17 Basic Nmap Network Commands

Try this guide with our instant dedicated server for as low as 40 Euros

nmap commands

Nmap, short for Network Mapper, is an open-source tool for network discovery and security audits. 

This is such a useful utility that it has been ported to most Linux distributions, WIndows and macOS. The main reason behind this popularity is the diverse range of Nmap commands that are used in managing and securing their networks. 

In this comprehensive tutorial, we will guide you on the basics of using Nmap commands in Linux. We will highlight the full capability of this utility by going into the details of 17 Nmap application scenarios. As you will see, these scenarios will range from simple host detection to more complex functions like port scanning and OS detection. 

Let’s start with an overview of the Nmap command.

Table Of Contents

  1. An Overview of Nmap
  2. 17 Scenarios of Applying Nmap
    1. Scenario #1: Detect Open Ports
    2. Scenario #2: Scan Multiple Hosts
    3. Scenario #3: Exclude Hosts From Scans
    4. Scenario #4: Determine Operating System Details
    5. Scenario #5: Identify Firewall Configurations
    6. Scenario #6: Identify Service Versions
    7. Scenario #7: Search for Open Ports
    8. Scenario #8: Perform a Stealth Scan
    9. Scenario #9: Discover Hostnames
    10. Scenario #10: Use a File to Initiate Scans
    11. Scenario #11: Obtain Detailed Information in the Verbose Mode
    12. Scenario #12: Scan IPv6 Addresses
    13. Scenario #13: Identify Active Servers
    14. Scenario #14: Discover Host Interfaces, Routes, and Packet Details
    15. Scenario #15: Employ Quick Scans
    16. Scenario #16: Take Some Help
    17. Scenario #17: Create Decoys
  3. Conclusion
  4. FAQs

An Overview of Nmap

Nmap, or Network Mapper, is a powerful tool used in several popular OS for network discovery and security auditing processes. It allows administrators to scan network infrastructures to identify the devices running on the network, discover open ports, manage service upgrade schedules, monitor host or service uptime, and detect security risks. 

Nmap is used in the following scenarios:

  • Finding real-time information on a network
  • Detailed information on all the IPs addresses on your network
  • Number and types of open ports in a network
  • List of live hosts on the network
  • Port, OS, and host scanning

17 Scenarios of Applying Nmap 

The best way of understanding the capabilities of Nmap is to see its application in real-world scenarios. 

Let’s discuss some of these scenarios.

Scenario #1: Detect Open Ports

The Nmap command in Linux can utilize server names, IPv4 addresses, and IPv6 addresses when executing network scans. A simple execution of Nmap generates data on specified hosts. For this, run the following command:

# nmap subdomain.server.com

In its basic form without any additional options, this command identifies open services and ports on the target host.

Run this command to detect open services and ports using an IP address as the target.

# nmap IP Address

Similarly, you can opt for the Fast Scan option to detect open ports on the system. FOr this, run the following command: 

# nmap -F IP Address

Here, the -F option employs a faster scan focusing on commonly used ports listed in the nmap-services file. Though this option is significantly faster than a regular Nmap scan, the results are often less comprehensive.

Scenario #2: Scan Multiple Hosts

In addition to working with single hosts, the Nmap command in Linux is versatile enough to scan multiple locations simultaneously. This approach proves beneficial when you have larger network infrastructures. 

Nmap offers several options to scan multiple locations at once. We will discuss a couple of common options.

Scan Multiple Hosts Concurrently 

Run the following command and list multiple domains or IP addresses separated by spaces:

# nmap IP address1 IP address2 IP address3

Scan A Subnet

We recommend using the * wildcard option to scan an entire subnet in a single command. The command in this case will be as follows:

# nmap IP Address*

Using * as the last octet allows scanning all hosts within that subnet.

To scan adjacent IP addresses within the same subnet, separate the last octet with commas to avoid redundancy. You can run this command to accomplish this objective:

# nmap IP Address1,2,3

Alternatively, we recommend using a hyphen to specify a range of IP addresses:

# nmap IP Address1-4

Another great application of this idea is to specify a starting and ending IP address with a hyphen. This command scans all addresses within that range.

Scenario #3: Exclude Hosts From Scans

When conducting a network scan, you might need to scan a large group, such as an entire subnet. However, you may wish to exclude specific segments due to irrelevance or sensitivity of the contents hosted on the node.

Exclude a Specific Host

Run the following command to exclude a specific host from the scan: 

# nmap IP Address1* --exclude IP Address 1

Here, the –exclude option omits individual hosts directly in the Nmap scan.

Exclude Multiple Hosts

Similarly, you can exclude multiple hosts from a scan with the following command:

# nmap IP Address* --excludefile /file.txt

Here, the — exclude option refers to a file containing the list of IPs to be excluded. This method efficiently manages exclusions, particularly for larger scans. 

Scenario #4: Determine Operating System Details

In addition to general network scanning, the Nmap command in Linux can perform detailed analysis, such as operating system detection, script scanning, traceroute, and version detection. 

While Nmap strives to identify operating systems and their versions accurately, the results are not always guaranteed to be precise.

Start by getting the operating system details of the mapped hosts with this command:

# nmap -A IP Address

Here, the -A flag performs an aggressive scan that includes OS detection.

This flag can be combined with other Nmap commands for more comprehensive scanning.

Note: Use the -A flag cautiously as it can take a lot of time to generate the required results. 

You can drill down on the operating system detection by adding the -O flag to the command:

# nmap -O IP Address

Here, the -O flag enables OS detection using TCP/IP stack fingerprinting.

In addition, you can also use -osscan-limit to direct Nmap to target hosts with OS fingerprints. Though -osscan-guess takes more aggressive OS detection, it produces less reliable results.

Remember that these methods rely on recognizable signatures. Newer or customized operating systems may not have a readily identifiable fingerprint, leading to inconclusive results.

Scenario #5: Identify Firewall Configurations

Detecting firewall settings is essential for penetration testing and conducting vulnerability assessments. Nmap offers several options, with the -sA flag being particularly effective for examining firewall configurations on targeted hosts.

The command in this scenario will be as follows: 

# nmap -sA

Employing the -sA flag instructs Nmap to perform an ACK scan. This technique sends ACK packets to various ports and analyzes the responses to identify potential filtering rules implemented by a firewall.

Scenario #6: Identify Service Versions

At times, you need to uncover service and version details from open ports. Here, Nmap plays a crucial role in identifying service versions to troubleshoot, scan vulnerabilities, or identify services requiring updates.

The command in this context will be as follows:

# nmap -sV

This command retrieves detailed information about the services running on a specified host.

For a more comprehensive scan, you can adjust the depth of the version detection scan using the –version-intensity option, ranging from 0 (lightest) to 9 (most thorough). 

In addition, if the initial results are unclear or incomplete, use the –version-trace option to obtain more detailed output.

Scenario #7: Search for Open Ports

Port scanning is a fundamental Nmap feature. You can expand this core capability by adding several flags to the command that customize the process and output of scans. 

For instance, consider the following command that uses the -p flag followed by the port number to scan a specific port on a host:

# nmap -p 443

Similarly, you can scan for specific protocols, such as TCP or UDP by preceding the port number with T: (for TCP) or U: (for UDP).

# nmap -p T:8888,443

You can scan multiple ports at once by adding the list, separated by commas:

# nmap -p 80,443

You can extend this idea and scan multiple ports within a range by adding a hyphen:

# nmap -p 80-443

In some cases , you need to scan the ports in sequence rather than in a random order. For this, use the -r flag in the following command syntax:

# nmap -p 22,80,443 -r

For scanning the most common ports, use the –top-ports flag followed by the desired number of top ports you need to check:

# nmap --top-ports 10

Scenario #8: Perform a Stealth Scan

If you need to conduct a discreet network scan, employ the following Nmap command in Linux:

# nmap -sS

The -sS flag instructs Nmap to perform a TCP SYN scan. This flag can be combined with other Nmap command options. Although this method is less conspicuous, it tends to be slower and less aggressive than other scanning techniques.

Scenario #9: Discover Hostnames

Nmap offers several methods for host discovery through one of the most commonly used options, -sL. The command in this context will be as follows: 

# nmap -sL

The -sL flag conducts DNS queries to determine hostnames for the specified host. 

You can extend the capabilities of the command by adding additional flags. 

For instance, you can use the -n option to bypass DNS resolution altogether

The -R flag forces Nmap to perform DNS resolution even if the hostname can be resolved from the local host file. 

The -Pn flag assumes all hosts are online without conducting a host discovery scan. 

This approach treats all specified hosts as if they are active and is helpful if you already know the target hosts are active. 

Scenario #10: Use a File to Initiate Scans

Nmap offers significant operational flexibility by allowing to specify target hosts using a file.

For this, we recommend the -iL flag followed by the path to the file to instruct Nmap to read the list of targets from the file.

You can extend this process by directly importing a file via the command line with this command:

# nmap -iL /file.txt

This command initiates a scan of the IP addresses listed in the specified file. You can enhance this scan by combining it with additional commands and flags, making it a practical option for regularly scanning a predefined group of hosts.

Scenario #11: Obtain Detailed Information in the Verbose Mode

Verbose output can provide extensive details about a command’s execution Usually, you don’t need this much information during routine situations. However, the mode becomes invaluable when debugging complex issues or when you require more comprehensive information. 

Run the following command to obtain detailed information utilizing verbose mode:

# nmap -v

Here, the -v flag increases the verbosity of the output, revealing more about the scan’s process and results. You can add this flag to most Nmap commands to enhance the details you can see in the terminal. Without the -v flag, Nmap typically delivers only the essential information items.

Scenario #12: Scan IPv6 Addresses

As IPv6 becomes increasingly prevalent, Nmap provides robust support for scanning these addresses, much like it does for domains and traditional IPv4 addresses. 

However, to scan IPv6 addresses, you must add a specific flag to specify to Nmap that you need it to scan IPv6 addresses.

Run this command to scan for the IPv6 addresses on a network: 

# nmap -6 ::ffff:c0a8:1

Here, -6 flag indicates to Nmap to interpret the following target addresses as IPv6 addresses. This is necessary as Nmap can’t automatically differentiate between IPv4 and IPv6 addresses by default.

::ffff: prefix indicates that the following address is an IPv4-mapped IPv6 address.

c0a8:1: This part represents the standard IPv4 address notation.

Scenario #13: Identify Active Servers

One of Nmap’s fundamental features is its ability to ping and identify active machines on a network. 

You can use the -sP flag to locate machines that are active on the network. Similarly, you can use this flag to detect unexpected hosts within a network segment.

Run the following command to identify active servers:

# nmap -sP

This command scans the specified network range and provides a list of active and responsive servers.

Scenario #14: Discover Host Interfaces, Routes, and Packet Details

Nmap provides multiple options beyond basic scanning. For instance, you can use it for network troubleshooting by offering detailed information about network interfaces, routes, and packet transmission/reception.

For instance, consider the following command that obtains information regarding host interfaces, interface printing, and routes:

# nmap --iflist

This command generates a comprehensive list of network interfaces and routes.

Another common requirement is displaying a detailed trace of the packets sent and received during the scan. You can get these details with this command:

# nmap --packet-trace

In this command, the –packet-trace option facilitates the visualization of packets transmitted and received. This information is crucial in debugging network issues.

Scenario #15: Employ Quick Scans

At times, you may need to carry out a quick scan of the network. 

Nmap offers five scan modes that progressively sacrifice accuracy for speed. These modes start from T0 and go all the way to T5. As you can guess, the modes become progressively aggressive and send out an increasing number of requests.

T0 to T3 are suitable for all types of networks. However, T4 and T5 are only a good fit for extremely fast networks. 

For instance, you can run a super-aggressive scan with increased speed with the following command:

# nmap -T5

Here, the -T5 option instructs Nmap to use the Insane timing template. This employs a highly aggressive approach with numerous parallel connections and short timeouts.

Scenario #16: Take Some Help

Nmap has an extensive lineup of features and options. As a user, you often require clarification or guidance about how to use these options in Nmap commands.

You can get context-specific information by running this command:

# nmap -h

This command displays a help screen encompassing Nmap commands and provides insights into available flags.

Scenario #17: Create Decoys

Decoys are IP addresses included in a scan that Nmap uses to conceal the source of the scan. Nmap facilitates the creation of decoys to deceive firewalls and bypass the rules. 

Decoys are commonly employed for debugging purposes. However, note that decoys can be misused by attackers. Run the following command to create a decoy:

# nmap -D,,...

Here, the -D flag instructs Nmap to use the following comma-separated list of IP addresses as decoys.

By utilizing the -D command followed by a list of decoy addresses, it’s possible to blur the origin of the scan by including these decoy addresses, making it appear that multiple entities are scanning the network simultaneously.

In addition, commands like –spoof-mac and -S can spoof Media Access Control (MAC) and source addresses, respectively.


Mastering Nmap commands in Linux is crucial for anyone involved in network security and administration. The Nmap command in Linux provides a versatile toolkit for network scanning, enabling users to discover devices, services, and vulnerabilities within network infrastructures. From basic to advanced scans, Nmap offers a range of options that can be tailored to meet specific security assessments and monitoring needs. 

As you grow more proficient with these commands, you will enhance your ability to secure and manage networks effectively, making Nmap an indispensable tool in your cybersecurity arsenal.


Q. What is Nmap?

Nmap is a powerful network scanner used by network administrators to discover hosts and services on a computer network, thus creating a network structure map.

Q. How does Nmap facilitate network scanning?

Nmap provides a command-line interface (CLI) and a graphical user interface (GUI), empowering users to execute simple commands or complex scripts to scan the entire network efficiently.

Q. What are some basic functionalities of Nmap commands?

Nmap commands enable network administrators to conduct various types of scans, including ping scans, host scanning, and TCP connection scans. These scans allow for exploring closed ports, remote hosts, and IP ranges.

Q. What is a ping scan, and how does Nmap utilize it?

A ping scan involves sending IP-based ping packets to remote machines to determine their availability on the network. Nmap employs this technique to identify active hosts quickly.

Q. How does Nmap handle closed ports during scanning?

During network scanning, Nmap can detect closed ports on remote hosts, providing valuable insights into the network’s security posture and potential vulnerabilities.

Q. Can Nmap perform network mapping?

Nmap excels in network mapping by conducting comprehensive scans, employing techniques such as reverse DNS resolution and packet generation to map the network’s topology and identify active services.

Q. What role does the scripting engine play in Nmap?

Nmap‘s scripting engine allows network administrators to automate tasks, customize scans, and perform advanced network reconnaissance, enhancing efficiency and flexibility in network scanning.

Q. How does Nmap handle IP ranges and types of ports during scanning?

Nmap supports scanning IP ranges and can identify various types of ports, including TCP ports, enabling thorough exploration of the network’s infrastructure and services.

Q. What are the benefits of using Nmap as a network scanner?

Nmap allows network administrators to analyze network traffic, identify vulnerabilities, and assess security risks comprehensively, making it an indispensable tool for network management and security.

Try this guide with our instant dedicated server for as low as 40 Euros