A variable may be assigned to by a statement of the form

       name=[value]

If value is not given, the variable is assigned the null string.  All  values  undergo  tilde  expansion,
parameter  and  variable  expansion,  command  substitution, arithmetic expansion, and quote removal (see
EXPANSION below).  If the variable has  its  integer  attribute  set,  then  value  is  evaluated  as  an
arithmetic  expression even if the $((...)) expansion is not used (see Arithmetic Expansion below).  Word
splitting is not performed, with the exception of "$@"  as  explained  below  under  Special  Parameters.
Pathname  expansion  is  not performed.  Assignment statements may also appear as arguments to the alias,
declare, typeset, export, readonly, and local builtin commands.

In the context where an assignment statement is assigning a value to a shell variable or array index, the
+=  operator  can  be used to append to or add to the variable's previous value.  When += is applied to a
variable for which the integer attribute has been set, value is evaluated as an arithmetic expression and
added  to the variable's current value, which is also evaluated.  When += is applied to an array variable
using compound assignment (see Arrays below), the variable's value is not unset (as it is when using  =),
and  new  values  are  appended to the array beginning at one greater than the array's maximum index (for
indexed arrays) or added as additional key-value pairs in  an  associative  array.   When  applied  to  a
string-valued variable, value is expanded and appended to the variable's value.

Commands separated  by  a ; are executed sequentially; the shell waits for each command to terminate in turn.  The
return status is the exit status of the last command executed.

Network exploration tool and security / port scanner

-p port ranges (Only scan specified ports) .
    This option specifies which ports you want to scan and overrides the default. Individual port numbers
    are OK, as are ranges separated by a hyphen (e.g.  1-1023). The beginning and/or end values of a
    range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan
    ports from 1 through 65535. Scanning port zero.  is allowed if you specify it explicitly. For IP
    protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).

    When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port
    numbers by T: or U:. The qualifier lasts until you specify another qualifier. For example, the
    argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111,and 137, as well as the
    listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one TCP
    scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added
    to all protocol lists.  Ports can also be specified by name according to what the port is referred to
    in the nmap-services. You can even use the wildcards * and ? with the names. For example, to scan FTP
    and all ports whose names begin with “http”, use -p ftp,http*. Be careful about shell expansions and
    quote the argument to -p if unsure.

    Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear
    in nmap-services. For example, the following will scan all ports in nmap-services equal to or below
    1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.

--min-rate number; --max-rate number (Directly control the scanning rate) .
    Nmap´s dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes,
    however, you may happen to know an appropriate scanning rate for a network, or you may have to
    guarantee that a scan will be finished by a certain time. Or perhaps you must keep Nmap from scanning
    too quickly. The --min-rate and --max-rate options are designed for these situations.

    When the --min-rate option is given Nmap will do its best to send packets as fast as or faster than
    the given rate. The argument is a positive real number representing a packet rate in packets per
    second. For example, specifying --min-rate 300 means that Nmap will try to keep the sending rate at
    or above 300 packets per second. Specifying a minimum rate does not keep Nmap from going faster if
    conditions warrant.

    Likewise, --max-rate limits a scan´s sending rate to a given maximum. Use --max-rate 100, for
    example, to limit sending to 100 packets per second on a fast network. Use --max-rate 0.1 for a slow
    scan of one packet every ten seconds. Use --min-rate and --max-rate together to keep the rate inside
    a certain range.

    These two options are global, affecting an entire scan, not individual hosts. They only affect port
    scans and host discovery scans. Other features like OS detection implement their own timing.

    There are two conditions when the actual scanning rate may fall below the requested minimum. The
    first is if the minimum is faster than the fastest rate at which Nmap can send, which is dependent on
    hardware. In this case Nmap will simply send packets as fast as possible, but be aware that such high
    rates are likely to cause a loss of accuracy. The second case is when Nmap has nothing to send, for
    example at the end of a scan when the last probes have been sent and Nmap is waiting for them to time
    out or be responded to. It´s normal to see the scanning rate drop at the end of a scan or in between
    hostgroups. The sending rate may temporarily exceed the maximum to make up for unpredictable delays,
    but on average the rate will stay at or below the maximum.

    Specifying a minimum rate should be done with care. Scanning faster than a network can support may
    lead to a loss of accuracy. In some cases, using a faster rate can make a scan take longer than it
    would with a slower rate. This is because Nmap´s

    adaptive retransmission algorithms will detect the network congestion caused by an excessive scanning
    rate and increase the number of retransmissions in order to improve accuracy. So even though packets
    are sent at a higher rate, more packets are sent overall. Cap the number of retransmissions with the
    --max-retries option if you need to set an upper limit on total scan time.

-n (No DNS resolution) .
    Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be
    slow even with Nmap´s built-in parallel stub resolver, this option can slash scanning times.

-sT (TCP connect scan) .
    TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a
    user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets
    as most other scan types do, Nmap asks the underlying operating system to establish a connection with
    the target machine and port by issuing the connect system call. This is the same high-level system
    call that web browsers, P2P clients, and most other network-enabled applications use to establish a
    connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read
    raw packet responses off the wire, Nmap uses this API to obtain status information on each connection
    attempt.

    When SYN scan is available, it is usually a better choice. Nmap has less control over the high level
    connect call than with raw packets, making it less efficient. The system call completes connections
    to open target ports rather than performing the half-open reset that SYN scan does. Not only does
    this take longer and require more packets to obtain the same information, but target machines are
    more likely to log the connection. A decent IDS will catch either, but most machines have no such
    alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a
    cryptic error message, when Nmap connects and then closes the connection without sending data. Truly
    pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch
    of connection attempts in her logs from a single system should know that she has been connect
    scanned.

-oG filespec (grepable output) .
    This output format is covered last because it is deprecated. The XML output format is far more
    powerful, and is nearly as convenient for experienced users. XML is a standard for which dozens of
    excellent parsers are available, while grepable output is my own simple hack. XML is extensible to
    support new Nmap features as they are released, while I often must omit those features from grepable
    output for lack of a place to put them.

    Nevertheless, grepable output is still quite popular. It is a simple format that lists each host on
    one line and can be trivially searched and parsed with standard Unix tools such as grep, awk, cut,
    sed, diff, and Perl. Even I usually use it for one-off tests done at the command line. Finding all
    the hosts with the SSH port open or that are running Solaris takes only a simple grep to identify the
    hosts, piped to an awk or cut command to print the desired fields.

    Grepable output consists of comments (lines starting with a pound (#)).  and target lines. A target
    line includes a combination of six labeled fields, separated by tabs and followed with a colon. The
    fields are Host, Ports, Protocols, Ignored State, OS, Seq Index, IP ID, and Status.

    The most important of these fields is generally Ports, which gives details on each interesting port.
    It is a comma separated list of port entries. Each port entry represents one interesting port, and
    takes the form of seven slash (/) separated subfields. Those subfields are: Port number, State,
    Protocol, Owner, Service, SunRPC info, and Version info.

    As with XML output, this man page does not allow for documenting the entire format. A more detailed
    look at the Nmap grepable output format is available from
    http://nmap.org/book/output-formats-grepable-output.html.

--open (Show only open (or possibly open) ports) .
    Sometimes you only care about ports you can actually connect to (open ones), and don´t want results
    cluttered with closed, filtered, and closed|filtered ports. Output customization is normally done
    after the scan using tools such as grep, awk, and Perl, but this feature was added due to
    overwhelming requests. Specify --open to only see open, open|filtered, and unfiltered ports. These
    three ports are treated just as they normally are, which means that open|filtered and unfiltered may
    be condensed into counts if there are an overwhelming number of them.

nmap [Scan Type...] [Options] {target specification}