The Nmap Scanning Process

Nmap performs four steps during a normal device scan. Some of these steps can be modified or disabled using options on the nmap command line.

  1. If a hostname is used as a remote device specification, nmap will perform a DNS lookup prior to the scan. This isn't really an nmap function, but it's useful to mention since this DNS traffic will appear as network traffic and the query will eventually be noted in the DNS logs. If an IP address is used to specify the remote device, this step never occurs. There's no way to disable a DNS lookup when a hostname is specified, unless the hostname and IP address is found in a locally maintained name resolution file such as hosts or lmhosts.


  2. Nmap pings the remote device. This refers to the nmap "ping" process, not (necessarily) a traditional ICMP echo request. Chapter 3 contains more information on nmap's plethora of ping options. This ping process can be disabled with the –P0 option.


  3. If an IP address is specified as the remote device, nmap will perform a reverse DNS lookup in an effort to identify a name that might be associated with the IP address. This is the opposite process of what happens in step 1, where an IP address is found from a hostname specification.


  4. This process may seem redundant if a DNS lookup is done on step one, but often the results of a name-to-IP-address are different that the results of an IP-address-to-name. Often, the name we use to identify hosts is an alias of the actual host name. For example, if www.microsoft.com is used as a hostname on the nmap command line, the DNS lookup in step one may resolve the IP address as 207.46.19.30. However, a reverse DNS of that IP address in step three might show that address belongs to www.microsoft.com.nsatc.net, a third-party hosting provider for Microsoft.

    If this reverse lookup process isn't required or desired, it can be disabled with the –n option.

  5. Nmap executes the scan. Once the scan is over, this four-step process is completed.

  6. Except for the actual scan process in step four, each of these steps can be disabled or prevented using different IP addressing or nmap options. The nmap process can be as "quiet" or as "loud" as necessary!

    If the scan is interrupted (with CTRL-C), an "interrupt" process performs a cleanup to close any log files and halt nmap. If the scan is resumed (with the --resume option), nmap uses the log file information to begin scanning from the previous location. A normal (-oN) or grepable log file (-oG) option must be specified to resume the scanning process.