What does Nmap do?
Content on WhatAnswers is provided "as is" for informational purposes. While we strive for accuracy, we make no guarantees. Content is AI-assisted and should not be used as professional advice.
Last updated: April 4, 2026
Key Facts
- Nmap was first released in 1997 by Gordon Lyon (Fyodor).
- It supports over 1500 different service detection algorithms.
- Nmap can detect over 1000 different OS types.
- It can perform various types of scans, including TCP SYN, TCP connect, UDP, and more.
- Nmap is widely used by network administrators for network inventory, managing service upgrade schedules, and monitoring host or service uptime.
What is Nmap?
Nmap, which stands for Network Mapper, is a powerful, free, and open-source utility designed for network exploration and security auditing. Developed by Gordon Lyon, often known by his handle "Fyodor," Nmap has become an indispensable tool for network administrators, security professionals, and even curious individuals looking to understand the intricacies of their networks.
How Does Nmap Work?
At its core, Nmap works by sending specially crafted packets to target hosts and then analyzing the responses. Based on these responses, Nmap can deduce a significant amount of information about the target network and its devices. This process is often referred to as network discovery or network reconnaissance.
Network Discovery
One of Nmap's primary functions is to discover which devices are active on a network. It can perform various host discovery techniques, such as:
- Ping Scans: Sending ICMP echo requests (like a traditional ping) to see if hosts respond.
- ARP Scans: On local networks, Nmap can use Address Resolution Protocol (ARP) to discover hosts.
- TCP SYN/ACK Scans: Sending specific TCP packets to see if hosts reply, even if they are blocking traditional pings.
This allows administrators to create an inventory of all devices connected to their network, ensuring no unauthorized devices are present.
Port Scanning
Once Nmap identifies live hosts, its next major task is to determine which ports are open, closed, or filtered on those hosts. Ports are virtual endpoints for network communication, and open ports often indicate that a service or application is running and accessible.
- Open Ports: A port is considered open if a service is actively listening for connections on that port.
- Closed Ports: A port is closed if it receives a response from the target indicating that no application is listening.
- Filtered Ports: A port is filtered if a network firewall, filter, or other network obstruction prevents Nmap from determining its state.
Nmap supports a wide array of port scanning techniques, including:
- TCP SYN Scan (Stealth Scan): The default and most popular scan type. It sends a SYN packet and waits for a SYN/ACK (indicating open) or RST (indicating closed) without completing the TCP connection, making it less likely to be logged by the target.
- TCP Connect Scan: Completes the full TCP three-way handshake. It's more reliable but more easily detected.
- UDP Scan: Sends UDP packets to scan for open UDP ports. This is slower and less reliable than TCP scans.
- FIN, Null, and Xmas Scans: These use unusual TCP flag combinations to probe ports, often effective against older or misconfigured firewalls.
Nmap can scan ports individually, in ranges, or all 65,535 possible ports.
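The scan types above differ in whether the TCP handshake completes, and that difference is visible to a defender who keeps packet-level records. The following is an added example, not part of the original page: it flags sources that touch many distinct ports in a short window and labels the pattern as half-open or full connect. The record format, addresses, window and threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): epoch_seconds src dst_port client_flags
# client_flags = TCP flags sent by the client: "S" = SYN only, "SR" = SYN then RST
# (half-open, handshake never completed), "SA" = SYN then ACK (full connect).
SAMPLE = """\
1000 10.0.0.5 22 SR
1000 10.0.0.5 23 S
1001 10.0.0.5 80 SR
1001 10.0.0.5 443 SR
1002 10.0.0.5 3389 S
1002 10.0.0.9 443 SA
1030 10.0.0.9 443 SA
1003 10.0.0.7 21 SA
1003 10.0.0.7 22 SA
1004 10.0.0.7 25 SA
1004 10.0.0.7 80 SA
1005 10.0.0.7 110 SA
"""

def parse(text):
    for line in text.splitlines():
        if line.strip():
            ts, src, port, flags = line.split()
            yield int(ts), src, int(port), flags

def detect_scans(records, window=10, min_ports=5):
    """Flag sources that touch >= min_ports distinct ports within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, port, flags in sorted(records):
        by_src[src].append((ts, port, flags))
    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            ports = {p for _, p, _ in span}
            if len(ports) >= min_ports:
                completed = sum(1 for _, _, f in span if f == "SA")
                kind = "connect" if completed > len(span) / 2 else "half-open"
                alerts[src] = (kind, sorted(ports))
                break
    return alerts

if __name__ == "__main__":
    for src, (kind, ports) in detect_scans(parse(SAMPLE)).items():
        print(f"{src}: {kind} scan pattern, ports {ports}")
```

A half-open pattern never reaches the application, so it shows up only in firewall, flow or packet records and not in service logs.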
Service and Version Detection
Beyond simply identifying open ports, Nmap can attempt to determine the specific service running on each open port and its version. It achieves this by sending probes tailored to common services (like HTTP, FTP, SSH) and analyzing the responses. This is crucial for security auditing, as outdated software versions may have known vulnerabilities.
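To turn the inventory and service-detection results described above into an audit, the scan output can be compared with an approved baseline. The following is an added example, not part of the original page: it parses XML in the shape produced by `nmap -sV -oX` and reports open ports that the baseline does not approve. The sample XML, the addresses and the `BASELINE` mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -oX` output (hosts and versions are made up).
SAMPLE_XML = """<nmaprun>
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.77" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
    </ports></host>
</nmaprun>"""

# Hypothetical approved baseline: host -> set of (protocol, port) allowed to be open.
BASELINE = {"192.0.2.10": {("tcp", 22)}}

def open_services(xml_text):
    """Yield (addr, proto, port, service, product, version) for open ports on live hosts."""
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed and filtered ports are not exposed services
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            yield (addr, port.get("protocol"), int(port.get("portid")),
                   attrs.get("name", ""), attrs.get("product", ""), attrs.get("version", ""))

def audit(xml_text, baseline):
    """Return findings for open ports on unknown hosts or outside a host's approved set."""
    findings = []
    for addr, proto, port, name, _product, _version in open_services(xml_text):
        if addr not in baseline:
            findings.append((addr, "unknown-host", f"{proto}/{port} {name}"))
        elif (proto, port) not in baseline[addr]:
            findings.append((addr, "unapproved-port", f"{proto}/{port} {name}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_XML, BASELINE):
        print(finding)
```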
Operating System Detection
Nmap can also attempt to identify the operating system of the target host. It does this by analyzing subtle differences in how different operating systems respond to various network probes. This fingerprinting technique can accurately identify the OS in many cases, helping administrators understand the software environment of their network.
Scripting Engine (NSE)
One of Nmap's most powerful features is its Nmap Scripting Engine (NSE). NSE allows users to write and share scripts (using the Lua programming language) to automate a wide variety of networking tasks. These scripts can be used for:
- Advanced vulnerability detection.
- More in-depth service discovery.
- Exploiting certain vulnerabilities (with ethical considerations).
- General network information gathering.
With thousands of available NSE scripts, Nmap's capabilities are vastly extended beyond basic scanning.
Common Use Cases for Nmap
- Network Inventory: Discovering all devices on a network.
- Security Auditing: Identifying open ports and vulnerable services.
- Firewall Rule Testing: Verifying firewall configurations.
- Network Troubleshooting: Diagnosing connectivity issues.
- Performance Monitoring: Checking service availability and uptime.
Ethical Considerations
While Nmap is an incredibly useful tool, it's essential to use it responsibly and ethically. Scanning networks without explicit permission can be illegal and unethical. Always ensure you have proper authorization before scanning any network that you do not own or manage.