How to nmap scan a network
Content on WhatAnswers is provided "as is" for informational purposes. While we strive for accuracy, we make no guarantees. Content is AI-assisted and should not be used as professional advice.
Last updated: April 4, 2026
Key Facts
- Nmap was first released in 1997 by Gordon Lyon.
- It can be used for network inventory, managing service upgrade schedules, and monitoring host or service uptime.
- Nmap supports a dozen or so port scanning techniques, including TCP SYN scan (the default when run with raw-socket privileges), TCP connect scan (the default otherwise), UDP scan, and more.
- Nmap scripts can automate a wide variety of networking tasks, from discovery to vulnerability detection.
- The tool is available for Linux, Windows, and macOS.
Overview
Nmap, short for Network Mapper, is a free and open-source utility for network discovery and security auditing. It is a powerful tool used by network administrators and security professionals to understand which hosts are available on a network, what services (application name and version) those hosts are running, what operating systems (and OS guesses) they are using, what type of packet filters/firewalls are in use, and a dozen other characteristics. While often used for security auditing, Nmap can also be used for network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Getting Started with Nmap
Before you can scan a network, you need to have Nmap installed on your system. Nmap is available for Linux, Windows, and macOS, and most Linux distributions package it. Installation instructions can be found on the official Nmap website. Note that the scan types that craft raw packets (SYN scan, UDP scan, OS detection) must be run as root or via sudo on Unix-like systems, so plan to run Nmap elevated for anything beyond a connect scan.
Common Nmap Scan Types
Nmap offers a wide array of scanning techniques, each with its own advantages and use cases. Here are some of the most common:
- TCP SYN Scan (-sS): This is the default scan type when Nmap has raw-socket privileges and the most commonly used one. It is fast and comparatively unobtrusive because it never completes the TCP handshake: Nmap sends a SYN and classifies the port from the reply. A SYN/ACK means open, an RST means closed, and no reply (or an ICMP unreachable error) means filtered. "Unobtrusive" is relative: the target application never sees a connection, but firewalls and intrusion detection systems routinely log SYN scans.
- TCP Connect Scan (-sT): This scan uses the operating system's connect() call and completes the three-way handshake, so the target application sees (and may log) a full connection. It is noisier and somewhat slower than a SYN scan, but it needs no special privileges; Nmap falls back to it automatically when it lacks raw-socket access, and it is the only TCP option when SYN packets are being dropped or rewritten by something between you and the target.
- UDP Scan (-sU): This scan probes UDP ports. Nmap sends a UDP packet (empty, or a protocol-specific payload for well-known ports such as 53 and 161) to each port. An ICMP "port unreachable" reply means closed, other ICMP unreachable errors mean filtered, a UDP reply means open, and no response is reported as open|filtered, because an open service that ignores the probe and a dropped packet look identical. Combining -sU with -sV helps resolve open|filtered ports. UDP scanning is slow because many operating systems rate-limit ICMP unreachable messages (Linux sends at most one per second by default), so a full-range UDP scan of a single host can take a long time.
- Ping Scan (-sn): This is a host discovery scan that determines which hosts are online without sending any port scan packets. When run as root against remote targets it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request; on a local Ethernet segment it uses ARP requests instead, which is faster and more reliable. It's useful for quickly identifying active machines before spending time port-scanning them.
Basic Nmap Commands
Here are some fundamental Nmap commands to get you started:
Scanning a Single Host
To scan a single IP address:
nmap 192.168.1.1
This runs the default scan: host discovery followed by a TCP SYN scan (a TCP connect scan if you are not root) of the 1000 most commonly used TCP ports on the target host.
Scanning a Range of IPs
You can scan a range of IP addresses:
nmap 192.168.1.1-100
This scans hosts from 192.168.1.1 through 192.168.1.100.
Scanning a Subnet
To scan an entire subnet (e.g., a /24 network of 256 addresses) using CIDR notation:
nmap 192.168.1.0/24
Specifying Ports
You can specify which ports to scan:
nmap -p 80,443 192.168.1.1
This scans only ports 80 and 443.
nmap -p- 192.168.1.1
This scans all 65535 TCP ports (1 through 65535; port 0 is only scanned if you specify it explicitly, e.g. -p0-).
Service and Version Detection (-sV)
To attempt to determine the service and version running on open ports, Nmap connects to each one and sends protocol probes, then matches the responses against its signature database. This is more intrusive than a plain port scan because the services actually receive traffic:
nmap -sV 192.168.1.1
OS Detection (-O)
To attempt to determine the operating system of the target host:
nmap -O 192.168.1.1
Note: OS detection requires root/administrator privileges, and it works best when the target has at least one open and one closed TCP port for Nmap to probe.
Aggressive Scan (-A)
This option enables OS detection, version detection, script scanning, and traceroute:
nmap -A 192.168.1.1
This is a more comprehensive but also slower and more intrusive scan: the script scanning it enables runs the default NSE category against every discovered service, and OS detection requires root privileges.
Timing and Performance (-T)
Nmap has timing templates that control the speed of your scans. They range from -T0 (paranoid) to -T5 (insane); the default is -T3. -T4 is often a good balance for faster scans on fast, reliable networks, while -T5 trades accuracy for speed and can cause Nmap to miss ports or misclassify them on slow or congested links. The template does not change what packets are sent, only how aggressively they are timed and retried.
nmap -T4 192.168.1.1
Nmap Scripting Engine (NSE)
Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It uses small, specialized Lua scripts to automate a wide variety of networking tasks, from advanced version detection and network discovery to vulnerability detection, backdoor detection, and vulnerability exploitation. Scripts are grouped into categories (such as default, safe, discovery, vuln, and intrusive), so check a script's category before running it against production systems.
To run scripts in the default category (equivalent to -sC):
nmap --script default 192.168.1.1
To run a specific script:
nmap --script http-title 192.168.1.1
Saving Output
Nmap can save scan results in various formats:
- Normal Output (-oN): Saves in a human-readable format.
- Grepable Output (-oG): Saves in a format easy for grep to process.
- XML Output (-oX): Saves in an XML format, the most stable choice for programmatic processing and for importing into other tools.
- All Formats (-oA): Saves in all three formats.
nmap -oA scan_results 192.168.1.1
This command will create three files: scan_results.nmap, scan_results.gnmap, and scan_results.xml.
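The ping scan and grepable output described above combine naturally into a two-stage workflow: discover live hosts first, then port-scan only those hosts and parse the results. The script below is an added example and is not code from the page or from the Nmap project. The two awk helpers run entirely offline against constructed sample .gnmap files (the 10.0.0.0/29 addresses, hostnames and versions are made up); only scan_network, which is never invoked automatically, assumes nmap is on PATH and that you run it as root so -sS is available.

```shell
#!/bin/sh
# Added example: two-stage nmap workflow with grepable-output parsing.
# Assumes nmap is installed and the shell has raw-socket privileges (root)
# when scan_network is called. The sample data below is constructed.
set -eu

# Print the address of every host marked "Up" in a -sn grepable file.
# In .gnmap, each host line starts with "Host: <ip> (<name>)" followed by
# a tab-separated "Status: Up" field, so $2 is the address.
live_hosts_from_gnmap() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# Print "ip port/proto service" for every open port in a port-scan .gnmap.
# The "Ports:" field is a comma-separated list of
# port/state/proto/owner/service/rpcinfo/version/ entries, followed by an
# "Ignored State:" summary that must be stripped before splitting.
open_ports_from_gnmap() {
    awk '
        /^Host:/ && /Ports:/ {
            ip = $2
            sub(/.*Ports: /, "")
            sub(/[ \t]*Ignored State:.*/, "")
            n = split($0, entries, /, /)
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                # f[1]=port f[2]=state f[3]=proto f[5]=service
                if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
            }
        }' "$1"
}

# Stage 1: ping scan the range and save grepable output.
# Stage 2: SYN + version scan only the hosts that answered, skipping a
# second round of host discovery (-Pn) since liveness is already known,
# and write results in all three formats under the given prefix.
scan_network() {
    target="$1"
    prefix="$2"
    nmap -sn -oG "${prefix}_discovery.gnmap" "$target" >/dev/null
    live_hosts_from_gnmap "${prefix}_discovery.gnmap" > "${prefix}_live.txt"
    if [ ! -s "${prefix}_live.txt" ]; then
        echo "no live hosts found in $target" >&2
        return 1
    fi
    nmap -sS -sV -Pn -T4 -iL "${prefix}_live.txt" -oA "${prefix}_ports" >/dev/null
    open_ports_from_gnmap "${prefix}_ports.gnmap"
}

# Constructed sample output, written to a temp dir so the helpers can be
# exercised without running nmap. "Status: Down" lines only appear in real
# .gnmap output when nmap is run with -v.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
{
    printf '# Nmap 7.94 scan initiated as: nmap -sn -v -oG discovery.gnmap 10.0.0.0/29\n'
    printf 'Host: 10.0.0.1 ()\tStatus: Down\n'
    printf 'Host: 10.0.0.2 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 (gw.example.test)\tStatus: Up\n'
    printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned\n'
} > "$SAMPLE_DIR/discovery.gnmap"
{
    printf '# Nmap 7.94 scan initiated as: nmap -sS -sV -Pn -T4 -iL live.txt -oA ports\n'
    printf 'Host: 10.0.0.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 (protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)\n'
    printf 'Host: 10.0.0.5 (gw.example.test)\tPorts: 53/open/tcp//domain//dnsmasq 2.85/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (998)\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned\n'
} > "$SAMPLE_DIR/ports.gnmap"

# Offline demonstration on the constructed files:
live_hosts_from_gnmap "$SAMPLE_DIR/discovery.gnmap"
open_ports_from_gnmap "$SAMPLE_DIR/ports.gnmap"

# Real usage (as root, against a range you are authorized to scan):
#   scan_network 192.168.1.0/24 ./scan_results
```

The filtered MySQL port is deliberately present in the sample so the parser shows only genuinely open ports; everything else in the "Ports:" field (owner, RPC info, version) is ignored, which is why the grepable format is convenient for quick triage and the XML format is the better input for anything more elaborate.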
Ethical Considerations
Scanning networks you do not own or have explicit permission to test can violate computer misuse laws and acceptable-use policies, and even where it is lawful it can trigger intrusion detection alerts, get your address blocked, or disrupt fragile devices. Always obtain written authorization that names the targets and the time window before scanning, keep the scan within that scope, and prefer the less intrusive options (ping scan, default ports, no scripts) until you know how the environment reacts.
Sources
- Nmap Official Documentation (fair use)
- Nmap - Wikipedia (CC-BY-SA-4.0)