This option specifies which ports you want to scan and
overrides the default. Individual port numbers are OK, as
are ranges separated by a hyphen (e.g.
beginning and/or end values of a range may be omitted,
causing Nmap to use 1 and 65535, respectively. So you can
-p- to scan ports from 1 through
is allowed if you specify it
explicitly. For IP protocol scanning (
-sO), this option
specifies the protocol numbers you wish to scan for
When scanning a combination of protocols (e.g. TCP and UDP), you can
specify a particular protocol by preceding the port numbers by
T: for TCP,
U: for UDP,
S: for SCTP, or
P: for IP Protocol.
The qualifier lasts until you specify another
qualifier. For example, the argument
U:53,111,137,T:21-25,80,139,8080 would scan UDP
ports 53, 111,and 137, as well as the listed TCP ports. Note
that to scan both UDP and TCP, you have to specify
-sU and at least one TCP scan type (such as
-sT). If no protocol qualifier is given,
the port numbers are added to all protocol lists.
Ports can also be specified by name according to what the
port is referred to in the
can even use the wildcards
? with the names. For example, to scan
FTP and all ports whose names begin with “http”, use
Be careful about shell expansions and quote the argument to
-p if unsure.
Ranges of ports can be surrounded by square brackets to indicate
ports inside that range that appear in
For example, the following will scan all ports in
equal to or below 1024:
-p [-1024]. Be careful with shell
expansions and quote the argument to
-p if unsure.