The Network Mapper

How to see everything connected to a network.

Nmap is a free tool that helps you find computers, phones, and servers on a network. It shows you what doors are open on those devices and what software is running behind them.

The Building Analogy

Imagine an IP address is a large office building. Nmap is a security guard. The guard walks up to the building and knocks on every single door (port) to see if anyone answers.

The Result

After knocking, the guard writes a list. The list says which doors are open, which are locked, and who answered the open doors. This is exactly what Nmap does for computer networks.

What is Nmap actually used for?

1. Finding Lost Devices

You plug a new printer into your network but don't know its address. Nmap can scan the whole network and find it for you.

2. Checking Security

You want to make sure your computer doesn't have open doors that hackers can walk through. Nmap shows you your open doors.

3. Inventory Check

A company needs a list of every computer running in their office. Nmap builds this list automatically.

How to write an Nmap command

Every command is built using three simple parts: The tool, the options (flags), and the target.

nmap -sV -p 80 192.168.1.1

nmap

This tells the computer to start the Nmap program.

-sV -p 80

The flags. These tell Nmap how to act. Here we ask it to check the version (-sV) and only check door number 80 (-p 80).

192.168.1.1

The target. This is the exact address of the computer you want to check.

The Master Key: `sudo`

You will often see commands start with sudo nmap. Why? Some of Nmap's best tricks (like silent knocking or guessing the operating system) require deep access to your computer's network card.

Typing sudo is like pulling out a master key. It tells your computer, "I am the boss, let Nmap do advanced stuff." If a scan isn't working right, you probably forgot sudo.

Finding the Building First (Ping Sweep)

Before Nmap knocks on 1,000 doors, it checks if the building is even there. If a computer is turned off, there's no point checking its doors. Nmap uses a "Ping Sweep" to shout "Is anyone awake?" to an entire network.

-sn

The "No Port Scan" flag

The -sn flag tells Nmap: "Just tell me which computers are turned on. Don't bother checking any of their doors." This is incredibly fast. You can find every device on your home Wi-Fi in less than 3 seconds.

What is a "Port"?

If an IP address is a building, a port is a specific room inside that building. A computer has 65,535 possible ports. Some rooms are used for specific jobs.

Port 80    HTTP (Websites)       Used for normal, unencrypted web pages.
Port 443   HTTPS (Secure Web)    Used for secure, locked web pages.
Port 22    SSH (Remote Control)  Used by admins to control a computer from far away.
Port 53    DNS (Address Book)    Translates names like google.com into numbers.

Choosing Which Doors to Check

By default, Nmap only checks the top 1,000 most common doors to save time. But you can tell it exactly which ones you care about.

-p 80,443

A short list. Only check door 80 and door 443. Nothing else.

-p 1-100

A range. Check every single door starting from 1 up to 100.

-p-

All of them. The magic dash tells Nmap to check all 65,535 doors. This takes a long time!

The 3 Answers Nmap Can Get

When Nmap knocks on a port, it usually gets one of three answers back.

Open

The door is open, and a program is actively listening on this port. Anyone can connect to it.

Closed

Nmap knocked, and the computer said "I am here, but there is no program running on this port right now."

Filtered

Nmap knocked, but heard nothing back. A firewall (a security shield) is blocking Nmap's messages from reaching the port.

Two Ways to Talk: TCP vs UDP

Computers send messages in two main ways. Nmap needs to know which way you want to check.

TCP (The Phone Call)

Nmap Flag: -sT or -sS (Default)

TCP is like calling someone on the phone. You dial, they answer "Hello", you say "Hello back", and then you start talking. It guarantees the message arrived. Most of the internet (websites, emails) uses TCP.

UDP (The Postcard)

Nmap Flag: -sU

UDP is like throwing a postcard in a mailbox. You hope it gets there, but you never get a receipt. It's very fast, used for live video games and video calls. Scanning UDP is much slower because Nmap has to wait a long time to see if the postcard was ignored.

Scan Types: How hard should Nmap knock?

Flag: -sT

The "Connect" Scan (Loud)

Nmap walks up, knocks, waits for the door to open, steps inside, says "Hello", and then leaves. It completes a full connection. It is highly accurate, but it is very loud. The computer will write down in its logbook that you visited.

Flag: -sS

The "SYN" Scan (Quiet)

Nmap knocks. As soon as the door starts to open, Nmap runs away before stepping inside. It found out the door was open, but because it didn't complete the greeting, many computers won't write it down in their logbook. This is the default scan when Nmap is run with sudo; without sudo, Nmap falls back to the Connect scan (-sT).

Finding out what is behind the door

Knowing a port is open is good. Knowing exactly what software is using that port is better.

-sV

The Version flag

When you use -sV, Nmap doesn't just check if the door is open. It yells into the room and asks, "What is your name and what version are you?"

Without -sV: Port 80 Open (HTTP)
With -sV: Port 80 Open (HTTP - Apache web server version 2.4.41)

Guessing the Operating System

-O

The OS flag (Capital letter O)

Every operating system (Windows, Mac, Linux) answers network messages in a slightly different way—like an accent. Nmap can listen to these "accents" and guess what operating system the target is running.

The Speedometer (Timing Templates)

Sometimes you are in a rush. Sometimes you want to go very slowly so security alarms don't go off. You can control Nmap's speed from 0 to 5 using the -T flag.

-T0   Paranoid     Extremely slow. Waits 5 minutes between each knock. Good for hiding.
-T3   Normal       The default speed. A good balance of speed and reliability.
-T4   Aggressive   Fast and loud. Used commonly on fast, modern Wi-Fi networks.
-T5   Insane       As fast as possible. So fast it might accidentally miss open doors.

Ninja Mode (Decoys)

If you don't want the target computer to know you are the one knocking, you can use decoys.

nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.50

The -D flag tells Nmap to send fake knocks from other IP addresses at the exact same time you knock. To the target's security guard, it looks like 3 different people knocked at once. They won't know which one was actually you.

The Advanced Stuff: Nmap Scripts (NSE)

Nmap has mini-programs inside it called scripts. These scripts can do complicated jobs automatically.

-sC

Runs a collection of the safest and most common scripts. It checks for obvious weak spots.

--script vuln

Tells Nmap to run specific scripts that check if the computer has known security holes (vulnerabilities).

Don't like the black screen?

If typing commands into a black terminal window feels intimidating, you can use Zenmap.

Zenmap is the official visual version of Nmap. It has buttons, drop-down menus, and even draws a cool spider-web map of all the devices on your network. It does the exact same thing as the terminal, just with a mouse.

Reading the Results

When Nmap finishes, it prints a report. Here is how to read a basic scan report.

$ nmap -sV 192.168.1.50
Starting Nmap 7.93 at 2026-04-14 11:30
Nmap scan report for 192.168.1.50
Host is up (0.0020s latency).
Not shown: 997 closed ports
PORT     STATE     SERVICE  VERSION
22/tcp   open      ssh      OpenSSH 8.2p1
80/tcp   open      http     Apache httpd 2.4.41
443/tcp  filtered  https
Nmap done: 1 IP address scanned in 6.42 seconds

Translation: The computer at 192.168.1.50 is turned on. It has 997 doors closed. Door 22 is open running OpenSSH. Door 80 is open running Apache. Door 443 is blocked by a firewall (filtered).

Saving Your Work

If you scan 500 computers, the results will scroll off your screen faster than you can read them. Always save your output to a file.

-oN results.txt

Normal. Saves the text exactly how it looks on your screen.

-oG results.txt

Greppable. Puts all the data into neat rows so other computer tools can search it easily.

-oA results

All Formats. The best option. Saves a Normal file, a Greppable file, and an XML file all at once.
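
What "other computer tools can search it easily" looks like in practice, as an added Python example that is not from the original page: it reads Greppable (-oG) rows and reports open doors that are not on a list of doors you expect to be open. The sample rows are constructed to match the report in "Reading the Results", and the EXPECTED_OPEN baseline and function names are assumptions made for illustration.

```python
# Constructed sample in Nmap's Greppable (-oG) layout, modelled on the report above.
SAMPLE_GNMAP = (
    "# Nmap 7.93 scan initiated as: nmap -sV -oG results.txt 192.168.1.50\n"
    "Host: 192.168.1.50 ()\tStatus: Up\n"
    "Host: 192.168.1.50 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "80/open/tcp//http//Apache httpd 2.4.41/, 443/filtered/tcp//https///\t"
    "Ignored State: closed (997)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 6.42 seconds\n"
)

# Assumption: the ports each host is supposed to expose (hypothetical baseline).
EXPECTED_OPEN = {"192.168.1.50": {22, 443}}

def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip the '#' comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # Status and Ignored State fields carry no port rows
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version/
                if len(parts) < 7:
                    continue  # malformed row: ignore rather than guess
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                hosts.setdefault(host, []).append(
                    (int(port), proto, state, service, version))
    return hosts

def unexpected_open(hosts, expected):
    """List open ports that are not in the baseline for their host."""
    findings = []
    for host, rows in hosts.items():
        allowed = expected.get(host, set())
        for port, _proto, state, service, version in rows:
            if state == "open" and port not in allowed:
                findings.append((host, port, service, version))
    return findings

if __name__ == "__main__":
    report = unexpected_open(parse_gnmap(SAMPLE_GNMAP), EXPECTED_OPEN)
    for host, port, service, version in report:
        print(f"{host}: port {port} ({service} {version}) is open but not expected")
```

To use it on a real scan of your own network, read the file written by -oG and pass its text to parse_gnmap in place of SAMPLE_GNMAP.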

Your Quick Cheat Sheet

The Basic Scan

Just knocks on the top 1,000 most common doors.

nmap 192.168.1.1

The "Tell Me Everything" Scan

Checks versions (-sV), runs safe scripts (-sC), and guesses the OS (-O). The -A flag, also called the Aggressive scan, turns all of these on with one option.

nmap -A 192.168.1.1

The Whole Network Scan

Finds every single device turned on in a typical home or small office network.

nmap 192.168.1.0/24

Check a Specific Port

Only knocks on one single door instead of all of them (saves time).

nmap -p 443 192.168.1.1

The Golden Rule of Nmap

Never, ever scan a network or an IP address that you do not own, or do not have written permission to scan.

Using Nmap to check your own home router or your own servers is a great way to learn security. Scanning someone else's server without asking looks like a digital break-in to security teams and is illegal in many places.