
Nmap Network Scanning

TCP Mode

-p <port_spec>, --dest-port <port_spec> (Target ports)

This option specifies which destination ports you want to send probes to. It can be a single port, a comma-separated list of ports (e.g. 80,443,8080), a range (e.g. 1-1023), or any combination of those (e.g. 21-25,80,443,1024-2048). The beginning and/or end values of a range may be omitted, causing Nping to use 1 and 65535, respectively. So you can specify -p- to target ports from 1 through 65535. Using port zero is allowed if you specify it explicitly.

-g <portnumber>, --source-port <portnumber> (Spoof source port)

This option asks Nping to use the specified port as the source port for the TCP connections. Note that this might not work on all systems or may require root privileges. The specified value must be an integer in the range [0–65535].

--seq <seqnumber> (Sequence Number)

Specifies the TCP sequence number. In SYN packets this is the initial sequence number (ISN). In a normal transmission this corresponds to the sequence number of the first byte of data in the segment. <seqnumber> must be a number in the range [0–4294967295].

--flags <flags> (TCP Flags)

This option specifies which flags should be set in the TCP packet. <flags> may be specified in three different ways:

  1. As a comma-separated list of flags, e.g. --flags syn,ack,rst

  2. As a list of one-character flag initials, e.g. --flags SAR tells Nping to set flags SYN, ACK, and RST.

  3. As an 8-bit hexadecimal number, where the supplied number is the exact value that will be placed in the flags field of the TCP header. The number should start with the prefix 0x and should be in the range [0x00–0xFF], e.g. --flags 0x20 sets the URG flag, as 0x20 corresponds to binary 00100000 and the URG flag is represented by the third bit.

There are 8 possible flags to set: CWR, ECN, URG, ACK, PSH, RST, SYN, and FIN. The special value ALL means to set all flags. NONE means to set no flags. If you don't want any flag to be set, it is important to request that explicitly, because in some cases the SYN flag may be set by default. Here is a brief description of the meaning of each flag:

CWR (Congestion Window Reduced)

Set by an ECN-capable sender when it reduces its congestion window (due to a retransmit timeout, a fast retransmit, or in response to an ECN notification).

ECN (Explicit Congestion Notification)

During the three-way handshake it indicates that the sender is capable of performing explicit congestion notification. Normally it means that a packet with the IP Congestion Experienced flag set was received during normal transmission. See RFC 3168 for more information.

URG (Urgent)

Segment is urgent and the urgent pointer field carries valid information.

ACK (Acknowledgement)

The segment carries an acknowledgement and the value of the acknowledgement number field is valid and contains the next sequence number that is expected from the receiver.

PSH (Push)

The data in this segment should be immediately pushed to the application layer on arrival.

RST (Reset)

There was some problem and the sender wants to abort the connection.

SYN (Synchronize)

The segment is a request to synchronize sequence numbers and establish a connection. The sequence number field contains the sender's initial sequence number.

FIN (Finish)

The sender wants to close the connection.
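
The three --flags forms described above all resolve to one flags byte, and the same mapping lets you read a raw flags value from a packet capture or firewall log. The following Python sketch is an added example, not Nping's own parser; it assumes each one-letter initial is the first letter of the flag name (the page shows only S, A and R), and the function names are hypothetical.

```python
# Added example, not Nping's parser: turns a --flags argument into the 8-bit
# value for the TCP header and back. Bit values follow the TCP header layout.
FLAG_BITS = {"cwr": 0x80, "ecn": 0x40, "urg": 0x20, "ack": 0x10,
             "psh": 0x08, "rst": 0x04, "syn": 0x02, "fin": 0x01}
# Assumption: an initial is the first letter of the flag name, as in "SAR".
INITIALS = {name[0]: bit for name, bit in FLAG_BITS.items()}


def parse_flags(spec):
    """Return the flags byte for a name list, initials string or 0x.. value."""
    s = spec.strip().lower()
    if s == "all":
        return 0xFF
    if s == "none":
        return 0x00
    if s.startswith("0x"):                       # form 3: exact hex value
        value = int(s, 16)                       # ValueError if not hex
        if value > 0xFF:
            raise ValueError("flags value out of range [0x00-0xFF]: " + spec)
        return value
    tokens = s.split(",")
    if all(t in FLAG_BITS for t in tokens):      # form 1: comma-separated names
        bits = [FLAG_BITS[t] for t in tokens]
    elif s and all(c in INITIALS for c in s):    # form 2: one-letter initials
        bits = [INITIALS[c] for c in s]
    else:
        raise ValueError("unrecognised flags specification: " + spec)
    value = 0
    for bit in bits:
        value |= bit
    return value


def describe_flags(value):
    """List the names of the flags set in a flags byte, highest bit first."""
    return [name.upper() for name, bit in FLAG_BITS.items() if value & bit]


if __name__ == "__main__":
    # Constructed sample specifications taken from the forms shown above.
    for spec in ("syn,ack,rst", "SAR", "0x20", "ALL", "NONE"):
        v = parse_flags(spec)
        print(f"{spec:12} -> 0x{v:02X} {describe_flags(v)}")
```
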

--win <size> (Window Size)

Specifies the TCP window size, that is, the number of octets the sender of the segment is willing to accept from the receiver at one time. This is usually the size of the reception buffer that the OS allocates for a given connection. <size> must be a number in the range [0–65535].

--badsum (Invalid Checksum)

Asks Nping to use an invalid TCP checksum for the packets sent to target hosts. Since virtually all host IP stacks properly drop these packets, any responses received are likely coming from a firewall or an IDS that didn't bother to verify the checksum. For more details on this technique, see https://nmap.org/p60-12.html.
