The Null Scan (-sN)
The null scan turns off all flags, producing a TCP header with no flags set, a condition that should never occur in the real world.

If the port is closed, a RST frame should be returned:

Source          Destination     Summary 
[]  []  TCP: D=438 S=36860     WIN=4096
[]  []  TCP: D=36860 S=438 RST ACK=2135565682 WIN=0

As expected, a null scan of an open port results in no response:

Source          Destination     Summary 
[]  []  TCP: D=110 S=36860     WIN=1024

The null scan showed the same results as the FIN scan and the Xmas tree scan:

# nmap -sN -v

Starting nmap 3.81 ( ) at 2005-04-23 21:19 EDT
Initiating NULL Scan against [1663 ports] at 21:19
The NULL Scan took 1.42s to scan 1663 total ports.
Host appears to be up ... good.
Interesting ports on
(The 1654 ports scanned but not shown below are in state: closed)
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
79/tcp   open|filtered finger
110/tcp  open|filtered pop3
111/tcp  open|filtered rpcbind
514/tcp  open|filtered shell
886/tcp  open|filtered unknown
2049/tcp open|filtered nfs
MAC Address: 00:03:47:6D:28:D7 (Intel)

Nmap finished: 1 IP address (1 host up) scanned in 2.251 seconds
               Raw packets sent: 1674 (66.9KB) | Rcvd: 1655 (76.1KB)
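
From the defender's side, the same traces can be read out of a capture. The following is an added example, not part of the original text: it parses raw TCP headers, labels flagless (null), FIN and Xmas tree probes, and lists which probed ports stayed silent, which is what the scanner saw as open|filtered. The addresses, the helper names and the extra port 21 probe are constructed for illustration.

```python
import struct
from collections import defaultdict

FIN, RST, PSH, ACK, URG = 0x01, 0x04, 0x08, 0x10, 0x20

def tcp_header(sport, dport, flags, win, ack=0):
    """Build a bare 20-byte TCP header (constructed test data, checksum 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, ack, 5 << 4, flags, win, 0, 0)

def classify(segment):
    """Return (source port, destination port, label) for a raw TCP header."""
    sport, dport, _seq, _ack, _off, flags, _win = struct.unpack("!HHIIBBH", segment[:16])
    flags &= 0x3F                      # keep URG/ACK/PSH/RST/SYN/FIN only
    if flags == 0:
        label = "null"                 # no flags at all: the -sN probe
    elif flags == FIN:
        label = "fin"
    elif flags == FIN | PSH | URG:
        label = "xmas"
    elif flags & RST:
        label = "rst"
    else:
        label = "other"
    return sport, dport, label

def null_scan_report(capture, min_ports=3):
    """Group flagless probes by (scanner, target) and list ports that stayed silent."""
    probed, reset = defaultdict(set), defaultdict(set)
    for src, dst, segment in capture:
        sport, dport, label = classify(segment)
        if label == "null":
            probed[(src, dst)].add(dport)
        elif label == "rst":
            reset[(dst, src)].add(sport)   # the reply travels target -> scanner
    return {pair: {"probed": ports, "silent": ports - reset[pair]}
            for pair, ports in probed.items() if len(ports) >= min_ports}

# Constructed capture: addresses are documentation-range placeholders, ports and
# window sizes follow the traces above (438 closed, 110 open); port 21 is added.
SCANNER, TARGET = "192.0.2.10", "192.0.2.20"
CAPTURE = [
    (SCANNER, TARGET, tcp_header(36860, 438, 0, 4096)),
    (TARGET, SCANNER, tcp_header(438, 36860, RST | ACK, 0, ack=2135565682)),
    (SCANNER, TARGET, tcp_header(36860, 110, 0, 1024)),
    (SCANNER, TARGET, tcp_header(36860, 21, 0, 1024)),
]

if __name__ == "__main__":
    for pair, result in null_scan_report(CAPTURE).items():
        print(pair, "silent (open|filtered):", sorted(result["silent"]))
```

Because a TCP segment with no flags never occurs in normal traffic, a single "null" label is already worth an alert; the min_ports threshold only separates a scan from a stray malformed packet.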