Home page logo
/
Zenmap screenshot
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
Example Nmap output

Nmap Network Scanning

Port Selection Data and Strategies

Port scanning can be the most time consuming portion of an Nmap scan, even when the scan includes version detection or NSE scripts. Port scan time is roughly proportional to the number of ports scanned, so reducing the number of ports provides a significant performance boost. The down side is that reduced scans are less comprehensive, so you might miss open ports.

The reality is that there are 65,536 ports in each protocol, and most of them are almost never open. I spent a summer conducting large-scale scans to determine the prevalence of each TCP and UDP port. The results include data from scanning tens of millions of Internet IP addresses as well as enterprise networks scanned from within. This section provides empirical results you can rely on to strike the right balance between speed and effectiveness in your scans.

While more than a hundred thousand (total) TCP and UDP ports exist, the vast majority of open ports fall within a much smaller set. According to our research, the top 10 TCP ports and top 1,075 UDP ports represent half of the open ports for their protocol. To catch 90% of the open ports, you need to scan 576 TCP ports and 11,307 UDP ports. By default, Nmap scans the top 1,000 ports for each scan protocol requested. This catches roughly 93% of the TCP ports and 49% of the UDP ports. With the -F (fast) option, only the top 100 ports are scanned, providing 78% TCP effectiveness and 39% for UDP. To specify a different number of ports, specify that value to the --top-ports option. Table 6.1 provides an approximation of the number of TCP or UDP ports you must scan to reach a given effectiveness rate for that protocol.

Table 6.1. Required --top-ports values for reaching various effectiveness levels

EffectivenessTCP ports requiredUDP ports required
10%15
20%212
30%427
40%6135
50%101,075
60%182,618
70%445,157
80%1227,981
85%2369,623
90%57611,307
95%1,55813,035
99%3,32815,094
100%65,53665,536

While Nmap can handle port selection for you automatically (when you rely on defaults or use options such as -F or --top-ports), specifying ports explicitly with -p is often useful. In either case, familiarity with the most commonly seen open ports is important. The top ports according to our data are described in the section called “What Are the Most Popular Ports?”.

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]