nmap Command in Linux with Practical Examples

When you need to see which hosts are online, which ports are open, or which service is listening on a remote system, nmap is usually the first tool to reach for. It is widely used for network inventory, service discovery, troubleshooting, and security reviews.

The nmap command can also detect service versions, guess the remote operating system, and run scripts for deeper checks. This guide explains the most useful nmap options in Linux through practical examples.

nmap Command Syntax #

Use the following syntax when running nmap:

nmap [OPTIONS] TARGET...

• OPTIONS - Scan type, host discovery, output, and detection flags such as -sn, -Pn, -sV, or -p.
• TARGET - One or more IP addresses, hostnames, CIDR ranges, or target lists.

Installing Nmap #

Nmap is available on all major operating systems, including Linux, BSD, macOS, and Windows.

If you prefer a GUI, Nmap also ships with Zenmap .

Official packages and installers are available from the Nmap download page .

Ubuntu, Debian, and Derivatives #

Nmap is available from the default Ubuntu and Debian repositories. To install it, run:

sudo apt update
sudo apt install nmap

Fedora, RHEL, and Derivatives #

On Fedora and other Red Hat derivatives, run:

sudo dnf install nmap

macOS #

macOS users can install Nmap by downloading the “.dmg” installation package from the Nmap site or via Homebrew:

brew install nmap

Windows #

The easiest way to install Nmap on Windows is to download and run the installer from the official site.

You can run it from Command Prompt, PowerShell, or Zenmap. For more details, check the post-install usage instructions .

Run a Basic nmap Scan #

Nmap is typically used to audit network security, network mapping, identify open ports, and search for online devices. For quick single-port checks or simple TCP/UDP tests, netcat is a lightweight alternative.

The simplest scan targets a single host without any extra options:

nmap scanme.nmap.org

When you run nmap as a regular user without raw packet privileges, it falls back to a TCP connect scan (-sT). That means Nmap asks the operating system to complete the TCP connection instead of crafting raw SYN packets itself.

The output includes the responsive host, latency, and the ports Nmap found open or filtered:

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 20:19 CET
Nmap scan report for cast.lan (192.168.10.121)
Host is up (0.048s latency).
Not shown: 981 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
143/tcp  open     imap
443/tcp  open     https
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
1025/tcp open     NFS-or-IIS
1080/tcp open     socks
8080/tcp open     http-proxy
8081/tcp open     blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds

In this example, Nmap reports several open TCP ports such as 22/tcp for SSH and 443/tcp for HTTPS. “Not shown” tells you how many scanned ports were closed and therefore omitted from the main list.

When to Use sudo nmap #

The most common follow-up question is when to run sudo nmap. On Linux, privileged scans allow Nmap to use raw packets, which enables SYN scanning (-sS) and some advanced detection features.

Run this command to use the default privileged TCP SYN scan:

sudo nmap 192.168.10.121

With sudo, Nmap usually switches to SYN scan (-sS). This is generally faster and lighter than a full TCP connect scan, which is why queries such as sudo nmap are so common.

If you want to be explicit, specify the scan type directly:

sudo nmap -sS 192.168.10.121

Use -v or -vv for more detailed progress information:

sudo nmap -vv 192.168.10.121

To perform a UDP scan, run nmap as root and add -sU:

sudo nmap -sU 192.168.10.121

UDP scans are slower because UDP does not confirm closed ports the same way TCP does. For that reason, it is often better to target only the ports you care about.

Nmap also supports IPv6 targets. To scan an IPv6 host, use -6:

sudo nmap -6 fd12:3456:789a:1::1

Specify Target Hosts #

Nmap treats every non-option argument as a target host.

The simplest form is to pass one or more IP addresses or hostnames:

nmap 192.168.10.121 host.to.scan

Use CIDR notation to scan a network range:

nmap 192.168.10.0/24

You can also use octet ranges. This example scans 192.168.10.1, 192.168.11.1, and 192.168.12.1:

nmap 192.168.10-12.1

Commas let you define multiple values in the same octet:

nmap 192.168.10,11,12.1

You can combine these forms in one command:

nmap 10.8-10.10,11,12.0/28 192.168.1-2.100,101

If you want to confirm the target list before scanning, use -sL:

nmap -sL 10.8-10.10,11,12.0/28 192.168.1-2.100,101

This lists the targets without performing a scan, which is useful when you are working with a large or complex range.

To exclude one or more hosts from a range, use --exclude:

nmap 10.8-10.10,11,12.0/28 --exclude 10.10.12.12

Scan Specific Ports #

By default, Nmap performs a quick scan for the 1000 most popular ports. These ports are not the first 1000 consecutive ports, but the 1000 most commonly used ports ranging from 1 to 65389.

To scan for all ports from 1 through 65535, use the -p- option:

nmap -p- 192.168.10.121

Each port can be in one of the following states:

• open - A service on the target accepted the connection or probe.
• closed - The host responded, but nothing is listening on that port.
• filtered - A firewall, packet filter, or network rule prevented Nmap from confirming the port state.

Ports and port ranges are specified with -p.

To scan only port 443, run:

nmap -p 443 192.168.10.121

To scan multiple ports, separate them with commas:

nmap -p 80,443 192.168.10.121

Use a dash for ranges. This example scans UDP ports 1 through 1024:

sudo nmap -sU -p 1-1024 192.168.10.121

You can combine ranges and individual ports:

nmap -p 1-1024,8080,9000 192.168.10.121

You can also use service names. For example, this scans the SSH port:

nmap -p ssh 192.168.10.121

Discover Live Hosts with -sn #

To perform host discovery without a port scan, use -sn:

sudo nmap -sn 192.168.10.0/24

This tells Nmap to find which hosts are up and skip the port scan stage. It is useful when you want a fast inventory of live systems on a subnet before deciding what to scan next.

Skip Host Discovery with -Pn #

By default, Nmap performs host discovery first and scans only hosts it believes are online. That behavior is efficient, but it can miss hosts when firewalls drop discovery probes.

Use -Pn to skip host discovery and treat every target as online:

sudo nmap -Pn 192.168.10.121

This is especially useful when a host blocks ping or other discovery probes but still has open ports you want to test. The tradeoff is speed: -Pn can make large scans much slower because Nmap attempts the requested scan against every target you specify.

If you see guidance online for -P0 or -PN, that refers to older Nmap syntax. The current option is -Pn.

Disable DNS Name Resolution #

Nmap’s default behavior is to perform reverse-DNS resolution for each discovered host, which increases the scan time.

When scanning large ranges, disabling DNS lookups can make the scan noticeably faster. Use -n:

sudo nmap -n 192.168.10.0/16

Detect Services, Versions, and OS Details #

To identify the service and version behind an open port, use -sV:

sudo nmap -sV scanme.nmap.org

This helps when the port number alone is not enough, especially if a service is running on a non-standard port.

...
PORT      STATE    SERVICE      VERSION
19/tcp    filtered chargen
22/tcp    open     ssh          OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http         Apache httpd 2.4.7 ((Ubuntu))
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
9929/tcp  open     nping-echo   Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...

To attempt operating system detection, use -O:

sudo nmap -O scanme.nmap.org

If Nmap can fingerprint the remote system, the output looks similar to this:

...
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.4
Network Distance: 18 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.47 seconds

If you want OS detection, version detection, default scripts, and traceroute in one command, use -A:

sudo nmap -A 192.168.10.121

Aggressive scan mode is useful during focused testing, but it is heavier and slower than a basic scan. It is usually better to start small and add options as needed.

Save nmap Output #

By default, Nmap prints the information to standard output (stdout).

If you scan a large network or need to keep the results, save the output to a file.

To save the normal human-readable output, use -oN:

sudo nmap -sU -p 1-1024 192.168.10.121 -oN output.txt

To save XML output for later parsing or import into other tools, use -oX:

sudo nmap -sU -p 1-1024 192.168.10.121 -oX output.xml

If you want normal, XML, and grepable output files in one run, use -oA with a base filename:

sudo nmap -sV 192.168.10.121 -oA scan-results

This creates files such as scan-results.nmap and scan-results.xml.

Nmap still supports grepable output with -oG, which can be processed with tools such as grep , awk , and cut . However, the Nmap documentation treats grepable output as deprecated, so XML is the better choice for new automation.

Use the Nmap Scripting Engine #

One of the most powerful features of Nmap is its scripting engine. Nmap ships with hundreds of scripts , and you can also write your own scripts in the Lua language.

You can use scripts to gather extra information, test specific services, and automate common checks.

For example, this script checks a web target against a malware host list:

nmap -sV --script http-malware-host scanme.nmap.org

Because NSE scripts range from simple information gathering to intrusive checks, review the script before running it against production systems.

Quick Reference #

Troubleshooting #

Host appears down, but you know it is online
Try -Pn to skip host discovery. Some firewalls drop the probes Nmap uses to decide whether a host is up.

UDP scan is taking too long
Limit the ports with -p instead of scanning large UDP ranges. UDP scans are slower and often return less clear feedback than TCP scans.

DNS lookups are slowing the scan
Add -n to skip reverse DNS resolution, especially when scanning large networks.

You are not seeing SYN scan behavior
Run the command with sudo or specify -sS. Without raw packet privileges, Nmap falls back to TCP connect scan.

Conclusion #

The nmap command is one of the most useful Linux tools for host discovery, port scanning, and service detection. If you want a lighter tool for quick socket tests, see netcat next.

About the authors

Dejan Panovski

Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.

View author page