nmap Scan Types Reference

All nmap scan technique flags with stealth level, privilege requirement and use

Searchable nmap scan type reference covering SYN, connect, UDP, ACK, FIN, Null, Xmas, idle and version scans. See each flag's protocol, whether it needs root, its stealth level and exactly how it probes a port.

What is the difference between -sS and -sT?

A SYN scan (-sS) sends a SYN, reads the SYN/ACK or RST reply, then sends an RST to tear down the half-open connection so the handshake never completes. A connect scan (-sT) uses the operating system connect() call to fully open each port, which needs no privileges but is slower and is logged by the target application.

nmap exposes a dozen-plus scan techniques, each sending a different probe and reading the response in a different way. Picking the right one decides whether you get accurate results, slip past a firewall, or get logged and blocked. This reference lists every scan flag with its protocol, privilege requirement, stealth level and the exact probe logic it uses.

How it works

A TCP SYN scan (-sS) is the workhorse: it sends a SYN, treats a SYN/ACK as open and an RST as closed, then sends an RST so the handshake never completes — fast and relatively quiet, but it needs root to craft raw packets. The unprivileged connect scan (-sT) instead asks the OS to fully open each port, which is slower and easily logged. UDP scan (-sU) is connectionless and slow, inferring closed ports from ICMP port-unreachable replies.

The stealth family — FIN (-sF), Null (-sN), Xmas (-sX) and Maimon (-sM) — sends packets with unusual flag combinations. RFC-compliant stacks RST a closed port and ignore an open one, so silence means open|filtered. These evade simple stateless firewalls but fail against Windows. ACK (-sA) and Window (-sW) scans map firewall rules rather than open ports, and the idle scan (-sI) bounces probes off a third-party zombie so the target never sees the real source. Add -sV for version detection and -sC for the default NSE scripts.
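The two paragraphs above boil down to a response-interpretation table per scan flag, plus the probe shapes a defender can recognise on the wire. The following Python is an added example written for this page, not nmap's own code: `port_state()` encodes the reply-to-state rules as stated in the text (syn_ack/rst/none for handshake scans, ICMP port-unreachable for UDP, silence meaning open|filtered for the stealth family, with the Windows caveat surfaced as an unreliable result), and `detect_sweeps()` runs over constructed packet records to flag SYN sweeps and the flag combinations the stealth scans set. The response names, the sample records and the `syn_threshold` value are assumptions made for the example. Maimon (FIN/ACK) and ACK probes are deliberately not reported by the detector because the same segments occur in every normal close or established session, so a single packet cannot identify them.

```python
from collections import defaultdict

# Reply -> reported port state for each scan flag, as the text describes.
# The reply names ("syn_ack", "rst", "none", ...) are labels chosen for this
# example, not nmap identifiers.
HANDSHAKE = {"syn_ack": "open", "rst": "closed",
             "none": "filtered", "icmp_unreachable": "filtered"}
# -sF/-sN/-sX/-sM: RFC-compliant stacks RST a closed port and ignore an open one.
STEALTH = {"rst": "closed", "none": "open|filtered", "icmp_unreachable": "filtered"}
RULES = {
    "-sS": HANDSHAKE, "-sT": HANDSHAKE,
    # -sU: closed is inferred from ICMP port unreachable; silence is ambiguous.
    "-sU": {"udp_reply": "open", "icmp_port_unreachable": "closed",
            "icmp_other_unreachable": "filtered", "none": "open|filtered"},
    "-sF": STEALTH, "-sN": STEALTH, "-sX": STEALTH, "-sM": STEALTH,
    # -sA maps firewall rules: an RST means the probe got through, not that the port is open.
    "-sA": {"rst": "unfiltered", "none": "filtered", "icmp_unreachable": "filtered"},
    # -sW reads the window field of the RST to split unfiltered into open/closed.
    "-sW": {"rst_window_nonzero": "open", "rst_window_zero": "closed",
            "none": "filtered", "icmp_unreachable": "filtered"},
}
STEALTH_FLAGS = {"-sF", "-sN", "-sX", "-sM"}


def port_state(scan, response, target_os=None):
    """State nmap would report for `response` under `scan`.

    Windows stacks answer RST on every port, open or not, so the stealth
    family cannot tell states apart there: the result is flagged unreliable.
    """
    if scan not in RULES:
        raise ValueError(f"unknown scan type {scan}")
    state = RULES[scan].get(response)
    if state is None:
        raise ValueError(f"{scan} does not expect a {response!r} reply")
    if scan in STEALTH_FLAGS and target_os == "windows":
        return "unreliable"
    return state


# Defender side: TCP flag sets that only a scanner sends. SYN-only is ordinary
# traffic until one source hits many ports; Null, FIN and Xmas never appear in
# a legitimate session. FIN/ACK (Maimon) and ACK are omitted on purpose: they
# look exactly like a graceful close or an established connection.
PROBE_SHAPES = {
    frozenset({"SYN"}): "syn",
    frozenset(): "null",
    frozenset({"FIN"}): "fin",
    frozenset({"FIN", "PSH", "URG"}): "xmas",
}


def detect_sweeps(records, syn_threshold=5):
    """records: iterable of (src, dst, dport, flags) tuples from a packet log.

    Counts distinct destination ports per (src, dst, probe shape) and reports
    SYN sweeps above `syn_threshold` ports and any Null/FIN/Xmas probe at all.
    A SYN sweep may be -sS or -sT; the probe alone does not distinguish them.
    """
    ports = defaultdict(set)
    for src, dst, dport, flags in records:
        shape = PROBE_SHAPES.get(frozenset(flags))
        if shape is None:
            continue  # normal flags (ACK, PSH/ACK, FIN/ACK, ...) or unknown combination
        ports[(src, dst, shape)].add(dport)
    findings = []
    for (src, dst, shape), seen in sorted(ports.items()):
        threshold = syn_threshold if shape == "syn" else 1
        if len(seen) >= threshold:
            findings.append({"src": src, "dst": dst, "probe": shape,
                             "ports": sorted(seen)})
    return findings


# Constructed sample packet records (not captured data): one host sweeps six
# ports with SYN, then sends Xmas and Null probes; another host makes one
# ordinary HTTPS connection including its graceful FIN/ACK close.
SAMPLE_RECORDS = [
    ("10.0.0.5", "192.0.2.10", p, {"SYN"}) for p in (22, 25, 80, 443, 3306, 8080)
] + [
    ("10.0.0.5", "192.0.2.10", 22, {"FIN", "PSH", "URG"}),
    ("10.0.0.5", "192.0.2.10", 80, {"FIN", "PSH", "URG"}),
    ("10.0.0.5", "192.0.2.10", 443, set()),
    ("10.0.0.7", "192.0.2.10", 443, {"SYN"}),
    ("10.0.0.7", "192.0.2.10", 443, {"PSH", "ACK"}),
    ("10.0.0.7", "192.0.2.10", 443, {"FIN", "ACK"}),
]

if __name__ == "__main__":
    for scan, reply in (("-sS", "syn_ack"), ("-sU", "none"), ("-sX", "none"), ("-sA", "rst")):
        print(f"{scan} {reply:>8} -> {port_state(scan, reply)}")
    print("-sX rst on Windows ->", port_state("-sX", "rst", target_os="windows"))
    for f in detect_sweeps(SAMPLE_RECORDS):
        print(f"{f['src']} -> {f['dst']}: {f['probe']} probe on ports {f['ports']}")
```

Running the block prints the interpreted states and three findings for 10.0.0.5 (the SYN sweep, the Xmas probes and the Null probe) while the single SYN from 10.0.0.7 stays below the threshold. In a real sensor the records would come from flow or packet logs rather than the constructed list, and the SYN threshold would be tuned to the host's normal connection fan-out.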

Tips and notes

Combine scan types with timing and discovery options for real engagements: -sV adds service and version detection on top of any scan, and -sC runs the default script set. Raw-packet scans need root; without it nmap silently downgrades to -sT. Most importantly, only scan systems you are authorized to test — unauthorized scanning can be illegal regardless of intent.