zmap

Scan port 80 on a network

$ sudo zmap -p [80] [192.168.1.0/24]

$ sudo zmap -p [443] -o [results.txt]

$ sudo zmap -p [22] -r [10000] [10.0.0.0/8]

$ sudo zmap -p [80] -B [10M] [target_subnet]

$ sudo zmap -p [80] -i [eth0] [target]

$ sudo zmap -p [80] -o [results.csv] -O csv [target]

zmap [-p port] [-o outfile] [-b blacklist] [options] [target]

ZMap is a fast network scanner designed for internet-wide surveys. It can scan the entire IPv4 address space in under 45 minutes from a single machine, using optimized packet generation and stateless scanning.
Unlike nmap which maintains connection state, ZMap sends probes and separately listens for responses, enabling much higher throughput. It uses a cyclic multiplicative group to randomize scan order, avoiding network hotspots.
ZMap supports various probe types through modules (TCP SYN, ICMP, UDP) and output formats. It's commonly used for security research, measuring internet-wide vulnerability exposure, and census-style studies.

-p, --target-port port

Port to scan

Output results to file

File of addresses to exclude

File of addresses to include (only scan these)

Packets per second (default: unlimited)

Bandwidth limit (e.g., 10M, 1G)

Network interface

Gateway MAC address

Output format (csv, json, extended_file)

Comma-separated fields to output

Maximum targets to scan

Stop after N results

WARNING: Scanning networks without authorization is illegal in many jurisdictions. Only scan networks you own or have explicit permission to test.
Requires root/CAPNETRAW for raw socket access.
High scan rates can overwhelm networks or trigger security alerts. Use rate limiting and respect network policies.
Always use a blacklist to exclude sensitive addresses (RFC 1918, military, critical infrastructure).

nmap(1), masscan(1), unicornscan(1)