Debug Mode (--debug, -d)
Nmap's debug mode displays extensive internal nmap information, and the amount of detail depends on the debug level selected on the nmap command line. There are five debug levels ranging from zero through four. Although it's possible to request a debug level higher than 4, there doesn't appear to be anything in the source code to support additional debugging output.

The --debug output is displayed on stdout, but will not be saved into any of nmap's output files (i.e., -oA). If the debug information is important, the nmap stdout output should be piped to a file from the nmap command line.


Increasing the debug levels will increase the amount of information in the nmap output. For example, if the debug option level is greater than two, the --packet_trace option will be enabled automatically.

The --debug syntax is different than what's used for the verbose (--verbose) option. The following nmap command lines all specify a debug level of two:
# nmap 192.168.0.1 --debug --debug
# nmap 192.168.0.1 -d -d
# nmap 192.168.0.1 -d --debug
clock
Unlike the --verbose option, the syntax of -dd is not valid and will not register any debug levels during the nmap scan. This will not give an error, however, and the nmap scan will continue to run normally without providing any debug output.


Increasing the debug level by one will also increase the verbosity level by one. If a verbosity level has already been set, it will be incremented again if the --debug option is also included on the nmap command line. For example, the following nmap command line runs with a verbosity level of three and a debugging level of two:
# nmap 192.168.0.1 –d –debug –v
This output shows an nmap SYN scan without any debug level:
# ./nmap -sS -oA debug_sS_off 192.168.0.1

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-05-25 23:26 EDT
Interesting ports on 192.168.0.1:
(The 1662 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:09:5B:D4:BB:FE (Netgear)

Nmap finished: 1 IP address (1 host up) scanned in 1.988 seconds
#
If the debug command is enabled, additional information is displayed. This output shows a debug level one output from the same SYN scan command:
# ./nmap -sS --debug -oA debug_sS 192.168.0.1 

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-05-25 23:25 EDT
Packet capture filter (device eth0): (icmp and dst host 192.168.0.7) or ((tcp or udp) and dst host 192.168.0.7 and ( dst port 45024 or dst port 45025 or dst port 45026 or dst port 45027 or dst port 45028))
We got a ping packet back from 192.168.0.1: id = 45708 seq = 33180 checksum = 52182
Hostupdate called for machine 192.168.0.1 state UNKNOWN/COMBO -> HOST_UP (trynum 0, dotimeadj: yes time: 821)
Finished block: srtt: 778 rttvar: 5000 timeout: 100000 block_tries: 1 up_this_block: 1 down_this_block: 0 group_sz: 1
massping done:  num_hosts: 1  num_responses: 1
Initiating SYN Stealth Scan against 192.168.0.1 [1663 ports] at 23:25
Packet capture filter (device eth0): dst host 192.168.0.7 and (icmp or (tcp and (src host 192.168.0.1)))
Discovered open port 80/tcp on 192.168.0.1
The SYN Stealth Scan took 1.07s to scan 1663 total ports.
Host 192.168.0.1 appears to be up ... good.
Interesting ports on 192.168.0.1:
(The 1662 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:09:5B:D4:BB:FE (Netgear)
Final times for host: srtt: 21760 rttvar: 4482  to: 100000

Nmap finished: 1 IP address (1 host up) scanned in 1.867 seconds
               Raw packets sent: 1665 (66.6KB) | Rcvd: 1664 (76.5KB)
#
As this output shows, extensive internal nmap operations are detailed during the scan. These internal processes are useful for development purposes, but the output is rarely useful for normal host and network scanning operations.