Introduction


Networks are the Wild West of the modern age. The network population is much like that of a frontier town. There's the usual local townsfolk who keep their head down and work amongst themselves, the occasional drifters who come into town and then disappear into the sunset, and there's always at least one black-hat-wearing bad guy who shows up to rob the bank, shoot up the saloon, or just cause a ruckus.

And then, there's the Sheriff. That's you.


In today's modern network, the Sheriff needs more than just a pair of spurs and a six-shooter. Today's network professional requires an eclectic mix of network analyzers, security tools, and multi-functional gadgets. Just like the Wild West, the Sheriff must always stay one step ahead of the bad guys.

Nmap is used every day by thousands of network professionals to keep their systems secure. Nmap's documentation describes it as a "network exploration tool and security scanner," and it has excelled at both of these complex tasks. Nmap tracks down the Wild West town's citizens, identifies each person, and checks them over for potential security gaps. All of these scans are configured, launched, and recorded using nmap's built-in capabilities. With nmap, the Wild West's network becomes a safer and more comfortable place to live.

Nmap is an extremely powerful tool, and one of the most popular security utilities in the open source community. It's written and maintained by "Fyodor" from his web site at http://www.insecure.org/nmap/. The nmap web page is a highly recommended read for its wealth of great security information.


What is nmap?

As its name implies, nmap is a network mapping utility. Provide nmap with a TCP/IP address, and it will identify any open "doors" or ports that might be available on that remote TCP/IP device. The real power behind nmap is the amazing number of scanning techniques and options available! Each nmap scan can be customized to be as blatantly obvious or as invisible as possible. Some nmap scans can forge your identity to make it appear that a separate computer is scanning the network, or simulate multiple scanning decoys on the network! This document will provide an overview of all nmap scanning methods, complete with packet captures and real-world perspectives of how these scans can be best used in enterprise networks.
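To make the "open doors" idea concrete, here is an added Python illustration (not nmap's own code and not part of the original text) of the simplest thing nmap automates: asking a host whether each port in a list accepts a full TCP connection. It reports the three states nmap uses for this kind of check: open (connection accepted), closed (connection refused), and filtered (no answer before the timeout). So that it runs offline, the script opens its own throwaway listener on 127.0.0.1 and probes that port alongside a port it knows is free; the listener, the port numbers, and the host address are all constructed for the demonstration.

```python
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Open a throwaway TCP listener so the probe has a known-open port.

    Binding to port 0 lets the OS pick a free port. Returns the server
    socket (close it to stop the listener) and the chosen port number.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        # Accept and immediately drop connections until the socket is closed.
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def find_free_port(host="127.0.0.1"):
    """Ask the OS for a currently unused port, then release it.

    Used only to get a port that will answer with a refusal (closed).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe_port(host, port, timeout=0.5):
    """Attempt one full TCP connection and classify the result.

    open     - the handshake completed
    closed   - the host actively refused (TCP reset)
    filtered - nothing came back before the timeout
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            # Unreachable host, no route, etc.: treat as no answer.
            return "filtered"


def connect_scan(host, ports):
    """Probe each port in turn and return {port: state}."""
    return {p: probe_port(host, p) for p in ports}


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = find_free_port()
    for port, state in connect_scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"127.0.0.1:{port} {state}")
    srv.close()
```

This full-connect probe is the most visible way to check a port, since every attempt completes a handshake that the target's application and logs can see; the chapters that follow show how nmap's other scan types trade that visibility for stealth and speed.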


One powerful aspect of nmap is its ubiquity. Nmap is available on flavors of UNIX, Linux, Windows, and Apple Macintosh OS X. The source code for nmap has been ported to many other operating systems, and it is already included with many UNIX and Linux distributions. You may have nmap already installed on your computer and not even know it!

Nmap runs from the command line of the operating system. This undoubtedly causes discomfort for users who are accustomed to a graphical utility, but understanding the command-line options and syntax is essential for taking advantage of the more advanced functionality that comes from batch files and redirected text. This tutorial will provide a step-by-step approach to understanding the command line, from the simplest options to the most complex.

For those more pictorially inclined, the nmap source distribution includes a graphical front-end for X Window systems called NmapFE. As the term "front-end" suggests, you'll still need to have the nmap binary installed on your system for NmapFE to work properly. Although this tutorial emphasizes the command line of nmap, it also includes an overview of NmapFE's functionality.

Many Microsoft Windows users may be familiar with NMapWin, an nmap front-end for Windows 2000 and Windows XP. This front-end has not been updated since 2002, and the newest features of nmap are therefore not accessible through NMapWin. Because of these limitations, NMapWin is not included as part of this document. Except for a few Windows-related network shortcomings, nmap still works admirably from the command line on Windows-based computers.

This document will detail every nmap function, display how each option affects network traffic, and show how these functions can be applied to real-world use. Protocol decodes are also included to show how nmap scans will appear when they traverse the network.