Security News

Cybersecurity news aggregator


nmap on Linux: Guide to Network Scanning and Discovery

  • What: Guide to using nmap for network scanning and discovery
  • Impact: System administrators and network engineers

nmap is one of those tools every sysadmin eventually needs. Whether you are auditing servers, mapping out a home lab, or troubleshooting a connectivity issue, knowing how to use nmap properly saves a lot of time and guesswork. Nmap stands for Network Mapper. It has been around since 1997, is open source, and runs on Linux, macOS, and Windows. On Linux it is the most capable, especially when running with root privileges.

Note: Only scan networks and hosts you own or have explicit permission to scan. Unauthorized scanning may be illegal in your jurisdiction.

Getting Started with Nmap

Nmap is in every major distro's package repository.

  Debian and Ubuntu: sudo apt install nmap
  Fedora and RHEL/CentOS: sudo dnf install nmap
  Arch and Manjaro: sudo pacman -S nmap

Verify the install:

  nmap --version

You should see output like "Nmap version 7.94" or newer. Good to go.

Basic Host Discovery

The most common starting point is finding out which hosts are alive on a network. This is called a ping scan or host discovery scan.

  nmap -sn 192.168.1.0/24

The -sn flag tells nmap to skip port scanning entirely and only check which hosts respond. This is fast and quiet. On routed networks it sends ICMP echo requests, a TCP SYN to port 443, a TCP ACK to port 80, and ICMP timestamp requests. On a local LAN, where every example in this guide runs, nmap uses ARP discovery instead, which is faster and often finds devices that ignore normal ping. On a typical home or small office network this completes in a few seconds and shows you every device that responded. The full behavior is documented in the official host discovery chapter.

Example output:

  Nmap scan report for 192.168.1.1
  Host is up (0.0011s latency).
  MAC Address: A4:3E:51:XX:XX:XX (Ubiquiti Networks)
  Nmap scan report for 192.168.1.10
  Host is up (0.00032s latency).
  MAC Address: DC:A6:32:XX:XX:XX (Raspberry Pi Trading)
  Nmap scan report for 192.168.1.50
  Host is up (0.0024s latency).

Handy for a quick inventory. I run this after adding a new device when I forget which IP the DHCP server assigned.

Scanning Ports

Once you know what is alive, you usually want to know what services are running. Port scanning is where nmap really earns its reputation.

Default scan

Without any flags, nmap scans the 1,000 most common TCP ports:

  nmap 192.168.1.10

This requires no root privileges, though the results are less detailed than a privileged scan.

SYN scan (stealth scan)

The SYN scan is the default when run as root and is the most widely used scan type:

  sudo nmap -sS 192.168.1.10

It sends a SYN packet and waits for a response without completing the TCP handshake. This is faster than a full connect scan and less likely to appear in application logs. On a local network, the speed difference is noticeable when scanning many hosts.

Scan all 65,535 ports

The default 1,000 ports miss things: services running on non-standard ports will not show up. Scan everything with:

  sudo nmap -sS -p- 192.168.1.10

This takes longer, but you will not miss a MySQL instance running on port 33060 or an SSH daemon someone moved to 2222.

Scan specific ports

  sudo nmap -p 22,80,443,3306 192.168.1.10

Or a port range:

  sudo nmap -p 1-1024 192.168.1.10

UDP scanning

UDP is often overlooked. DNS runs on UDP 53, SNMP on UDP 161, and NTP on UDP 123. These are common targets and common misconfiguration points.

  sudo nmap -sU -p 53,161,123 192.168.1.1

UDP scans are slower than TCP scans because closed UDP ports do not always send a response. Be patient, or limit the port range.

Service and Version Detection

Knowing port 22 is open is useful. Knowing it is running OpenSSH 8.9p1 is more useful. The -sV flag probes open ports to determine the service and version:

  sudo nmap -sV 192.168.1.10

Example output:

  PORT     STATE SERVICE VERSION
  22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
  80/tcp   open  http    nginx 1.24.0
  3306/tcp open  mysql   MySQL 8.0.35

This is the first scan I run when looking at an unfamiliar server. It immediately tells me what I am dealing with. Version detection also flags outdated software, which is a quick win for security audits.

How hard version detection tries is controlled by --version-intensity, from 0 (light) to 9 (try everything). The default is 7. Dropping it to 2 or 3 speeds things up without losing much accuracy on common services. The full set of options lives in the official nmap reference guide.

OS Detection

nmap can make educated guesses about the operating system based on TCP/IP stack fingerprinting:

  sudo nmap -O 192.168.1.10

It needs at least one open and one closed port to fingerprint accurately. Output looks like:

  OS details: Linux 5.15 - 5.19, Linux 6.1
  Network Distance: 1 hop

It is not always exact. On virtual machines or devices with custom TCP stacks the guess can be off. But it is a useful signal, especially when you are scanning a network segment and want to separate Linux servers from Windows boxes or embedded devices.

Combining Options: The Aggressive Scan

The -A flag enab...
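As an added example (not from the article or the nmap project), here is a small Python parser for the two output formats shown above: it turns -sn host discovery output into an inventory, parses the -sV port table, and lists hosts that are new or whose MAC differs from a known IP-to-MAC list. The sample output and the known-inventory dict are constructed, modelled on the article's examples; parse_hosts, parse_ports and inventory_diff are hypothetical names.

```python
import re

# Constructed samples, modelled on the output formats the article shows.
SN_OUTPUT = """\
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
MAC Address: A4:3E:51:XX:XX:XX (Ubiquiti Networks)
Nmap scan report for 192.168.1.10
Host is up (0.00032s latency).
MAC Address: DC:A6:32:XX:XX:XX (Raspberry Pi Trading)
Nmap scan report for 192.168.1.50
Host is up (0.0024s latency).
"""
SV_OUTPUT = """\
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx 1.24.0
3306/tcp open  mysql   MySQL 8.0.35
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
UP_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)")
MAC_RE = re.compile(r"^MAC Address: (\S+) \((.*)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_hosts(text):
    """One record per host from -sn output. MAC and vendor stay None when
    nmap printed none (e.g. a host reached across a router rather than on the LAN)."""
    hosts = []
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            hosts.append({"ip": m.group(1), "latency": None, "mac": None, "vendor": None})
        elif (m := UP_RE.match(line)) and hosts:
            hosts[-1]["latency"] = float(m.group(1))
        elif (m := MAC_RE.match(line)) and hosts:
            hosts[-1]["mac"], hosts[-1]["vendor"] = m.group(1), m.group(2)
    return hosts

def parse_ports(text):
    """Port records from a -sV table; the header and any other lines are skipped."""
    ports = []
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip() or None})
    return ports

def inventory_diff(hosts, known):
    """IPs absent from the known {ip: mac} inventory, or whose MAC changed,
    so a scan becomes a short list of devices to go and identify."""
    return [h["ip"] for h in hosts if h["ip"] not in known or known[h["ip"]] != h["mac"]]
```

Feed it the saved output of a real scan (nmap -oN file.txt) to turn an ad hoc sweep into a repeatable inventory check.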
