nmap(1) -p- -sT -T4 -vvvv -Pn --open -iL scanip -oA scanmeip
Network exploration tool and security / port scanner
-p port ranges (Only scan specified ports)
    This option specifies which ports you want to scan and overrides the default. Individual port numbers
    are OK, as are ranges separated by a hyphen (e.g.  1-1023). The beginning and/or end values of a
    range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan
    ports from 1 through 65535. Scanning port zero is allowed if you specify it explicitly. For IP
    protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).

    When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port
    numbers by T: or U:. The qualifier lasts until you specify another qualifier. For example, the
    argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111, and 137, as well as the
    listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one TCP
    scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added
    to all protocol lists. Ports can also be specified by name, using the names they are given in
    nmap-services. You can even use the wildcards * and ? with the names. For example, to scan FTP
    and all ports whose names begin with “http”, use -p ftp,http*. Be careful about shell expansions and
    quote the argument to -p if unsure.

    Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear
    in nmap-services. For example, the following will scan all ports in nmap-services equal to or below
    1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.
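    The qualifier and range rules above are easy to get wrong on a long -p argument: an unqualified
    port lands in every protocol list, and a missing range bound silently expands to 1 or 65535. The
    shell function below is an added example, not part of the man page, that counts how many TCP and
    UDP ports a numeric specification covers by applying exactly those rules, so a spec can be checked
    before the scan runs. It handles numbers, ranges and the T:/U: qualifiers only; service names,
    wildcards and [bracketed] ranges depend on the nmap-services file and are rejected.

```shell
# Added example, not from the nmap man page: count the TCP and UDP ports a
# numeric -p specification covers, using the rules from the -p section:
#   - a T:/U: qualifier sticks until another qualifier appears
#   - unqualified ports go to every protocol list
#   - an omitted range bound means 1 (low) or 65535 (high)
#   - port 0 is included only when written explicitly (e.g. 0-10)
# Service names, wildcards and [bracketed] ranges need nmap-services and are
# rejected with exit status 2.
portspec_count() {
  printf '%s\n' "$1" | awk -F, '
    {
      proto = "ALL"; ntcp = 0; nudp = 0
      for (i = 1; i <= NF; i++) {
        tok = $i
        gsub(/[ \t]/, "", tok)
        if (tok ~ /^[TU]:/) { proto = substr(tok, 1, 1); tok = substr(tok, 3) }
        if (tok == "") continue
        if (tok !~ /^[0-9]*(-[0-9]*)?$/) {
          print "unsupported token: " tok > "/dev/stderr"; exit 2
        }
        if (tok ~ /-/) {
          split(tok, r, "-")                 # r[1] low bound, r[2] high bound, either may be empty
          lo = (r[1] == "") ? 1 : r[1] + 0
          hi = (r[2] == "") ? 65535 : r[2] + 0
        } else {
          lo = hi = tok + 0
        }
        if (lo > hi || hi > 65535) {
          print "bad range: " tok > "/dev/stderr"; exit 2
        }
        for (p = lo; p <= hi; p++) {
          if (proto != "U" && !(p in tcp)) { tcp[p] = 1; ntcp++ }
          if (proto != "T" && !(p in udp)) { udp[p] = 1; nudp++ }
        }
      }
      printf "tcp=%d udp=%d\n", ntcp, nudp
    }'
}

# Specs taken from this page:
portspec_count -                                     # the -p- from the command line
portspec_count 'U:53,111,137,T:21-25,80,139,8080'    # the man page example
portspec_count 80,T:443                              # 80 lands in both lists, 443 only in TCP
```

    Remember that the UDP count only matters if -sU is also on the command line; the man page point
    that "-p U:..." without -sU scans nothing over UDP still holds.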
-sT (TCP connect scan)
    TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a
    user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets
    as most other scan types do, Nmap asks the underlying operating system to establish a connection with
    the target machine and port by issuing the connect system call. This is the same high-level system
    call that web browsers, P2P clients, and most other network-enabled applications use to establish a
    connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read
    raw packet responses off the wire, Nmap uses this API to obtain status information on each connection
    attempt.

    When SYN scan is available, it is usually a better choice. Nmap has less control over the high level
    connect call than with raw packets, making it less efficient. The system call completes connections
    to open target ports rather than performing the half-open reset that SYN scan does. Not only does
    this take longer and require more packets to obtain the same information, but target machines are
    more likely to log the connection. A decent IDS will catch either, but most machines have no such
    alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a
    cryptic error message, when Nmap connects and then closes the connection without sending data. Truly
    pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch
    of connection attempts in her logs from a single system should know that she has been connect
    scanned.
-T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template)
    While the fine-grained timing controls discussed in the previous section are powerful and effective,
    some people find them confusing. Moreover, choosing the appropriate values can sometimes take more
    time than the scan you are trying to optimize. So Nmap offers a simpler approach, with six timing
    templates. You can specify them with the -T option and their number (0–5) or their name. The template
    names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first
    two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine
    resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by
    making the assumption that you are on a reasonably fast and reliable network. Finally, insane mode
    assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for
    speed.

    These templates allow the user to specify how aggressive they wish to be, while leaving Nmap to pick
    the exact timing values. The templates also make some minor speed adjustments for which fine-grained
    control options do not currently exist. For example, -T4 prohibits the dynamic scan delay from
    exceeding 10 ms for TCP ports and -T5 caps that value at 5 ms. Templates can be used in combination
    with fine-grained controls, and the fine-grained controls you specify will take precedence over
    the timing template default for that parameter. I recommend using -T4 when scanning reasonably modern
    and reliable networks. Keep that option even when you add fine-grained controls so that you benefit
    from those extra minor optimizations that it enables.

    If you are on a decent broadband or ethernet connection, I would recommend always using -T4. Some
    people love -T5 though it is too aggressive for my taste. People sometimes specify -T2 because they
    think it is less likely to crash hosts or because they consider themselves to be polite in general.
    They often don't realize just how slow -T polite really is. Their scan may take ten times longer
    than a default scan. Machine crashes and bandwidth problems are rare with the default timing options
    (-T3) and so I normally recommend that for cautious scanners. Omitting version detection is far more
    effective than playing with timing values at reducing these problems.

    While -T0 and -T1 may be useful for avoiding IDS alerts, they will take an extraordinarily long
    time to scan thousands of machines or ports. For such a long scan, you may prefer to set the exact
    timing values you need rather than rely on the canned -T0 and -T1 values.

    The main effects of -T0 are serializing the scan so only one port is scanned at a time, and waiting
    five minutes between sending each probe. -T1 and -T2 are similar but they only wait 15 seconds and
    0.4 seconds, respectively, between probes. -T3 is Nmap's default behavior, which includes
    parallelization. -T4 does the equivalent of --max-rtt-timeout 1250 --initial-rtt-timeout 500
    --max-retries 6 and sets the maximum TCP scan delay to 10 milliseconds. -T5 does the equivalent of
    --max-rtt-timeout 300 --min-rtt-timeout 50 --initial-rtt-timeout 250 --max-retries 2 --host-timeout
    15m as well as setting the maximum TCP scan delay to 5 ms.
-v (Increase verbosity level)
    Increases the verbosity level, causing Nmap to print more information about the scan in progress.
    Open ports are shown as they are found and completion time estimates are provided when Nmap thinks a
    scan will take more than a few minutes. Use it twice or more for even greater verbosity.

    Most changes only affect interactive output, and some also affect normal and script kiddie output.
    The other output types are meant to be processed by machines, so Nmap can give substantial detail by
    default in those formats without fatiguing a human user. However, there are a few changes in other
    modes where output size can be reduced substantially by omitting some detail. For example, a comment
    line in the grepable output that provides a list of all ports scanned is only printed in verbose mode
    because it can be quite long.
-n (No DNS resolution)
    Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be
    slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.

    Note that the command line at the top of this page uses -Pn, not -n. -Pn is a different option: it
    skips the host discovery (ping) stage and treats every listed target as up, so each address gets
    port scanned whether or not it answers probes. The -n description above does not apply to it, and
    reverse DNS lookups still happen unless -n is added as well.
--open (Show only open (or possibly open) ports)
    Sometimes you only care about ports you can actually connect to (open ones), and don't want results
    cluttered with closed, filtered, and closed|filtered ports. Output customization is normally done
    after the scan using tools such as grep, awk, and Perl, but this feature was added due to
    overwhelming requests. Specify --open to only see open, open|filtered, and unfiltered ports. These
    three states are treated just as they normally are, which means that open|filtered and unfiltered
    may still be condensed into counts if there are an overwhelming number of them. With the connect
    scan used above (-sT), every port resolves to open, closed, or filtered, so --open leaves only the
    genuinely open ones; the open|filtered and unfiltered states come from UDP and the stealthier TCP
    scan types.
-iL inputfilename (Input from list)
    Reads target specifications from inputfilename. Passing a huge list of hosts is often awkward on the
    command line, yet it is a common desire. For example, your DHCP server might export a list of 10,000
    current leases that you wish to scan. Or maybe you want to scan every address except the leased
    ones, to locate hosts using unauthorized static IP addresses. Simply generate the list of hosts to scan and
    pass that filename to Nmap as an argument to the -iL option. Entries can be in any of the formats
    accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry
    must be separated by one or more spaces, tabs, or newlines. You can specify a hyphen (-) as the
    filename if you want Nmap to read hosts from standard input rather than an actual file.

    The input file may contain comments that start with # and extend to the end of the line.
-oA basename (Output to all formats)
    As a convenience, you may specify -oA basename to store scan results in normal, XML, and grepable
    formats at once. They are stored in basename.nmap, basename.xml, and basename.gnmap, respectively. As
    with most programs, you can prefix the filenames with a directory path, such as ~/nmaplogs/foocorp/
    on Unix or c:\hacking\sco on Windows.
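    The --open, -iL and -oA sections above come together in the command line at the top of the page: the
    targets go in through -iL scanip, and -oA scanmeip writes scanmeip.nmap, scanmeip.xml and
    scanmeip.gnmap. The shell helpers below are an added example (not nmap's code, and not from the man
    page) of the post-scan grep/awk step the --open section mentions, plus a normalizer for hand-written
    -iL files. The addresses, the hostname and the scan output embedded in sample_gnmap are constructed
    for the example and stand in for a real scanmeip.gnmap.

```shell
# Added example, not from the nmap man page. Two post-processing helpers for the
# command line at the top of the page:
#   iL_targets  normalizes a hand-written host list into one target per line
#   gnmap_open  pulls confirmed-open ports out of the .gnmap file that -oA writes
# All hosts and results below are constructed for the example.

# Drop "# ..." comments, split on any run of spaces/tabs/newlines, one target per
# line. nmap accepts the whitespace-separated form directly; normalizing just makes
# the list easy to sort, de-duplicate and diff between runs.
iL_targets() {
  awk '{ sub(/#.*/, ""); for (i = 1; i <= NF; i++) print $i }' "$@"
}

# Grepable output is one tab-separated record per host. The "Ports:" field holds
# port/state/proto/owner/service/rpcinfo/version/ entries separated by ", ".
# --open still keeps open|filtered entries, so match the state string exactly.
gnmap_open() {
  awk -F'\t' '
    /^Host:/ {
      split($1, h, " "); ip = h[2]
      for (f = 2; f <= NF; f++) {
        if ($f !~ /^Ports: /) continue
        n = split(substr($f, 8), entries, ", ")
        for (i = 1; i <= n; i++) {
          split(entries[i], p, "/")
          if (p[2] == "open") printf "%s %s/%s %s\n", ip, p[1], p[3], p[5]
        }
      }
    }' "$@"
}

# Constructed stand-in for scanmeip.gnmap (the shape -oA scanmeip would produce
# for the command at the top of the page). Fields are tab separated.
sample_gnmap() {
  printf '%s\n' '# Nmap scan initiated as: nmap -p- -sT -T4 -vvvv -Pn --open -iL scanip -oA scanmeip'
  printf '%s\t%s\n' 'Host: 192.0.2.10 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' \
    'Host: 192.0.2.10 ()' \
    'Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///' \
    'Ignored State: closed (65532)' \
    'Host: 192.0.2.11 (db.example.test)' \
    'Ports: 3306/open/tcp//mysql///, 8080/open|filtered/tcp//http-proxy///' \
    'Ignored State: filtered (65533)'
  printf '%s\n' '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 12.34 seconds'
}

# Real-world flow (needs nmap, so not executed here):
#   iL_targets raw-hosts.txt > scanip
#   nmap -p- -sT -T4 -vvvv -Pn --open -iL scanip -oA scanmeip
#   gnmap_open scanmeip.gnmap
#
# Offline demonstration on the constructed file:
sample_gnmap | gnmap_open
```

    gnmap_open prints one "ip port/proto service" line per confirmed-open port; the 8080/open|filtered
    entry in the sample is dropped because the state is compared exactly, which is the filtering a plain
    grep for "open" would get wrong. Parsing the Host: record on tabs, rather than grepping the whole
    line, also keeps the Status: and Ignored State: fields from being mistaken for port entries.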
source manpages: nmap