UDP Scan (-sU)
Requires Privileged Access: YES
Identifies TCP Ports: NO
Identifies UDP Ports: YES

UDP has no need for SYNs, FINs, or any other fancy handshaking. With the UDP protocol, packets are sent and received without warning and prior notice is not usually expected. This lack of a formal communications process greatly simplifies UDP scanning!

UDP Scan Operation

A station that responds with an ICMP port unreachable is clearly advertising a closed port:

Source          Destination     Summary 
[]  [] UDP: D=971 S=43347 LEN=8
[] []  ICMP: Destination unreachable (Port unreachable)
A station that doesn't respond to the UDP scan is considered to be open|filtered:

Source          Destination     Summary 
[] [] UDP: D=80 S=43347 LEN=8
A station that responds with UDP data is advertising an open port:

Source          Destination     Summary 
[]  [] UDP: D=2001 S=43347 LEN=8
[] []  UDP: D=43347 S=2001 LEN=40
The nmap output shows the results of the UDP scan:
# nmap -sU -v

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-11 12:44 EDT
Initiating UDP Scan against [1478 ports] at 12:44
Discovered open port 2001/udp on
The UDP Scan took 1.47s to scan 1478 total ports.
Host appears to be up ... good.
Interesting ports on
(The 1468 ports scanned but not shown below are in state: closed)
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1031/udp open|filtered iad2
1032/udp open|filtered iad3
1900/udp open|filtered UPnP
2001/udp open          wizard
4500/udp open|filtered sae-urn
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)

Nmap finished: 1 IP address (1 host up) scanned in 2.241 seconds
               Raw packets sent: 1489 (41.7KB) | Rcvd: 1470 (82.3KB)
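The nmap listing above mixes one confirmed open port with nine ambiguous open|filtered ports and a summary line for the 1468 closed ones. The following Python parser, an added example that is not part of the original page and not nmap's own code, reads that normal-output format, tallies the states, separates the confirmed open ports from those that still need a version probe, and checks the totals against the "ports scanned" summary. The sample input is the page's own listing (target address redacted as on the page); the line patterns assumed are those of nmap 3.x normal output.

```python
import re
from dataclasses import dataclass

# Sample input: the nmap -sU listing from the page (target address redacted).
SAMPLE_OUTPUT = """\
Interesting ports on
(The 1468 ports scanned but not shown below are in state: closed)
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1031/udp open|filtered iad2
1032/udp open|filtered iad3
1900/udp open|filtered UPnP
2001/udp open          wizard
4500/udp open|filtered sae-urn
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)
"""

# One port line: "<port>/<proto> <state> <service>" (state may contain '|').
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>udp|tcp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
# The summary for ports nmap does not list individually.
NOT_SHOWN = re.compile(
    r"\(The (?P<count>\d+) ports scanned but not shown below are in state: (?P<state>[\w|]+)\)"
)


@dataclass(frozen=True)
class PortResult:
    port: int
    proto: str
    state: str
    service: str


def parse_udp_scan(text):
    """Return (listed ports, state -> count) including the not-shown summary in the counts."""
    results, counts = [], {}
    for line in text.splitlines():
        m = NOT_SHOWN.search(line)
        if m:
            counts[m["state"]] = counts.get(m["state"], 0) + int(m["count"])
            continue
        m = PORT_LINE.match(line)
        if m:
            r = PortResult(int(m["port"]), m["proto"], m["state"], m["service"])
            results.append(r)
            counts[r.state] = counts.get(r.state, 0) + 1
    return results, counts


def confirmed_open(results):
    """Ports that answered the probe with UDP data: the only unambiguous 'open' verdict of -sU."""
    return [r for r in results if r.state == "open"]


def followup_ports(results):
    """open|filtered ports gave no answer at all; only a version probe (-sV) can separate
    a silent open service from a filtered port, so these are the ones to re-examine."""
    return sorted(r.port for r in results if r.state == "open|filtered")


def total_scanned(counts):
    """Listed ports plus the not-shown summary should equal the 'total ports' nmap reports."""
    return sum(counts.values())


if __name__ == "__main__":
    results, counts = parse_udp_scan(SAMPLE_OUTPUT)
    print("state counts:", counts, "total:", total_scanned(counts))
    print("confirmed open:", [r.port for r in confirmed_open(results)])
    print("need -sV follow-up:", followup_ports(results))
```

Feeding the parser a saved `-oN` file instead of the embedded sample works the same way; the useful triage signal is the split between the single "open" verdict and the list of open|filtered ports, which the page's Disadvantages section explains still need -sV before they can be called live services.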

Advantages of the UDP Scan
Since there's no overhead of a TCP handshake, the UDP scan is inherently less "chatty" once it finds an open port. However, if ICMP is responding to each unavailable port, the number of total frames can exceed a TCP scan by about 30%!

Microsoft-based operating systems do not usually implement any type of ICMP rate limiting, so this scan operates very efficiently on Windows-based devices.

Disadvantages of the UDP Scan
The UDP scan provides port information only. If additional version information is needed, the scan must be supplemented with a version detection scan (-sV) or the operating system fingerprinting option (-O).

The UDP scan requires privileged access, so this scan option is only available on systems with the appropriate user permissions.

RFC 1812 provides recommendations for limiting the rate of ICMP messages from a single device. The implementation of the rate limiting is not specifically defined, but the RFC suggests methods that would send ICMP messages relative to the number of received frames, ICMP messages every T milliseconds, or ICMP messages relative to the available bandwidth. If a device has implemented ICMP rate limits, nmap will automatically slow the scan rate to match the ICMP rates.
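The interaction between the three inference rules from the traces above and RFC 1812 rate limiting is easy to get wrong when reading UDP results: a closed port whose ICMP reply was suppressed by the limiter looks exactly like an open|filtered port. The simulation below is an added example, not part of the original page and not nmap's actual timing algorithm. It models a hypothetical host that emits at most one ICMP port-unreachable every T milliseconds (the "every T milliseconds" method the RFC suggests), applies the page's classification rules, and shows how a probe burst faster than T misclassifies almost every closed port, while a second pass paced at the observed ICMP spacing recovers the correct states. All port states and timings are constructed; no packets are sent.

```python
from dataclasses import dataclass, field

# Constructed target: 300 closed ports, one open port, one silently filtered port.
TRUE_STATE = {**{p: "closed" for p in range(1, 301)}, 2001: "open", 500: "filtered"}


@dataclass
class RateLimitedHost:
    """Hypothetical host: at most one ICMP unreachable per icmp_interval_ms (RFC 1812 style).
    Not a model of any particular operating system's limiter."""
    true_state: dict
    icmp_interval_ms: float
    last_icmp_ms: float = field(default=float("-inf"))

    def probe(self, port, now_ms):
        state = self.true_state.get(port, "closed")
        if state == "open":
            return "udp-data"          # the service answers, as port 2001 did in the trace
        if state == "filtered":
            return None                # a firewall drops the probe; nothing comes back
        if now_ms - self.last_icmp_ms >= self.icmp_interval_ms:
            self.last_icmp_ms = now_ms
            return "icmp-port-unreachable"
        return None                    # closed, but the ICMP reply was rate-limited away


def classify(reply):
    """The page's inference rules: ICMP unreachable -> closed, UDP data -> open, silence -> open|filtered."""
    if reply == "icmp-port-unreachable":
        return "closed"
    if reply == "udp-data":
        return "open"
    return "open|filtered"


def scan(host, ports, probe_interval_ms, start_ms=0.0):
    """Probe the ports at a fixed pace; return states, ICMP reply times and the clock at the end."""
    results, icmp_times, now = {}, [], start_ms
    for port in ports:
        reply = host.probe(port, now)
        results[port] = classify(reply)
        if reply == "icmp-port-unreachable":
            icmp_times.append(now)
        now += probe_interval_ms
    return results, icmp_times, now


def observed_icmp_interval(icmp_times):
    """Smallest gap between consecutive ICMP replies: when probing faster than the
    limiter, this gap is the limiter's period."""
    gaps = [b - a for a, b in zip(icmp_times, icmp_times[1:])]
    return min(gaps) if gaps else None


def adaptive_scan(host, ports, fast_interval_ms=1.0):
    """Fast first pass, then re-probe the ambiguous ports at the pace the ICMP replies revealed."""
    first, icmp_times, now = scan(host, ports, fast_interval_ms)
    period = observed_icmp_interval(icmp_times)
    if period is None:
        return first, None
    ambiguous = [p for p, s in first.items() if s == "open|filtered"]
    second, _, _ = scan(host, ambiguous, period, start_ms=now)
    return {**first, **second}, period


def misclassified_closed(results, true_state):
    """Closed ports that the scan reported as anything other than closed."""
    return sorted(p for p, s in results.items() if true_state.get(p) == "closed" and s != "closed")


def demo(adaptive, icmp_interval_ms=100.0):
    """Run one scan against a fresh host; return (misclassified closed ports, detected period)."""
    host = RateLimitedHost(TRUE_STATE, icmp_interval_ms)
    ports = sorted(TRUE_STATE)
    if adaptive:
        results, period = adaptive_scan(host, ports)
    else:
        results, _, _ = scan(host, ports, 1.0)
        period = None
    return misclassified_closed(results, TRUE_STATE), period


if __name__ == "__main__":
    bad, _ = demo(adaptive=False)
    print(f"1 ms burst against a 100 ms ICMP limiter: {len(bad)} closed ports reported open|filtered")
    bad, period = demo(adaptive=True)
    print(f"re-probed at the observed {period} ms spacing: {len(bad)} closed ports misreported")
```

The unpaced pass gets an ICMP reply only for the first probe in each 100 ms window, so 297 of the 300 closed ports come back open|filtered; the paced second pass brings that to zero. The practical reading for anyone reviewing UDP results is that a long list of open|filtered ports against a rate-limiting host says more about the limiter than about the ports, which is why nmap slows down rather than trusting the silence.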

When to use the UDP Scan
Because of the huge amount of TCP traffic on most networks, the usefulness of the UDP scan is often incorrectly discounted. There are numerous examples of open UDP ports caused by spyware applications, Trojan horses, and other malicious software. The UDP scan will locate these open ports and provide the security manager with valuable information that can be used to identify and contain these infestations.