Nmap Commands for Beginners: Simple Scanning Tips

Learn essential Nmap commands for beginners, from basic scans to advanced techniques, in this comprehensive guide.

Author: Joshua James | Read time: 13 min | Guide type: Linux Commands

Network checks go wrong fast when the target range is too broad or the scan type does not match the question. The core Nmap commands in Linux keep the first pass controlled: list targets, find live hosts, scan chosen TCP or UDP ports, identify services, and save results before moving into heavier scans.

Only scan networks and systems you own or have explicit written permission to test. Unauthorized scanning can violate laws, contracts, and acceptable-use policies. Practice on your own network, an authorized lab, or the public scanme.nmap.org host that the Nmap project provides for learning.

Understand Nmap Commands in Linux

How Nmap Probes Your Network

Nmap sends small network probes to a target and records the replies. A simple scan answers whether common TCP ports are open, while extra flags can switch to host discovery, UDP checks, service fingerprinting, operating-system guesses, or report output.

The target can be one host, a hostname, a CIDR subnet, an octet range, or a file of approved targets. Start with the smallest scope that answers your question, then widen the scan only when the first result is not enough.

Basic Nmap Command Syntax

Nmap commands follow this pattern:

nmap [scan_type] [scan_options] <target_specification>
  • scan_type: Optional flags that change how Nmap probes a host, such as -sS for TCP SYN scans, -sT for TCP connect scans, or -sU for UDP scans.
  • scan_options: Modifiers that adjust ports, timing, output, or detection features, including -p, -T4, -v, -sV, and -oN.
  • <target_specification>: The host or network to scan, such as 192.168.1.50, scanme.nmap.org, 192.168.1.0/24, or a file supplied with -iL.

Essential Nmap Command Quick Reference

Task | Command Pattern | What It Does
Scan one host | nmap 192.168.1.50 | Scans the default set of common TCP ports on one target.
Find live hosts | nmap -sn 192.168.1.0/24 | Runs host discovery without a port scan.
List targets first | nmap -sL 192.168.1.0/29 | Expands a target range without sending probes to those hosts.
Scan selected ports | nmap -p 22,80,443 192.168.1.50 | Checks only the ports you name.
Scan all TCP ports | nmap -p- 192.168.1.50 | Checks TCP ports 1 through 65535.
Quick scan | nmap -F 192.168.1.50 | Scans fewer common ports than the default scan.
Check UDP ports | sudo nmap -sU -p 53,123,161 192.168.1.50 | Scans selected UDP ports, which are slower and less predictable than TCP.
Detect services | nmap -sV 192.168.1.50 | Fingerprints open ports to identify service names and versions.
Save normal output | nmap -oN scan-results.txt 192.168.1.50 | Writes the human-readable report to a file.

A plain nmap target command scans TCP ports only. By default, Nmap scans the most common 1,000 ports for each scanned protocol; add -sU when you specifically need UDP. With root privileges, the default TCP scan is usually a SYN scan; without raw-packet privileges, Nmap falls back to a TCP connect scan.

Default Nmap Scan Example

Scan the public Nmap practice host when you want a safe external example:

nmap scanme.nmap.org

A default scan checks common TCP ports and reports their state. The exact open ports can change, but the output layout stays consistent:

Starting Nmap 7.98 ( https://nmap.org )
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up.
Not shown: 997 closed tcp ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo
Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds

PORT shows the protocol and port number, STATE shows how Nmap interpreted the response, and SERVICE shows the common service name for that port.

Install Nmap on Linux

Many Linux systems do not install Nmap by default, but the package is available from the major distribution repositories. Check for the binary first:

command -v nmap

Expected output shows the installed path:

/usr/bin/nmap

If the command is missing, install Nmap with your distribution’s package manager.

Ubuntu and Debian-based distributions:

sudo apt update
sudo apt install nmap

Fedora, RHEL, Rocky Linux, and AlmaLinux:

sudo dnf install nmap

Arch Linux and Manjaro:

sudo pacman -S nmap

openSUSE:

sudo zypper install nmap

Alpine Linux:

sudo apk add nmap

Gentoo:

sudo emerge --ask net-analyzer/nmap

Void Linux:

sudo xbps-install -S nmap

Check the Installed Nmap Version

Print the first version line after installation:

nmap --version | sed -n '1p'

Relevant output starts with the Nmap version line:

Nmap version 7.98 ( https://nmap.org )

The exact number varies because distributions package different Nmap releases.

For distro-specific package details, use Install Nmap on Ubuntu, Install Nmap on Debian, Install Nmap on Fedora, or Install Nmap on Arch Linux. Ncat belongs to the Nmap project, but it is a different command for reading and writing network connections; use nmap for scanning.

Practical Nmap Command Examples and Use Cases

These common scenarios show which Nmap command pattern fits the job:

  • Home network inventory: Discover connected devices and spot unknown systems with nmap -sn 192.168.1.0/24 before you run a deeper scan.
  • Server security audit: Before deploying a server to production, scan it to verify only intended services are exposed. For instance, run sudo nmap -sV -p- 203.0.113.10 to check all TCP ports and service versions on an authorized server.
  • Troubleshooting connectivity: When a service is not responding, use Nmap to verify whether the port is open and what is running. Example: nmap -p 22,80,443 192.168.1.50 quickly checks SSH and web services.
  • Vulnerability assessment preparation: Identify software versions running on network devices so you can check the exposed services against vendor advisories or CVE databases. The -sV flag reveals version details when the service responds to fingerprinting probes.
  • Learning network protocols: Practice in lab environments to see how TCP, UDP, filtering, and service banners change scan results.

Specify Targets with Nmap Commands

Nmap accepts single hosts, subnet notation, address ranges, and input files. Confirm the target form before you run a real scan, especially when a range could expand into more hosts than expected.

Nmap Command for Scanning a Single Host (IP or Hostname)

The simplest scan targets one approved IP address or hostname.

Command:

nmap 192.168.1.50

Alternatively, using a hostname:

nmap scanme.nmap.org

This command performs a default scan against the specified host. If you provide a hostname, Nmap resolves it with DNS before scanning. The official Nmap target specification documentation covers the full target syntax.

Relevant output includes:

Starting Nmap 7.98 ( https://nmap.org )
Nmap scan report for 192.168.1.50
Host is up (0.0020s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
Nmap done: 1 IP address (1 host up) scanned in 4.52 seconds

Interpreting the Output:

  • Host is up: Confirms the target is online and responsive.
  • Not shown: 997 filtered ports: Indicates that out of the default 1000 ports scanned, 997 did not respond or their state could not be definitively determined (often due to a firewall).
  • PORT STATE SERVICE: Lists the open ports, their state (e.g., open), and the common service associated with that port (e.g., SSH for port 22).

Understand Nmap Port States

Nmap port states are compact, but each one carries a different next step. open means an application accepted the probe, closed means the host replied but no service is listening there, and filtered usually means a firewall or packet filter blocked a clear answer.

You may also see unfiltered in ACK-style scans or open|filtered when Nmap cannot tell whether a UDP or unusual TCP port is open or silently filtered. Treat those mixed states as a prompt to narrow the ports, check firewall policy, or add service detection instead of assuming the service is reachable.

Nmap Command for Scanning an Entire Subnet (CIDR Notation)

To scan an entire network segment, CIDR (Classless Inter-Domain Routing) notation is commonly used.

Run the scan against the subnet you own or administer:

nmap 192.168.1.0/24

This scans all 256 addresses in 192.168.1.0/24, from 192.168.1.0 through 192.168.1.255. Use -sn instead when you only need to discover live hosts and do not want a port scan.

A subnet scan expands quickly. Use -sL first when you are not sure how many addresses a target expression covers.

Nmap Commands for Octet Range Scanning

For more granular control than CIDR, you can specify ranges for parts (octets) of an IP address.

Command:

nmap 192.168.1.100-150

This command scans IP addresses from 192.168.1.100 to 192.168.1.150. You can use ranges in any octet, so 192.168.1-3.100 expands to 192.168.1.100, 192.168.2.100, and 192.168.3.100.

Nmap Command for Scanning Targets from a File -iL

For repeatable scans, save approved targets in a file and tell Nmap to read from it.

File Content (e.g., targets.txt):

192.168.1.1
192.168.1.2
scanme.nmap.org
10.0.0.0/24

Command:

nmap -iL targets.txt

Nmap reads each line from targets.txt and scans the specified hosts or networks. Each entry can use normal Nmap target syntax, including IP addresses, hostnames, CIDR ranges, and octet ranges. The official input-file documentation explains the full -iL behavior.
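An offline complement to the target forms above, as an added example that is not part of the original guide: it counts how many IPv4 addresses a list of CIDR, octet-range, and hostname entries covers, and refuses a list that exceeds a limit you set. The function names are hypothetical, a hostname is assumed to resolve to one address, and only IPv4 syntax is handled.

```shell
#!/bin/sh
# Added example: count the IPv4 addresses a target list covers before scanning.
# Function names are hypothetical helpers, not Nmap features.

# expand_count: read target expressions on stdin (whitespace-separated,
# "#" starts a comment, as in an -iL file); print "COUNT EXPR" per entry.
expand_count() {
    awk '
    # Number of values one octet spec covers: "100", "100-150", "1,3,5", "-"
    function octet_count(spec,   parts, r, n, i, lo, hi, total) {
        total = 0
        n = split(spec, parts, ",")
        for (i = 1; i <= n; i++) {
            if (parts[i] == "" || parts[i] !~ /^[0-9]*(-[0-9]*)?$/) return -1
            if (index(parts[i], "-")) {
                split(parts[i], r, "-")
                lo = (r[1] == "") ? 0 : r[1] + 0      # open start means 0
                hi = (r[2] == "") ? 255 : r[2] + 0    # open end means 255
            } else lo = hi = parts[i] + 0
            if (lo > hi || hi > 255) return -1
            total += hi - lo + 1
        }
        return total
    }
    function expr_count(e,   o, n, i, k, total, bits) {
        if (match(e, /\/[0-9]+$/)) {                  # CIDR suffix
            bits = substr(e, RSTART + 1) + 0
            if (bits > 32) return "invalid"
            return sprintf("%.0f", 2 ^ (32 - bits))
        }
        if (e !~ /^[0-9,.-]+$/) return "1"            # assumption: hostname = 1 target
        n = split(e, o, "[.]")
        if (n != 4) return "invalid"
        total = 1
        for (i = 1; i <= 4; i++) {
            k = octet_count(o[i])
            if (k < 1) return "invalid"
            total *= k
        }
        return sprintf("%.0f", total)
    }
    { sub(/#.*/, ""); for (f = 1; f <= NF; f++) print expr_count($f), $f }'
}

# count_targets EXPR: address count for a single expression
count_targets() { printf '%s\n' "$1" | expand_count | cut -d' ' -f1; }

# scope_total: sum the counts for a target list on stdin
scope_total() {
    expand_count | awk '
    $1 == "invalid" { bad = 1 }
    { sum += $1 }
    END {
        if (bad) { print "invalid"; exit 2 }
        printf "%.0f\n", sum
    }'
}

# scope_guard MAX: print the total, fail when the list covers more than MAX
scope_guard() {
    total=$(scope_total) || return 2
    if [ "$total" -gt "$1" ]; then
        echo "refusing: $total addresses exceeds limit $1" >&2
        return 1
    fi
    echo "$total"
}

# The targets.txt shown in this guide, reproduced as sample input
sample_targets() { printf '%s\n' 192.168.1.1 192.168.1.2 scanme.nmap.org 10.0.0.0/24; }

sample_targets | expand_count
sample_targets | scope_guard 512 || echo "scope too wide, not scanning"
```

With a real file, `scope_guard 64 < targets.txt && nmap -sL -n -iL targets.txt` runs the list-scan preview only when the count is within the limit.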

Discover Hosts with Nmap Commands

Host discovery decides which targets are alive before a port scan begins. Use these commands when you need a network inventory, a dry run of your target list, or a way around blocked ping probes.

Nmap Ping Scan Command for Host Discovery -sn

Use a ping scan when you only need to determine which devices are online. Despite the name, Nmap may use ICMP, TCP, ARP, or other discovery probes depending on privileges and network type.

Command:

nmap -sn 192.168.1.0/24

The -sn flag performs host discovery only and skips the port-scan phase. The same concept is called a ping scan in Zenmap, Nmap’s graphical frontend. The official host discovery documentation describes the probe mix Nmap can use.

Sample Output:

Starting Nmap 7.98 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
MAC Address: AA:BB:CC:DD:EE:FF (Vendor Name)
Nmap scan report for 192.168.1.2
Host is up (0.0018s latency).
MAC Address: 11:22:33:44:55:66 (Another Vendor)
Nmap done: 256 IP addresses (2 hosts up) scanned in 3.21 seconds

Interpreting the Output:

  • In this case, the output lists only the hosts that responded, showing they are online.
  • If Nmap can determine it, it will also show the MAC address and the vendor of the network interface card, which can help identify the device type on local networks.

Nmap List Scan Command -sL to Preview Targets

List scan expands the target expression without sending probes to the targets. Use it before CIDR or octet ranges that might cover more systems than intended.

Command:

nmap -sL 192.168.1.0/29

By default, Nmap may resolve names for listed targets unless you add -n. The scan summary reports zero hosts up because no discovery probes were sent. See the official list scan documentation for details.

Sample Output:

Starting Nmap 7.98 ( https://nmap.org )
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
Nmap scan report for 192.168.1.4
Nmap scan report for 192.168.1.5
Nmap scan report for 192.168.1.6
Nmap scan report for 192.168.1.7
Nmap done: 8 IP addresses (0 hosts up) scanned in 0.12 seconds

Nmap Command to Treat All Hosts as Online -Pn

Some hosts block Nmap’s discovery probes even though their services are reachable. In that case, skip host discovery and scan the selected ports directly.

Command:

nmap -Pn 192.168.1.50

The -Pn option tells Nmap to assume each target is online. It is uppercase P and lowercase n; there is no -pan flag, and Nmap options are case-sensitive. See the official -Pn documentation for details.

Use -Pn with narrow target ranges. It makes Nmap try the port scan against every listed address, so large mostly-offline ranges can take much longer.

Scan Ports and Services with Advanced Nmap Commands

Choose Between Nmap SYN and Connect Scans

A TCP SYN scan uses -sS, sends a SYN packet, and usually requires root privileges because it uses raw packets. It is fast and avoids completing the TCP handshake.

sudo nmap -sS 192.168.1.50

A TCP connect scan uses -sT, completes the normal TCP handshake through the operating system, and works without root privileges. It is useful when you cannot use sudo, but it is usually slower and easier for the target service to log.

nmap -sT 192.168.1.50

Nmap Port Scanning Commands for Specific Ports -p

Use -p when you want to limit the scan to specific ports or port ranges.

Scan TCP ports 1 through 1000:

nmap -p 1-1000 192.168.1.50

The -p flag accepts single ports, comma-separated lists, ranges, protocol prefixes, and -p- for every TCP port from 1 through 65535. The official Nmap port specification documentation covers the complete syntax.

Common Port Scan Variations:

  • Scan specific ports: nmap -p 22,80,443 192.168.1.50
  • Scan TCP ports: nmap -p T:21,22,25,80,443 192.168.1.50 (default is TCP)
  • Scan UDP ports: sudo nmap -sU -p U:53,161,162 192.168.1.50 (UDP scans are slower and often return open|filtered)
  • Scan top N ports: nmap --top-ports 20 192.168.1.50 (scans the most common ports according to Nmap’s service frequency data)
  • Scan all TCP ports: nmap -p- 192.168.1.50 or nmap -p 1-65535 192.168.1.50

Focused port ranges reduce scan time and network noise. Use -p- only when you genuinely need every TCP port, and combine it with a narrow target list.

Nmap Fast Scan Command -F

Use fast scan mode when you need a quick first look at common services.

Command:

nmap -F 192.168.1.50

The -F option scans fewer ports than the default 1,000-port scan. Normally, that reduced set is 100 ports selected from Nmap’s nmap-services data. The official fast scan documentation explains how Nmap chooses that set.

Nmap UDP Port Scan Command -sU

UDP scans are slower than TCP scans because many UDP services stay silent unless they receive the exact application payload they expect. Scan a small set of UDP ports first.

sudo nmap -sU -p 53,123,161 192.168.1.50

Common UDP results include open, closed, filtered, and open|filtered. If a UDP result is ambiguous, narrow the target, add service detection, or confirm from the service side instead of treating silence as proof that the port is open.

Nmap Commands for Service and Version Detection -sV

Knowing a port is open is useful, but knowing what service (and its version) is running on that port is even better. The -sV flag enables service and version detection.

Command:

nmap -sV 192.168.1.50

After discovering open ports, -sV sends service probes to identify the application and, when possible, its version. Use the result as a starting point for patch review; some services hide or alter banner details. The official version detection documentation explains the probe behavior.

Example Output:

Starting Nmap 7.98 ( https://nmap.org )
Nmap scan report for 192.168.1.50
Host is up (0.0021s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.54 ((Debian))
443/tcp  open  ssl/http Apache httpd 2.4.54 ((Debian)) (SSL-Apache/2.4.54 OpenSSL/1.1.1n)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds

Interpreting the Output:

  • The VERSION column now shows detailed information about the software running on each port.
  • Service Info may provide additional details like the operating system guessed by Nmap based on the services.
  • Version strings such as OpenSSH 8.4p1 help you decide which vendor advisory or package update to check next.

Nmap OS Detection Command -O

OS detection compares target responses against Nmap’s fingerprint database. It works best against nearby hosts with at least one open and one closed port.

Command:

sudo nmap -O 192.168.1.50

The -O option usually requires root privileges because Nmap needs raw-packet access for its OS probes. Treat the result as a fingerprint guess, not an inventory source of truth. The official OS detection documentation explains the method and limits.

Example Output Snippet:

Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.x
OS details: Linux 5.4 - 5.15
Network Distance: 1 hop

The -A option enables OS detection, version detection, script scanning, and traceroute in one scan. Use it only on authorized targets because it is much noisier than a basic port scan.

Tune Nmap Timing and Output Controls

Timing and output controls make Nmap easier to follow during long scans, less likely to overwhelm a target, and easier to save for later review.

Nmap Command for Increasing Scan Verbosity -v and -vv

To get more detailed information about what Nmap is doing during a scan, use the verbosity options.

Command:

nmap -v 192.168.1.50

Or for even more detail:

nmap -vv 192.168.1.50

The -v option prints more progress and scan detail. Use -vv when you need even more live feedback from a longer scan.

Control Nmap Timing Templates -T0 Through -T5

Timing templates change how aggressively Nmap sends probes. -T3 is the normal baseline, -T4 is common on reliable local networks, and -T5 can miss results on slow or filtered networks. The official Nmap performance documentation explains the template names and tradeoffs.

nmap -T4 -F 192.168.1.50

Use slower templates such as -T2, -T1, or -T0 only when you have a clear reason to reduce scan rate. They can turn a normal scan into a very long run.

Nmap Command for Saving Scan Output to a File -oN

For longer scans or for keeping records, saving the output to a file is essential.

Command:

nmap -oN scan-results.txt 192.168.1.50

The -oN option saves normal, human-readable output to the file you name. Nmap also supports XML with -oX, grepable output with -oG, and all three formats at once with -oA basename. You can later review saved normal output with tools such as grep or sed. The official Nmap output documentation covers each format.
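One way to review saved normal output for the server-audit case, as an added example that is not part of the original guide: it reads -oN text and reports every open port that is missing from an allowlist of intended services, and lists open|filtered ports separately for follow-up. The function names, the allowlist format, and the sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare open ports in saved normal (-oN) output with an allowlist.

# audit_exposure ALLOWLIST: read -oN text on stdin; ALLOWLIST is a
# comma-separated list such as "22/tcp,443/tcp". Exit status is 1 when any
# port is open that the allowlist does not name.
audit_exposure() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^Nmap scan report for / {
        host = $NF; gsub(/[()]/, "", host)   # "name (ip)" becomes ip
        next
    }
    # Skip non-port lines and ports the allowlist already covers
    $1 !~ /^[0-9]+\/(tcp|udp|sctp)$/ || ($1 in ok) { next }
    $2 == "open"          { print "UNEXPECTED", host, $1, $3; bad = 1 }
    $2 == "open|filtered" { print "AMBIGUOUS", host, $1, $3 }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample report in the layout shown in this guide
sample_report() {
    cat <<'EOF'
Starting Nmap 7.98 ( https://nmap.org )
Nmap scan report for 192.168.1.50
Host is up (0.0020s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
Nmap scan report for 192.168.1.51
Host is up (0.0031s latency).
PORT     STATE         SERVICE
22/tcp   open          ssh
3306/tcp open          mysql
161/udp  open|filtered snmp
Nmap done: 2 IP addresses (2 hosts up) scanned in 9.41 seconds
EOF
}

sample_report | audit_exposure "22/tcp,443/tcp" || echo "exposure differs from allowlist"
```

Against a saved file, run `audit_exposure "22/tcp,443/tcp" < scan-results.txt` and treat a non-zero exit status as a finding to investigate.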

Use Nmap Commands Safely and Effectively

Good Nmap habits come from controlling scope, adding options gradually, and saving results before changing the scan again.

Start Nmap Scans with Narrow Scope

  • Start simple: Begin with one host or a small subnet, such as nmap 192.168.1.50 or nmap -sn 192.168.1.0/24.
  • Keep permission clear: Scan only networks and devices you own or have explicit permission to test.
  • Preview target ranges: Run nmap -sL before broad CIDR or octet ranges so you know what Nmap will touch.

Build Nmap Options Incrementally

  • Add one option at a time: Start with nmap -p 22,80,443 192.168.1.50, then add -sV only when you need service fingerprints.
  • Use -Pn carefully: It solves blocked discovery probes, but it also makes Nmap scan every listed address.
  • Separate TCP and UDP questions: Use a normal TCP scan first, then scan selected UDP ports with -sU when you have a reason.

Save and Review Nmap Results

  • Use the manual for edge cases: Check man nmap or the official Nmap reference guide when a scan type has privilege, timing, or protocol-specific behavior.
  • Use verbosity on long scans: Add -v when version detection, OS detection, UDP scanning, or script scanning appears stalled.
  • Use -F for quick checks: Run nmap -F 192.168.1.50 when you only need a fast first pass.
  • Save results for comparison: Use -oN scan-results.txt for a readable report or -oA scan-baseline when you also want XML and grepable files.

Troubleshoot Common Nmap Issues for Beginners

Most beginner Nmap problems come from target discovery, privileges, scan scope, or an option typo. Match the error text first, then rerun a narrower verification scan.

Nmap Says the Host Appears Down

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.03 seconds

The target may be blocking discovery probes while still allowing specific service ports. Scan a small approved port set with -Pn:

nmap -Pn -p 22,80,443 192.168.1.50

If the output now shows a PORT STATE SERVICE table, host discovery was the blocked stage. Keep -Pn scoped to known hosts or small ranges.

Nmap Needs Root Privileges for the Scan Type

You requested a scan type which requires root privileges.
QUITTING!

Raw-packet scan types such as -sS, -O, and many UDP workflows need elevated privileges. Rerun the scan with sudo when you administer the system:

sudo nmap -sS 192.168.1.50

When you cannot use root privileges, switch to a TCP connect scan:

nmap -sT 192.168.1.50

Nmap Scans Take Too Long

Long scans usually come from broad host ranges, all-port scans, UDP scans, or -Pn against many offline hosts. Reduce the target and port scope first:

nmap -F 192.168.1.50
nmap -p 22,80,443 192.168.1.50
sudo nmap -sU -p 53,123 192.168.1.50

Add -v when you need progress feedback. Use -T4 only on reliable networks where you control the targets, and fall back to -T3 if results look incomplete.

Nmap Shows No Service Version Information

A normal scan reports service names from port mappings, not application fingerprints. Add -sV when you need version detection:

nmap -sV -p 22,80,443 192.168.1.50

If the service still does not identify itself, it may hide banners, reject probes, or sit behind filtering. You can increase probe intensity when the target is authorized:

nmap -sV --version-intensity 9 -p 22,80,443 192.168.1.50

Nmap Reports Too Many Open Files

NSOCK ERROR: Failed to open socket: Too many open files

This can happen when a large scan opens more sockets than the current shell limit allows. Check the limit, reduce parallelism, or split the scan into smaller chunks:

ulimit -n
nmap --max-parallelism 10 -p 22,80,443 192.168.1.0/28

If the smaller range completes, repeat the scan in manageable subnets instead of raising limits blindly.

Nmap Rejects an Unknown -pan Option

Unknown option: -pan

The common search phrase -pan is usually a mistyped version of -Pn. Use uppercase P and lowercase n:

nmap -Pn 192.168.1.50

Verify option spelling against the built-in help when another flag is rejected:

nmap --help

Conclusion on Nmap Commands for Beginners

Nmap is ready for controlled host discovery, port checks, service detection, and saved reports on systems you are allowed to test. Keep routine scans narrow, use scanme.nmap.org or your own lab for practice, and move to the Nmap Scripting Engine documentation when basic scanning is no longer enough.
