nmap (Network Mapper) is the industry-standard open-source tool for network discovery and security auditing. Network engineers use it to identify live hosts on a subnet, enumerate open ports and running services, detect operating systems, and map network topology. Whether you are performing a quick ping sweep, auditing firewall rules, or inventorying devices across a VLAN, nmap is the go-to tool. Use the command builder below to construct scans without memorizing flags, or browse the reference section for the most common scan types.
nmap's default port scan, when you run it with privileges, is the SYN scan (-sS), sometimes called a "half-open" or "stealth" scan. It sends a SYN, reads the reply (SYN-ACK means open, RST means closed, silence means filtered), then tears the probe down with a RST instead of completing the handshake. It is fast and accurate, and because the handshake never completes, the target application never sees a connection, so nothing lands in its application logs. The catch: it needs root/admin to send raw packets. Run nmap unprivileged without naming a scan type and it picks the Connect scan (-sT) instead, which completes the handshake through the OS TCP stack; ask for -sS explicitly without privileges and nmap refuses rather than downgrading. Connect scans need no root but are louder: every completed connection is visible to the target service and ends up in its logs. "Stealth" is relative, too: a SYN scan is invisible to the application, not to a firewall or IDS watching the wire.
Quick reference for the rest. -sU UDP: slow, because a UDP port that sends nothing back is reported as open|filtered (an open service that ignores an empty or unexpected payload looks the same as a firewall dropping the probe), so nmap waits out a timeout and retries for every silent port; closed ports are identified by ICMP port unreachable replies, which Linux rate-limits to roughly one per second, so a full 65,535-port UDP sweep of a Linux host can take many hours. -sn ping sweep: host discovery only, no port scan. -sV version detection: probes open ports to identify the actual service and version instead of trusting the port number. -O OS fingerprinting: sends a battery of crafted packets and matches the responses against nmap's fingerprint database; like -sS it needs raw packets and therefore root/admin. -sC: run the default NSE script set. -A aggressive: combines -sV, -O, -sC and --traceroute, the "give me everything" button, and correspondingly the noisiest option on this list.
Timing templates (-T0 through -T5) tune how aggressively nmap parallelizes and how long it waits between probes. -T0 paranoid is for IDS evasion (one probe every 5 minutes — used in red-team work, never in normal ops). -T3 is the default and works well for LAN scanning. -T4 is common for "I'm in a hurry on a fast network" but can drop accuracy on flaky links and trip rate-limiting on small devices. -T5 insane sacrifices accuracy for speed and is rarely the right answer. For WAN-side scanning of someone else's infrastructure, stay at -T3 or below — going faster annoys upstream IDS systems and produces noisy support tickets.
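As an added example that is not part of this page (it is neither the page's command builder nor nmap's own code), here is a small Python builder that turns the choices from the three paragraphs above into an nmap argv: the scan-type flags and their raw-socket requirement, the unprivileged downgrade of the default SYN scan to -sT, the -A bundle, and the rule that external targets are never scanned faster than -T3. It assumes the caller passes `privileged` explicitly when auto-detection from the effective UID is not wanted, and it treats bare hostnames as external targets, which is this example's own convention. The targets in the demo are constructed RFC 1918 addresses and a placeholder hostname, not real scan targets.

```python
"""Compose nmap command lines from the scan types and timing rules above.

Added example (not the page's command builder and not nmap's own code). It encodes
the rules the text states: raw-packet scans (-sS, -sU) and OS fingerprinting (-O, -A)
need root/admin, an unprivileged default scan becomes -sT, -A bundles -sV -O -sC
--traceroute, and scans of targets outside your own address space are held to -T3.
Treating bare hostnames as "external" is this example's own assumption.
"""
import ipaddress
import os
import re
import shlex
from dataclasses import dataclass, field

# scan type -> (nmap flag, needs raw sockets)
SCAN_FLAGS = {
    "syn": ("-sS", True),
    "connect": ("-sT", False),
    "udp": ("-sU", True),
    "ping": ("-sn", False),   # host discovery only, no port scan
}

# "22,80,443", "1-1024" or "-" (all ports); the T:/U: prefix syntax is deliberately not accepted
PORT_SPEC = re.compile(r"(-|\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*)")


@dataclass
class NmapCommand:
    argv: list
    warnings: list = field(default_factory=list)

    def __str__(self) -> str:
        return shlex.join(self.argv)


def is_external(target: str) -> bool:
    """True unless target is a private, loopback or link-local address or CIDR.
    A hostname cannot be classified without DNS, so it counts as external
    (assumption made here; it errs toward the slower, safer timing)."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return True
    return not (net.is_private or net.is_loopback or net.is_link_local)


def build(target, scan="syn", timing=3, ports=None, version=False,
          os_detect=False, aggressive=False, privileged=None) -> NmapCommand:
    """Return the argv for one scan plus any adjustments made along the way."""
    if privileged is None:                       # detect, unless the caller overrides
        privileged = hasattr(os, "geteuid") and os.geteuid() == 0
    if scan not in SCAN_FLAGS:
        raise ValueError(f"unknown scan type {scan!r}")
    if not isinstance(timing, int) or not 0 <= timing <= 5:
        raise ValueError("timing template must be 0..5 (-T0 paranoid .. -T5 insane)")
    if ports is not None and not PORT_SPEC.fullmatch(ports):
        raise ValueError(f"bad port spec {ports!r}")
    if scan == "ping" and (version or os_detect or aggressive):
        raise ValueError("-sn does no port scan, so -sV/-O/-A have nothing to probe")

    warnings = []
    flag, needs_raw = SCAN_FLAGS[scan]
    if needs_raw and not privileged:
        if scan == "syn":
            # the downgrade nmap itself applies to its default scan when unprivileged
            flag = "-sT"
            warnings.append("not privileged: SYN scan downgraded to connect scan (-sT)")
        else:
            raise PermissionError(f"{flag} needs raw sockets; run as root/admin")
    if (os_detect or aggressive) and not privileged:
        raise PermissionError("-O (and -A, which includes it) needs raw packets; run as root/admin")

    if is_external(target) and timing > 3:
        # the WAN-side rule from the text: never faster than the default against other people's kit
        warnings.append(f"external target: -T{timing} lowered to -T3")
        timing = 3

    argv = ["nmap", flag, f"-T{timing}"]
    if aggressive:
        argv.append("-A")            # implies -sV, -O, -sC and --traceroute
    else:
        if version:
            argv.append("-sV")
        if os_detect:
            argv.append("-O")
    if ports is not None and scan != "ping":
        argv += ["-p", ports]
    argv.append(target)
    return NmapCommand(argv, warnings)


if __name__ == "__main__":
    # constructed targets: RFC 1918 space and a placeholder hostname, not real scan targets
    for cmd in (build("10.0.0.0/24", privileged=True),
                build("10.0.0.5", ports="22,80,443", version=True, privileged=True),
                build("example.org", scan="connect", timing=4, privileged=False)):
        print(cmd, *("  # " + w for w in cmd.warnings))
```

The builder returns an argv list rather than a shell string so the target and port spec can be handed straight to `subprocess.run` without a shell; `str(cmd)` only exists for display. Where nmap's own behaviour is a hard refusal (a raw-socket scan or -O without privileges), the builder raises instead of guessing a fallback, and the only automatic downgrade it performs is the one nmap applies itself to its default scan.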
Legal note: only scan networks you own or have explicit written permission to scan. Unauthorized port scanning is, in many jurisdictions, a criminal offense — not a hypothetical one. If you're scanning a customer's network, get authorization in writing before you start. If you need to test the public face of your own infrastructure from outside, use a cloud VM you own and document what you're doing. Default nmap scans are quiet by network-tool standards but are still trivial for any modern firewall or SOC tooling to detect.