ZMap 1.2.1 - The Internet Scanner


ZMap is an open-source network scanner that enables researchers to easily perform Internet-wide network studies. With a single machine and a well provisioned network uplink, ZMap is capable of performing a complete scan of the IPv4 address space in under 45 minutes, approaching the theoretical limit of gigabit Ethernet.

ZMap can be used to study protocol adoption over time, monitor service availability, and help us better understand large systems distributed across the Internet.

While ZMap is a powerful tool for researchers, please keep in mind that by running ZMap, you are potentially scanning the ENTIRE IPv4 address space and some users may not appreciate your scanning. 

Command Line Arguments

Common Options

These options are the most common options when performing a simple scan. We note that some options are dependent on the probe module or output module used (e.g. target port is not used when performing an ICMP Echo Scan).
-p, --target-port=port
TCP port number to scan (e.g. 443)
-o, --output-file=name
Write results to this file. Use - for stdout
-b, --blacklist-file=path
File of subnets to exclude, in CIDR notation (e.g. 192.168.0.0/16), one-per line. It is recommended you use this to exclude RFC 1918 addresses, multicast, IANA reserved space, and other IANA special-purpose addresses. An example blacklist file is provided in conf/blacklist.example for this purpose.

Scan Options

-n, --max-targets=n
Cap the number of targets to probe. This can either be a number (e.g. -n 1000) or a percentage (e.g. -n 0.1%) of the scannable address space (after excluding blacklist)
-N, --max-results=n
Exit after receiving this many results
-t, --max-runtime=secs
Cap the length of time for sending packets
-r, --rate=pps
Set the send rate in packets/sec
-B, --bandwidth=bps
Set the send rate in bits/second (supports suffixes G, M, and K (e.g. -B 10M for 10 mbps). This overrides the --rate flag.
-c, --cooldown-time=secs
How long to continue receiving after sending has completed (default=8)
-e, --seed=n
Seed used to select address permutation. Use this if you want to scan addresses in the same order for multiple ZMap runs.
--shards=n
Split the scan up into N shards/partitions among different instances of zmap (default=1). When sharding, --seed is required
--shard=n
Set which shard to scan (default=0). Shards are indexed in the range [0, N), where N is the total number of shards. When sharding --seed is required.
-T, --sender-threads=n
Threads used to send packets (default=1)
-P, --probes=n
Number of probes to send to each IP (default=1)
-d, --dryrun
Print out each packet to stdout instead of sending it (useful for debugging)

Network Options

-s, --source-port=port|range
Source port(s) to send packets from
-S, --source-ip=ip|range
Source address(es) to send packets from. Either single IP or range (e.g. 10.0.0.1-10.0.0.9)
-G, --gateway-mac=addr
Gateway MAC address to send packets to (in case auto-detection does not work)
-i, --interface=name
Network interface to use

Probe Options

ZMap allows users to specify and write their own probe modules for use with ZMap. Probe modules are responsible for generating probe packets to send, and processing responses from hosts.
--list-probe-modules
List available probe modules (e.g. tcp_synscan)
-M, --probe-module=name
Select probe module (default=tcp_synscan)
--probe-args=args
Arguments to pass to probe module
--list-output-fields
List the fields the selected probe module can send to the output module

Output Options

ZMap allows users to specify and write their own output modules for use with ZMap. Output modules are responsible for processing the fieldsets returned by the probe module, and outputing them to the user. Users can specify output fields, and write filters over the output fields.
--list-output-modules
List available output modules (e.g. tcp_synscan)
-O, --output-module=name
Select output module (default=csv)
--output-args=args
Arguments to pass to output module
-f, --output-fields=fields
Comma-separated list of fields to output
--output-filter
Specify an output filter over the fields defined by the probe module

Additional Options

-C, --config=filename
Read a configuration file, which can specify any other options.
-q, --quiet
Do not print status updates once per second
-g, --summary
Print configuration and summary of results at the end of the scan
-v, --verbosity=n
Level of log detail (0-5, default=3)
-h, --help
Print help and exit
-V, --version
Print version and exit