nmap exposes a dozen-plus scan techniques, each sending a different probe and reading the response in a different way. Picking the right one decides whether you get accurate results, slip past a firewall, or get logged and blocked. This reference lists every scan flag with its protocol, privilege requirement, stealth level, and the exact probe logic it uses.
Core scan types at a glance
| Flag | Name | Needs root? | Stealth | Key behaviour |
|---|---|---|---|---|
-sS | SYN (half-open) | Yes | Medium | SYN → SYN/ACK=open, RST=closed; never completes handshake |
-sT | TCP connect | No | Low | OS connect() — full handshake; logged by apps |
-sU | UDP | Yes | Medium | No reply or ICMP unreachable; very slow |
-sA | ACK | Yes | Medium | Maps firewall rules, not open ports |
-sW | Window | Yes | Medium | Like ACK; reads TCP window field to infer state |
-sF | FIN | Yes | High | Closed RSTs; open ignores; fails on Windows |
-sN | Null | Yes | High | No flags set; same logic as FIN |
-sX | Xmas | Yes | High | FIN+PSH+URG set; same logic as FIN |
-sM | Maimon | Yes | High | FIN+ACK; most systems RST regardless of state |
-sI | Idle (zombie) | Yes | Very high | Bounces probes via third party; source hidden |
-sV | Version detect | Yes | — | Adds banner grabbing on top of any scan |
-sC | Default scripts | Yes | — | Runs default NSE scripts after port discovery |
How the main scan types work
SYN scan (-sS) — the standard choice for privileged users. nmap forges a SYN packet, reads the reply, and sends an RST to abort the connection before the handshake completes. The listening application never receives the connection, so it typically does not log it. Requires raw socket access, meaning root (or CAP_NET_RAW on Linux).
Connect scan (-sT) — nmap asks the OS kernel to connect normally via connect(). No raw socket needed, so it works without root. The downside: the connection completes, so every open port is logged by the application. Also slower than SYN because the full handshake runs.
UDP scan (-sU) — UDP has no handshake, so nmap infers port state from ICMP port-unreachable replies (closed) or silence (open or filtered). Many hosts rate-limit ICMP responses, which makes this scan extremely slow. Combine with -sV to distinguish open from open|filtered by probing specific services.
FIN / Null / Xmas scans (-sF, -sN, -sX) — these send packets with unusual or absent TCP flags. RFC 793 says a closed port should RST, while an open port should ignore such packets. This means silence = open|filtered and RST = closed. Stateless firewalls that only block SYN packets pass these through. The critical limitation: Windows does not follow RFC 793 here — it RSTs all unusual packets regardless of port state, so these scans are unreliable against Windows targets.
ACK scan (-sA) — sends an ACK packet. A firewall that filters the port drops it (filtered); a stateless firewall or direct-connected host returns RST (unfiltered). This tells you about firewall rules, not whether a port has a listener. Useful for mapping which ports a firewall passes, not for service enumeration.
Idle scan (-sI) — the most evasive technique: nmap sends probes spoofed to appear from a third-party “zombie” host with predictable IP ID values. By monitoring the zombie’s IP ID counter, nmap infers whether the target port is open without the target ever seeing the real scanner’s address. Requires finding a suitable zombie and is sensitive to network conditions.
Combining flags effectively
# Privileged SYN scan with version detection and default scripts
sudo nmap -sS -sV -sC 192.168.1.1
# UDP scan of top 100 UDP ports
sudo nmap -sU --top-ports 100 192.168.1.1
# Firewall rule mapping with ACK scan
sudo nmap -sA 192.168.1.1
# Fast scan, all TCP ports, output to all formats
sudo nmap -sS -p- -T4 -oA results 192.168.1.1
Raw-packet scans silently downgrade to -sT without root — check sudo before debugging why SYN scan appears slow.
Legal note
Only scan hosts and networks you own or have explicit written authorisation to test. Unauthorised port scanning may violate computer misuse laws in many jurisdictions, even when no harm is caused or intended. Always get written permission before any scan.