No Random Ports
When nmap performs a port scan, it automatically randomizes the destination port numbers so that the scan blends more easily with normal network traffic patterns. For example, this excerpt of a default TCP SYN scan shows a random destination TCP port distribution:
Source        Destination   Summary 
-------------------------------------------------------------------------------------- 
[192.168.0.7] [192.168.0.1] TCP: D=13713 S=40950 SYN SEQ=1553882748 LEN=0 WIN=4096
[192.168.0.7] [192.168.0.1] TCP: D=1456 S=40950 SYN SEQ=1553882748 LEN=0 WIN=1024
[192.168.0.7] [192.168.0.1] TCP: D=2564 S=40950 SYN SEQ=1553882748 LEN=0 WIN=4096
[192.168.0.7] [192.168.0.1] TCP: D=83 S=40950 SYN SEQ=1553882748 LEN=0 WIN=3072
[192.168.0.7] [192.168.0.1] TCP: D=721 S=40950 SYN SEQ=1553882748 LEN=0 WIN=1024
[192.168.0.7] [192.168.0.1] TCP: D=811 S=40950 SYN SEQ=1553882748 LEN=0 WIN=4096
[192.168.0.7] [192.168.0.1] TCP: D=364 S=40950 SYN SEQ=1553882748 LEN=0 WIN=3072
[192.168.0.7] [192.168.0.1] TCP: D=51 S=40950 SYN SEQ=1553882748 LEN=0 WIN=3072
[192.168.0.7] [192.168.0.1] TCP: D=722 S=40950 SYN SEQ=1553882748 LEN=0 WIN=4096

When using the -r option, however, the port numbers are scanned sequentially:
Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.7] [192.168.0.1] TCP: D=1 S=54036 SYN SEQ=2232636309 LEN=0 WIN=2048
[192.168.0.7] [192.168.0.1] TCP: D=2 S=54036 SYN SEQ=2232636309 LEN=0 WIN=3072
[192.168.0.7] [192.168.0.1] TCP: D=3 S=54036 SYN SEQ=2232636309 LEN=0 WIN=2048
[192.168.0.7] [192.168.0.1] TCP: D=4 S=54036 SYN SEQ=2232636309 LEN=0 WIN=1024
[192.168.0.7] [192.168.0.1] TCP: D=5 S=54036 SYN SEQ=2232636309 LEN=0 WIN=4096
[192.168.0.7] [192.168.0.1] TCP: D=6 S=54036 SYN SEQ=2232636309 LEN=0 WIN=4096
[192.168.0.7] [192.168.0.1] TCP: D=7 S=54036 SYN SEQ=2232636309 LEN=0 WIN=4096
[192.168.0.7] [192.168.0.1] TCP: D=8 S=54036 SYN SEQ=2232636309 LEN=0 WIN=4096
The -r option also "unrandomizes" the IP protocol scan (-sO).
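As an added example (not from the book and not nmap code), the following Python script applies the distinction above from the defender's side: it parses sniffer summary lines in the format of the traces shown, groups SYNs by source/destination pair, flags pairs that probe many distinct destination ports, and labels the port order as sequential (the -r pattern) or randomized (the default). The sample lines and the 10.0.0.x addresses are constructed for the example.

```python
import re
from collections import defaultdict

# One line of the sniffer summary format shown in the traces above:
# [src] [dst] TCP: D=<dport> S=<sport> SYN SEQ=... LEN=... WIN=...
LINE_RE = re.compile(r"\[(?P<src>[\d.]+)\]\s+\[(?P<dst>[\d.]+)\]\s+TCP:\s+"
                     r"D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s+SYN\b")

def parse_syn_lines(lines):
    """Yield (src, dst, dport) for every line matching the SYN summary format."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def classify_scan(lines, min_ports=8):
    """Report (src, dst) pairs that probe at least `min_ports` distinct ports.
    A pair is 'sequential' when every port is one higher than the previous
    (the -r pattern) and 'randomized' otherwise (nmap's default ordering)."""
    per_pair = defaultdict(list)
    for src, dst, dport in parse_syn_lines(lines):
        per_pair[(src, dst)].append(dport)
    findings = {}
    for pair, ports in per_pair.items():
        if len(set(ports)) < min_ports:
            continue            # ordinary traffic touches only a few ports per pair
        sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
        findings[pair] = {"distinct_ports": len(set(ports)),
                          "pattern": "sequential" if sequential else "randomized"}
    return findings

# Constructed sample lines in the trace format above (not a real capture).
RANDOM_TRACE = [f"[10.0.0.7] [10.0.0.1] TCP: D={p} S=40950 SYN SEQ=1553882748 LEN=0 WIN=4096"
                for p in (13713, 1456, 2564, 83, 721, 811, 364, 51, 722)]
SEQUENTIAL_TRACE = [f"[10.0.0.7] [10.0.0.2] TCP: D={p} S=54036 SYN SEQ=2232636309 LEN=0 WIN=2048"
                    for p in range(1, 9)]
NORMAL_TRAFFIC = ["[10.0.0.9] [10.0.0.1] TCP: D=80 S=51000 SYN SEQ=1 LEN=0 WIN=65535",
                  "[10.0.0.9] [10.0.0.1] TCP: D=443 S=51001 SYN SEQ=2 LEN=0 WIN=65535"]

if __name__ == "__main__":
    for pair, info in classify_scan(RANDOM_TRACE + SEQUENTIAL_TRACE + NORMAL_TRAFFIC).items():
        print(pair, info)
```

The port order only changes the label; the distinct-port count is what raises the finding, so scanning with -r does not change whether a pair is flagged.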

Source Port (--source_port <portnumber>, -g <portnumber>)

During an nmap scan, the source port is often used to store counters and other information during the course of a scan. The source port doesn't often need to be defined, but the --source_port option provides a method of forcing the source port to a specified value if the need arises.

Since nmap uses the source port to carry scan state, forcing it to a fixed value reduces nmap's scanning efficiency.


The -g abbreviation is an alias for the more descriptive --source_port option name.


Specify Protocol or Port Numbers (-p <port_range>)
During a scan, nmap defaults to scanning ports 1 through 1,024, as well as any other ports listed in the nmap-services support file. This can amount to thousands of ports for a default scan to a single host!

The -p option provides a method of specifying the port numbers to be probed during an nmap scan. If the scan is TCP or UDP based, the port numbers can be any range of numbers between 0 and 65,535. For IP protocol scans (-sO), the -p option refers to IP protocol numbers between 0 and 255.

Since nmap can scan for different protocol types on a single command line, there are additional arguments that can be included to specify TCP or UDP port ranges. TCP port ranges can be specified with the T: argument, and UDP ports with the U: argument. These additional specifications are only required when a UDP scan is requested (-sU) on the same scan as a TCP-based scan type. The UDP scan is the only nmap scan type that can identify UDP ports. If neither protocol type is specified, the port range will apply to both types.

Port ranges can be specified as individual numbers, or ranges of numbers, with each group of numbers separated by commas. For example,
# nmap -sS 192.168.0.1 -p 23,80,111-124,155-
will perform a TCP SYN scan of IP address 192.168.0.1 on TCP ports 23, 80, 111 through 124, and all TCP ports between 155 and 65,535.

The nmap man page is slightly incorrect when it states that a specification of 60000- would scan all ports greater than 60,000, since port 60,000 would also be included as part of the scan.


If duplicate port numbers are listed on the command line, nmap will question the user's caffeine intake:
WARNING:  Duplicate port number(s) specified.  Are you alert enough to
be using Nmap?  Have some coffee or Jolt(tm).
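The following port-specification parser is an added example, not part of the book and not nmap's own code. It implements the -p syntax described above: single numbers, ranges, open-ended ranges such as 155- or 60000- that include their starting port, the T:/U: prefixes that apply to following items until the next prefix, and the 0-255 bound for -sO. It also collects the duplicate ports that trigger nmap's warning.

```python
from collections import Counter

MAX_PORT = 65535   # upper bound for TCP/UDP port ranges
MAX_PROTO = 255    # upper bound for IP protocol numbers (-sO)

def expand_range(token, upper):
    """Expand one comma-separated item: '23', '111-124', or the open-ended '155-'."""
    if "-" in token:
        lo, hi = token.split("-", 1)
        if not lo:
            raise ValueError(f"range {token!r} has no starting number")
        lo = int(lo)
        hi = int(hi) if hi else upper   # '155-' runs from 155 up to and including `upper`
    else:
        lo = hi = int(token)
    if not 0 <= lo <= hi <= upper:
        raise ValueError(f"specification {token!r} is outside 0-{upper}")
    return list(range(lo, hi + 1))

def parse_port_spec(spec, protocol_scan=False):
    """Parse a -p argument as the text describes it.
    Returns ({'T': [...], 'U': [...]}, duplicates) for TCP/UDP scans, or
    ({'P': [...]}, duplicates) for an IP protocol scan (-sO).  Items without a
    T:/U: prefix apply to both protocols; once a prefix is seen, following
    items apply to that protocol until the next prefix."""
    upper = MAX_PROTO if protocol_scan else MAX_PORT
    keys = ("P",) if protocol_scan else ("T", "U")
    result = {k: [] for k in keys}
    current = None                      # None = no prefix seen yet, apply to every key
    for token in spec.split(","):
        token = token.strip()
        if not protocol_scan and token[:2].upper() in ("T:", "U:"):
            current, token = token[0].upper(), token[2:]
        ports = expand_range(token, upper)
        for k in ([current] if current else keys):
            result[k].extend(ports)
    # nmap warns about repeated ports; collect them so a caller can do the same
    duplicates = {k: sorted(p for p, n in Counter(v).items() if n > 1)
                  for k, v in result.items()}
    return result, duplicates

if __name__ == "__main__":
    ports, dups = parse_port_spec("23,80,111-124,155-")
    print(len(ports["T"]), "TCP ports, first few:", ports["T"][:18], "duplicates:", dups)
```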

Fast Scan Mode (-F)
The "fast scan" nmap option doesn't have the most accurate name, since this scan mode doesn't actually change any of the nmap packet timing policies. Instead, fast scan mode (-F) limits nmap scans to the ports found in the nmap-services file. If nmap is performing an IP protocol scan (-sO), the fast scan mode scans only the IP protocol types listed in the nmap-protocols support file.

When used with a customized nmap-services or nmap-protocols support file, this fast scan mode can be an easy method of scanning specific port numbers without using the port specification option (-p).