with different tradeoffs between speed, stealth, and required privileges.

Flag  Scan Type                            Requires Root  Notes
-sS   SYN (half-open) scan                 Yes            Default when run as root. Fast, leaves fewer log entries — never completes the handshake.
-sT   TCP connect scan                     No             Default for unprivileged users. Completes the full handshake — slower but works through NAT.
-sU   UDP scan                             Yes            Slow — UDP has no handshake; open ports often don't respond at all.
-sn   Ping sweep (no port scan)            No             Just discovers which hosts are online. Fast way to inventory a subnet.
-sV   Service version detection            No             Probes open ports to identify the service name and version.
-O    OS detection                         Yes            Fingerprints the TCP/IP stack against nmap's OS database.
-A    Aggressive (OS + version + scripts)  Yes            Combines -O, -sV, script scanning, and traceroute in one pass.

Basic Usage

The simplest scan probes the top 1,000 TCP ports on a single host:

nmap 192.168.1.1

To scan your entire home subnet for live hosts without touching ports:

nmap -sn 192.168.1.0/24

To scan specific ports, use -p. A single port, a range, or a comma-separated list all work:

nmap -p 22,80,443 192.168.1.1
nmap -p 1-1024 192.168.1.1
nmap -p- 192.168.1.1        # all 65535 ports

Reading nmap Output

Each port in the results has one of three states. Open means a service responded to the probe — the port is reachable and something is listening. Closed means the host is reachable but nothing is listening — it responded with a TCP RST. Filtered means nmap sent probes but got no response, typically because a firewall is silently dropping packets. Filtered ports are the hardest to interpret because silence is ambiguous.

PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 8.9 (protocol 2.0)
80/tcp   open   http     nginx 1.24.0
443/tcp  open   ssl/http nginx 1.24.0
3306/tcp closed mysql

The -sV flag adds the version column, which identifies the specific software and version behind each open port — useful for checking whether a service is up to date.

Timing Templates

nmap's -T flag controls the scan speed from 0 (paranoid — one probe every 5 minutes) to 5 (insane — maximum parallelism). -T3 is the default. -T4 is faster and appropriate for most local network scans. -T5 can cause packet loss on slow links and produce inaccurate results. For scanning over the internet, -T3 or -T2 is safer.

Saving Output

nmap can write results in several formats. -oN file.txt saves normal human-readable output. -oX file.xml saves structured XML that other tools can parse. -oG file.gnmap saves greppable output. -oA basename saves all three formats simultaneously with the given base filename.
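The XML written by -oX is the format to parse when you want to act on the port states described under "Reading nmap Output" instead of eyeballing them. The following is an added example, not code from the original article: it parses a constructed -oX document that mirrors the sample table above (plus one filtered port), and flags open ports that are missing from a hypothetical per-host baseline, which is how the "unexpected open ports" audit mentioned earlier can be automated.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output (the element layout nmap writes), mirroring the
# article's sample table plus one filtered port; trimmed to the attributes used.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.1">
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.24.0"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.24.0" tunnel="ssl"/></port>
<port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
<port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
</ports></host></nmaprun>"""

# Hypothetical baseline a defender maintains: ports expected to be open per host.
EXPECTED_OPEN = {"192.168.1.1": {22, 443}}

def parse_ports(xml_text):
    """Return {addr: [(port, proto, state, service, version)]} for hosts that are up."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts are listed only with -v and carry no <ports>
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        entries = []
        for port in host.iter("port"):
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            # product/version attributes are present only when the scan used -sV
            ver = " ".join(filter(None, (attrs.get("product"), attrs.get("version"))))
            entries.append((int(port.get("portid")), port.get("protocol"),
                            port.find("state").get("state"), attrs.get("name", ""), ver))
        results[addr] = entries
    return results

def unexpected_open(results, expected):
    """Open ports absent from the baseline: misconfiguration or compromise candidates."""
    flagged = {}
    for addr, entries in results.items():
        extra = sorted(p for p, _, state, _, _ in entries
                       if state == "open" and p not in expected.get(addr, set()))
        if extra:
            flagged[addr] = extra
    return flagged

if __name__ == "__main__":
    print(unexpected_open(parse_ports(SAMPLE_XML), EXPECTED_OPEN))  # {'192.168.1.1': [80]}
```

Closed and filtered ports are kept in the parsed entries but never flagged, since only an open port is actually exposing a service.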

nmap vs netstat and ss

An important distinction: netstat and ss show the socket state from inside the host — they read the kernel's socket table. nmap scans from outside the host — it sends actual network packets and observes responses. A port may show as LISTEN in netstat but appear filtered in nmap if a firewall intercepts the traffic before it reaches the host. Using both tools together gives a complete picture: netstat confirms a service is running, nmap confirms it is actually reachable from the network.
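The inside/outside comparison above can be scripted. This is an added example, not code from the original article: it parses a constructed ss -ltn capture (the host's own socket table) and a constructed nmap -oG line for the same host (the greppable format from "Saving Output"), then explains each port by combining the two views, so a LISTEN socket that nmap reports as filtered stands out as a firewall issue rather than a dead service.

```python
import re

# Constructed `ss -ltn` output, captured on the scanned host itself (inside view).
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128             [::]:443           [::]:*
"""

NMAP_GNMAP = (  # constructed nmap -oG line for the same host, scanned from another LAN machine
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///, "
    "443/open/tcp//https///, 3306/closed/tcp//mysql///\tIgnored State: closed (996)")

def parse_ss(text):
    """Return {port: bind_address} for every LISTEN socket in ss -ltn output."""
    listening = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "LISTEN":
            addr, port = fields[3].rsplit(":", 1)  # works for 0.0.0.0:22 and [::]:443
            listening[int(port)] = addr
    return listening

def parse_gnmap(line):
    """Return {port: state} for the TCP entries in the Ports: field of one -oG line."""
    ports_field = re.search(r"Ports: ([^\t]+)", line).group(1)
    entries = (e.split("/") for e in ports_field.split(", "))
    return {int(port): state for port, state, proto, *_ in entries if proto == "tcp"}

def reconcile(listening, scanned):
    """Combine the inside view (ss) and the outside view (nmap) into one verdict per port."""
    verdicts = {}
    for port in sorted(set(listening) | set(scanned)):
        bind, state = listening.get(port), scanned.get(port, "unscanned")
        if bind is None:
            verdicts[port] = "no local listener" + (", yet open from outside: proxy or NAT in path?" if state == "open" else "")
        elif bind in ("127.0.0.1", "[::1]"):
            verdicts[port] = "loopback only, not exposed"  # nmap should report closed or filtered
        elif state == "open":
            verdicts[port] = "listening and reachable"
        else:  # filtered: a firewall drops the probes; closed: the host or a firewall answers with RST
            verdicts[port] = f"listening, but externally {state}"
    return verdicts

if __name__ == "__main__":
    print(reconcile(parse_ss(SS_OUTPUT), parse_gnmap(NMAP_GNMAP)))
```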

Frequently Asked Questions

Is nmap legal to use?

nmap is legal on networks and systems you own or have explicit written permission to scan. Unauthorized scanning is illegal under computer crime laws in most countries. Always restrict nmap to your own home network, servers you administer, or environments where you have documented authorization.

How do I scan all ports on a host with nmap?

Use nmap -p- [target] to scan all 65,535 TCP ports. By default nmap only scans the top 1,000 most commonly used ports. A full port scan takes longer — use -T4 to speed it up on a fast local network.

What is the difference between a SYN scan and a TCP connect scan?

A SYN scan (-sS) sends a SYN packet, waits for SYN-ACK, then sends RST without completing the handshake — it's faster and generates fewer log entries. A TCP connect scan (-sT) completes the full three-way handshake. The connect scan is slower but doesn't require root privileges and works correctly through NAT.

How do I scan an entire subnet with nmap?

Use CIDR notation: nmap 192.168.1.0/24 scans all 254 usable addresses. Add -sn for a ping sweep only — just discovering which hosts are online without scanning ports, which is much faster.

What does "filtered" mean in nmap output?

Filtered means nmap's probes got no response — a firewall is likely dropping the packets silently. This is distinct from "closed" (host responded with RST, port is reachable but nothing listening) and "open" (service responded). Filtered is the hardest state to interpret because silence could also mean the host is offline or the packets were lost in transit.

How do I detect the OS of a remote host with nmap?

Use sudo nmap -O [target]. nmap compares the target's TCP/IP stack behavior against its fingerprint database and reports the most likely OS with a confidence percentage. OS detection is most accurate when at least one open and one closed port are discovered on the target.
