LinuxCommandLibrary

zmap

Scan networks for responsive hosts and services

TLDR

Scan a subnet or full IPv4 space for a specific TCP port (default: 80)

$ zmap [SUBNETS] [[-p|--target-ports]] [port]

Scan specific ports or port ranges across a subnet
$ zmap [[-p|--target-ports]] [port1,port2-port3,...] [SUBNETS]

Output results to a CSV file with custom fields
$ zmap [[-o|--output-file]] [path/to/output_file.csv] [[-f|--output-fields]] "[saddr,daddr,sport,dport]" [SUBNETS]

Limit the scan rate to a specific number of packets per second
$ zmap [[-r|--rate]] [packets_per_second] [SUBNETS]

Perform a dry run without sending packets
$ zmap [[-d|--dryrun]] [SUBNETS]

Exclude subnets using a blocklist file in CIDR notation
$ zmap [[-b|--blocklist-file]] [path/to/blocklist.txt] [SUBNETS]

Set a specific source IP for scan packets
$ zmap [[-S|--source-ip]] [source_ip] [SUBNETS]

Cap the number/percentage of targets to probe (e.g. 1000 IP/port pairs)
$ zmap [[-n|--max-targets]] [1000] [SUBNETS] [[-p|--target-ports]] [port1,port2-port3]

SYNOPSIS

zmap [OPTIONS]

Common usage examples:
zmap [OPTIONS] -p PORT
zmap [OPTIONS] --probe-module=MODULE --output-file=FILE

PARAMETERS

-p, --target-port=PORT
    The destination port for TCP or UDP probes. Required for the default probe modules.

-o, --output-file=FILE
    File to write scan results to. Defaults to stdout.

-B, --bandwidth=BPS
    Set the target sending bandwidth. E.g., 10M for 10 Megabits/s, 1G for 1 Gigabit/s.

-r, --rate=PPS
    Set the target sending rate in packets per second (pps). Overrides --bandwidth if both are specified.

-n, --max-targets=N
    Maximum number (or percentage of the address space) of unique targets to probe before stopping; the same option the TLDR examples above use.

-M, --probe-module=NAME
    Specify the probe module to use (e.g., tcp_synscan, icmp_echo, udp).

-O, --output-module=NAME
    Specify the output module to use (e.g., csv, json, redis).

--probe-args=ARGS
    Arguments to pass to the selected probe module.

--output-args=ARGS
    Arguments to pass to the selected output module.

-i, --interface=IFACE
    Network interface to use for sending and receiving packets.

-I, --list-of-ips-file=FILE
    File containing a list of target IP addresses or CIDR ranges to scan.

-d, --dryrun
    Print scan configuration and exit without actually sending packets.

-q, --quiet
    Suppress status updates and non-essential output.

-v, --verbosity=LEVEL
    Set the verbosity level (0-5, default 3).

DESCRIPTION

zmap is an open-source network scanner designed for high-speed, large-scale network surveys. Unlike traditional port scanners that establish full connections, zmap sends out a high volume of stateless probe packets and analyzes the responses. It can scan the entire IPv4 address space in under 45 minutes on a gigabit Ethernet connection, making it ideal for Internet-wide research, security audits, and identifying vulnerable services. It achieves its speed by crafting raw Ethernet frames directly and distributing probes uniformly across the address space. zmap supports various probe modules (e.g., TCP SYN, ICMP, UDP, DNS) and flexible output modules.

CAVEATS

zmap typically requires root privileges or specific capabilities (e.g., CAP_NET_RAW) to send and receive raw Ethernet frames. Due to its high-speed nature, it can generate significant network traffic, potentially overwhelming target networks, triggering IDS/IPS systems, or violating network usage policies. Users should exercise caution and ensure they have permission before scanning networks they do not own or administer. It is primarily designed for IPv4 networks.

PROBE MODULES

zmap's modular design allows it to support various scanning protocols. Probe modules define the type of packet sent (e.g., TCP SYN, ICMP Echo Request, UDP, DNS, ARP). This flexibility enables zmap to perform diverse types of network surveys beyond simple port scanning.

OUTPUT MODULES

Results from zmap scans can be formatted and exported using different output modules. Common output formats include CSV (comma-separated values), JSON, and direct streaming to Redis or other databases. This makes it easy to integrate zmap data into other analysis pipelines or storage systems.
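As an added example (not code from this page or from the ZMap project), the following Python reads a CSV written with `-o` and `-f "saddr,daddr,sport,dport"`, counts responders per probed port, validates a CIDR blocklist of the kind passed to `-b`, and cross-checks every responder against it, so a mistyped exclusion is caught before the scan and a violated one shows up after it. The CSV rows and the blocklist are constructed sample data using documentation address ranges; `parse_blocklist`, `responders_per_port` and `blocklist_violations` are names chosen here.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample of what `zmap -o results.csv -f "saddr,daddr,sport,dport"`
# writes for a TCP SYN scan: saddr/sport are the responding host and the probed
# port, daddr/dport are the scanner's own address and source port. Addresses come
# from the documentation ranges and are not real scan data.
SAMPLE_RESULTS = """\
saddr,daddr,sport,dport
192.0.2.10,198.51.100.5,443,54321
192.0.2.10,198.51.100.5,80,54321
192.0.2.77,198.51.100.5,80,54321
192.0.2.200,198.51.100.5,22,54321
192.0.2.130,198.51.100.5,443,54321
"""

# Constructed blocklist in the one-prefix-per-line CIDR form that -b expects;
# '#' starts a comment. The bad prefix length on the last line stands in for a
# broken exclusion that the validator should reject.
SAMPLE_BLOCKLIST = """\
# hypothetical exclusions for -b/--blocklist-file
192.0.2.128/25   # upper half of the range must never be probed
203.0.113.0/33   # invalid prefix length
"""


def parse_blocklist(text):
    """Return (networks, problems): parsed prefixes and (line_no, message) for bad lines."""
    networks, problems = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            problems.append((line_no, str(exc)))
    return networks, problems


def parse_results(text):
    """Parse zmap CSV output into dicts keyed by the requested output fields."""
    return list(csv.DictReader(io.StringIO(text)))


def responders_per_port(rows):
    """Count responses per probed port (sport is the port that answered)."""
    return Counter(int(row["sport"]) for row in rows)


def unique_responders(rows):
    """Distinct responding hosts, regardless of how many ports each answered on."""
    return {row["saddr"] for row in rows}


def blocklist_violations(rows, networks):
    """Responders inside an excluded prefix; a non-empty list means the exclusion did not hold."""
    hits = []
    for row in rows:
        addr = ipaddress.ip_address(row["saddr"])
        if any(addr in net for net in networks):
            hits.append((row["saddr"], int(row["sport"])))
    return hits


if __name__ == "__main__":
    nets, problems = parse_blocklist(SAMPLE_BLOCKLIST)
    for line_no, msg in problems:
        print(f"blocklist line {line_no}: {msg}")
    rows = parse_results(SAMPLE_RESULTS)
    print("responders per port:", dict(responders_per_port(rows)))
    print("unique hosts:", len(unique_responders(rows)))
    print("in excluded ranges:", blocklist_violations(rows, nets))
```

Running `parse_blocklist` on the real file before the scan is the cheap check; running `blocklist_violations` on the results afterwards is the proof that the exclusions actually applied.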

PERFORMANCE OPTIMIZATION

zmap achieves its exceptional speed by operating statelessly, meaning it doesn't maintain per-target state during the scan. It uses a cryptographically generated sequence of IP addresses to distribute probes uniformly and avoids retransmissions. By crafting raw packets and bypassing the kernel's TCP/IP stack for outgoing probes, it maximizes packet generation rates.
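To make the uniform, stateless probe order concrete, here is an added Python example (my own code, not ZMap's) of the construction the ZMap paper describes for that permutation: walk the multiplicative group of integers modulo a prime just above the size of the address space, so every address is visited exactly once with no per-target state, and the seed alone reproduces the whole order. The helper names are mine, and the run uses the 192.0.2.0/24 documentation range instead of the full IPv4 space; for all of IPv4 the prime is 2^32 + 15. From the receiving side this is why zmap probes in a log look scattered rather than sequential: consecutive probes almost never land on adjacent addresses.

```python
import ipaddress
import random


def _is_prime(n):
    """Trial-division primality test; fast enough for primes near 2**32."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def _next_prime(n):
    """Smallest prime strictly greater than n."""
    p = n + 1
    while not _is_prime(p):
        p += 1
    return p


def _prime_factors(n):
    """Distinct prime factors of n by trial division."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def _is_primitive_root(g, p):
    """g generates the whole multiplicative group mod p iff g^((p-1)/q) != 1 for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in _prime_factors(p - 1))


def scan_order(network, seed):
    """Yield every address of `network` exactly once, in a seed-determined random order."""
    net = ipaddress.ip_network(network)
    size = net.num_addresses
    p = _next_prime(size)          # 257 for a /24; 2**32 + 15 for all of IPv4
    rng = random.Random(seed)
    while True:                    # pick a random generator of the group {1, ..., p-1}
        g = rng.randrange(2, p)
        if _is_primitive_root(g, p):
            break
    x = first = rng.randrange(1, p)  # random starting element of the cycle
    base = int(net.network_address)
    while True:
        if x <= size:              # elements above `size` (14 of them for IPv4) are skipped
            yield ipaddress.ip_address(base + x - 1)
        x = (x * g) % p            # the only state carried between probes
        if x == first:
            return


def sequential_pairs(addresses):
    """How many consecutive entries are numerically adjacent; a sequential sweep scores len-1."""
    return sum(1 for a, b in zip(addresses, addresses[1:]) if int(b) - int(a) == 1)


if __name__ == "__main__":
    order = list(scan_order("192.0.2.0/24", seed=7))
    print("first probes:", [str(a) for a in order[:6]])
    print("addresses covered:", len(set(order)), "of 256")
    print("adjacent pairs in zmap-style order:", sequential_pairs(order))
    print("adjacent pairs in a linear sweep:", sequential_pairs(list(ipaddress.ip_network("192.0.2.0/24"))))
```

Because x*g mod p can equal x+1 for at most one x, a full cycle contains at most one pair of adjacent addresses, which is the property the test checks; the same seed gives the same order, which is what lets a scan be split into shards or resumed without storing which targets were already probed.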

HISTORY

Developed by Zakir Durumeric and collaborators at the University of Michigan, zmap was first publicly released in 2013. It emerged from the need for a tool capable of efficiently scanning the entire Internet for research purposes, a task that traditional scanners like Nmap were too slow to accomplish on a large scale. Its development significantly advanced the field of Internet-wide measurement and security research by providing a fast, scalable, and modular platform for network reconnaissance.

SEE ALSO

nmap(1), masscan(8), tcpdump(1)
