-p port ranges (Only scan specified ports) .
This option specifies which ports you want to scan and overrides the default. Individual port numbers
are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/or end values of a
range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan
ports from 1 through 65535. Scanning port zero. is allowed if you specify it explicitly. For IP
protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).
When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port
numbers by T: or U:. The qualifier lasts until you specify another qualifier. For example, the
argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111,and 137, as well as the
listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one TCP
scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added
to all protocol lists. Ports can also be specified by name according to what the port is referred to
in the nmap-services. You can even use the wildcards * and ? with the names. For example, to scan FTP
and all ports whose names begin with “http”, use -p ftp,http*. Be careful about shell expansions and
quote the argument to -p if unsure.
Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear
in nmap-services. For example, the following will scan all ports in nmap-services equal to or below
1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.
|
--min-rate number; --max-rate number (Directly control the scanning rate) .
Nmap´s dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes,
however, you may happen to know an appropriate scanning rate for a network, or you may have to
guarantee that a scan will be finished by a certain time. Or perhaps you must keep Nmap from scanning
too quickly. The --min-rate and --max-rate options are designed for these situations.
When the --min-rate option is given Nmap will do its best to send packets as fast as or faster than
the given rate. The argument is a positive real number representing a packet rate in packets per
second. For example, specifying --min-rate 300 means that Nmap will try to keep the sending rate at
or above 300 packets per second. Specifying a minimum rate does not keep Nmap from going faster if
conditions warrant.
Likewise, --max-rate limits a scan´s sending rate to a given maximum. Use --max-rate 100, for
example, to limit sending to 100 packets per second on a fast network. Use --max-rate 0.1 for a slow
scan of one packet every ten seconds. Use --min-rate and --max-rate together to keep the rate inside
a certain range.
These two options are global, affecting an entire scan, not individual hosts. They only affect port
scans and host discovery scans. Other features like OS detection implement their own timing.
There are two conditions when the actual scanning rate may fall below the requested minimum. The
first is if the minimum is faster than the fastest rate at which Nmap can send, which is dependent on
hardware. In this case Nmap will simply send packets as fast as possible, but be aware that such high
rates are likely to cause a loss of accuracy. The second case is when Nmap has nothing to send, for
example at the end of a scan when the last probes have been sent and Nmap is waiting for them to time
out or be responded to. It´s normal to see the scanning rate drop at the end of a scan or in between
hostgroups. The sending rate may temporarily exceed the maximum to make up for unpredictable delays,
but on average the rate will stay at or below the maximum.
Specifying a minimum rate should be done with care. Scanning faster than a network can support may
lead to a loss of accuracy. In some cases, using a faster rate can make a scan take longer than it
would with a slower rate. This is because Nmap´s
adaptive retransmission algorithms will detect the network congestion caused by an excessive scanning
rate and increase the number of retransmissions in order to improve accuracy. So even though packets
are sent at a higher rate, more packets are sent overall. Cap the number of retransmissions with the
--max-retries option if you need to set an upper limit on total scan time.
|
-oA basename (Output to all formats) .
As a convenience, you may specify -oA basename to store scan results in normal, XML, and grepable
formats at once. They are stored in basename.nmap, basename.xml, and basename.gnmap, respectively. As
with most programs, you can prefix the filenames with a directory path, such as ~/nmaplogs/foocorp/
on Unix or c:\hacking\sco on Windows.
|