The nmap command line utility is used for port scanning and finding out all the ways a computer communicates with other computers on a network. You can find open ports on a server or computer and find what services are using those ports. It can even determine what operating system is running on the server and much more.
Installation
To install nmap on RHEL-based Linux distributions, type the following yum command:
# yum install nmap
Sample outputs:
Loaded plugins: protectbase, rhnplugin, security
0 packages excluded due to repository protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package nmap.x86_64 2:5.51-2.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package    Arch      Version           Repository              Size
================================================================================
Installing:
 nmap       x86_64    2:5.51-2.el6      rhel-x86_64-server-6    2.8 M
Transaction Summary
================================================================================
Install       1 Package(s)
Total download size: 2.8 M
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
nmap-5.51-2.el6.x86_64.rpm                    | 2.8 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 2:nmap-5.51-2.el6.x86_64       1/1
  Verifying  : 2:nmap-5.51-2.el6.x86_64       1/1
Installed:
  nmap.x86_64 2:5.51-2.el6
Complete!
How do I use the nmap command?
To find out the nmap version, run:
# nmap --version
Sample outputs:
Nmap version 5.51 ( http://nmap.org )
To scan an IP address or a host name (FQDN), run:
# nmap 1.2.3.4
# nmap localhost
# nmap 192.168.1.1
Getting more information out of the remote system
The -v option forces verbose output, and the -A option enables OS detection, version detection, script scanning and traceroute in a single command:
# nmap -v -A scanme.nmap.org
# nmap -v -A 192.168.1.1
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-19 16:38 IST
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 16:38
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 16:38, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:38
Completed Parallel DNS resolution of 1 host. at 16:38, 0.00s elapsed
Initiating SYN Stealth Scan at 16:38
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Completed SYN Stealth Scan at 16:38, 0.27s elapsed (1000 total ports)
Initiating Service scan at 16:38
Scanning 2 services on 192.168.1.1
Completed Service scan at 16:39, 66.11s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.1
Retrying OS detection (try #2) against 192.168.1.1
Retrying OS detection (try #3) against 192.168.1.1
Retrying OS detection (try #4) against 192.168.1.1
Retrying OS detection (try #5) against 192.168.1.1
NSE: Script scanning 192.168.1.1.
NSE: Starting runlevel 1 scan
Initiating NSE at 16:40
Completed NSE at 16:40, 0.88s elapsed
NSE: Script Scanning completed.
Host 192.168.1.1 is up (0.00050s latency).
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 0.52 (protocol 2.0)
|  ssh-hostkey: 1024 15:b6:b5:68:dc:36:97:76:19:72:4d:74:63:d6:18:35 (DSA)
|_ 1040 d2:75:67:8e:51:4d:4b:f6:25:f0:46:e3:a8:9e:8f:42 (RSA)
80/tcp open  http?
|_ html-title: Error
|  http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = tswitch
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 1 hop
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.27 seconds
Raw packets sent: 1266 (62.072KB) | Rcvd: 1036 (44.320KB)
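One way to check the open-port table in the output above against what a host is expected to expose, as an added example that is not part of the original page. The function names and the allowlist policy are assumptions, and the sample input is constructed from the PORT table shown above.

```shell
#!/bin/sh
# Added example: audit the PORT table of nmap's normal output against an
# allowlist of ports the host is expected to expose.

# open_ports: read nmap normal output on stdin and print "port/proto service"
# for every PORT-table row whose STATE is exactly "open". NSE script lines
# (starting with "|") and closed/filtered rows are skipped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# unexpected_ports ALLOWLIST: read nmap output on stdin and print every open
# port that is not in the space-separated ALLOWLIST (e.g. "22/tcp 443/tcp").
unexpected_ports() {
    allow=" $1 "
    open_ports | while read -r port service; do
        case "$allow" in
            *" $port "*) ;;                              # expected
            *) printf '%s %s\n' "$port" "$service" ;;    # needs review
        esac
    done
}

# Constructed sample input: the relevant lines of the -A output above.
sample_scan() {
    cat <<'EOF'
Host 192.168.1.1 is up (0.00050s latency).
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 0.52 (protocol 2.0)
80/tcp open  http?
|_ html-title: Error
|  http-auth: HTTP Service requires authentication
EOF
}

# Assumed policy for this device: only SSH should be reachable.
sample_scan | unexpected_ports "22/tcp"
```

To audit a live host you administer, pipe the scan into the function instead of the sample, for example `nmap 192.168.1.1 | unexpected_ports "22/tcp"`.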
To scan a range of IP addresses
# nmap 192.168.1.1-50
To scan an entire subnet
# nmap 192.168.1.0/24
Ping only scan
# nmap -sP 192.168.1.1
TCP SYN scan
# nmap -sS 192.168.1.1
UDP scan
# nmap -sU 192.168.1.1
IP protocol scan
# nmap -sO 192.168.1.1
Scan ports 80, 25, 443, and 110
# nmap -p 80,25,443,110 192.168.1.1
Scan the port range 1024-2048
# nmap -p 1024-2048 192.168.1.1
Operating system detection
# nmap -O --osscan-guess 192.168.1.1