Introduction
nmap, the Network Mapper, is one of the most widely used tools in networking and security. At its core it is a scanner: it can find which hosts are on a network, which ports are open on those hosts, what services are running, and even what operating system a target is likely running. Understanding how nmap works means understanding how TCP/IP stimulus and response works, because nmap's intelligence comes entirely from how targets respond to crafted packets.
Portscan vs Portsweep
It helps to distinguish between two related but different operations. A portscan targets a single host and probes many ports, the goal is to build a picture of what services that one machine is running. A portsweep targets many hosts but looks for a single specific port, useful when you want to find every machine on a network that has, say, SSH or HTTP open. nmap can perform both.
Host Discovery
Before scanning ports, nmap needs to know which hosts are actually up. The -sn flag (previously -sP) tells nmap to do host discovery only, without port scanning. On a local network when running as root, nmap defaults to ARP requests for host discovery, which is highly reliable since devices cannot ignore ARP without losing network connectivity. Over the internet it falls back to ICMP echo requests.
nmap -sn 192.168.1.0/24 # ping sweep of entire subnetPing sweeps are noisy and increasingly unreliable since many hosts block ICMP. For more complete host discovery, nmap combines ICMP, TCP SYN to port 443, and TCP ACK to port 80. An ACK scan is particularly interesting, a host that has no existing connection must respond with RST, which reveals its presence even behind some firewalls.
SYN Scan (Half-Open Scan)
The SYN scan, enabled with -sS, is nmap's default when run as root. It is often called a stealth or half-open scan. nmap sends a SYN packet to each port. If it gets back a SYN/ACK, the port is open. If it gets back RST, the port is closed. Instead of completing the handshake with an ACK, nmap sends a RST to tear down the half-open connection.
nmap -sS target.comBecause the full connection is never established, the scan often does not get logged by the application sitting on the open port. It requires root privileges because crafting raw packets with specific flags requires low-level network access.
Connect Scan
The connect scan (-sT) completes the full three-way handshake. It does not require root because it uses the operating system's normal socket API rather than raw packets. The downside is that completed connections are more likely to be logged by the target application and the scan is generally slower. It is the fallback when SYN scanning is not available.
UDP Scanning
UDP scanning (-sU) works differently from TCP because UDP has no connection setup. nmap sends UDP packets to each port. If it gets back an ICMP port unreachable message, the port is closed. If it gets no response, nmap marks the port as open or filtered, it cannot distinguish between an open port and one where the response is being dropped. This makes UDP scanning much slower and less definitive than TCP scanning. Using --top-ports to limit the scan to commonly used UDP ports helps keep it practical.
Inverse Scans: FIN, NULL, and Xmas
These three scan types exploit a specific rule in RFC 793: a closed port should respond with RST to a TCP packet that is not a SYN, while an open port should ignore it. Sending unexpected flag combinations. FIN only, no flags at all (NULL), or FIN plus PSH and URG (Xmas), lets nmap infer port state from the absence or presence of RST responses.
nmap -sF target.com # FIN scan
nmap -sN target.com # NULL scan
nmap -sX target.com # Xmas scanThe problem is that Windows and Cisco devices often respond with RST regardless of port state, making these scans unreliable against those targets. They are primarily useful for evading firewalls that block SYN-based scans, since many firewalls focus exclusively on filtering SYN packets. These scans are collectively called inverse scans because an absence of response is what suggests an open port, the opposite of the normal pattern.
OS Fingerprinting
nmap can attempt to identify the operating system of a target using -O. It sends a series of unusual or carefully crafted packets, things like unsolicited FINs, bogus flag combinations, NULL segments, and analyses how the target responds. Different operating systems implement their TCP stacks differently, and these subtle variations in how they respond to edge cases create a fingerprint that can be matched against nmap's database of known OS behaviours.
nmap -O target.com # OS detectionFragmentation for Evasion
nmap has a -f flag that fragments its probe packets into 8-byte chunks. This is a technique to evade intrusion detection systems that do not bother to reassemble fragments before analyzing them. A SYN packet's TCP header is only 20 bytes, so it gets split into three tiny fragments. An IDS that looks for complete TCP headers in each packet will not recognise this as a port scan. Modern IDS systems reassemble fragments before analysis, but some do not.
nmap -f -sS -p 53 target.com # fragmented SYN scan on port 53The Nmap Scripting Engine
Beyond scanning, nmap has a scripting engine (NSE) that extends its capabilities enormously. Scripts can probe services for version information, check for known vulnerabilities, attempt default credential logins, discover additional hosts, and more. Scripts are organized into categories: safe, intrusive, vuln, exploit, auth, brute, and discovery among others.
nmap --script=vuln target.com # run vulnerability checks
nmap --script=http-title target.com # grab HTTP titlesPractical Tips
A few things that help in practice: use -Pn to skip host discovery and treat every target as up, useful when ICMP is blocked and you know the target exists. Use --scan-delay to slow down scans against unstable networks or to reduce the chance of detection. Use scanme.nmap.org as a legitimate practice target when you want to test scan types without hitting anything you do not own.
Conclusion
nmap is built entirely on stimulus and response. Every scan type. SYN, UDP, FIN, NULL, Xmas, works by sending specific packets and interpreting the responses according to what the relevant RFCs say hosts should do. Understanding the underlying protocol behavior is what makes nmap's output make sense. Treat the scans as protocol experiments and the tool starts to feel much less like a black box.