ZMap 1.2.1 - The Internet Scanner

ZMap is an open-source network scanner that enables researchers to easily perform Internet-wide network studies. With a single machine and a well provisioned network uplink, ZMap is capable of performing a complete scan of the IPv4 address space in under 45 minutes, approaching the theoretical limit of gigabit Ethernet.

ZMap can be used to study protocol adoption over time, monitor service availability, and help us better understand large systems distributed across the Internet.

While ZMap is a powerful tool for researchers, please keep in mind that by running ZMap, you are potentially scanning the ENTIRE IPv4 address space and some users may not appreciate your scanning. 

Command Line Arguments

Common Options

These options are the most common options when performing a simple scan. We note that some options are dependent on the probe module or output module used (e.g. target port is not used when performing an ICMP Echo Scan).

-p, --target-port=port

TCP port number to scan (e.g. 443)

-o, --output-file=name

Write results to this file. Use - for stdout

-b, --blacklist-file=path

File of subnets to exclude, in CIDR notation (e.g. 192.168.0.0/16), one-per line. It is recommended you use this to exclude RFC 1918 addresses, multicast, IANA reserved space, and other IANA special-purpose addresses. An example blacklist file is provided in conf/blacklist.example for this purpose.

Scan Options

-n, --max-targets=n

Cap the number of targets to probe. This can either be a number (e.g. -n 1000) or a percentage (e.g. -n 0.1%) of the scannable address space (after excluding blacklist)

-N, --max-results=n

Exit after receiving this many results

-t, --max-runtime=secs

Cap the length of time for sending packets

-r, --rate=pps

Set the send rate in packets/sec

-B, --bandwidth=bps

Set the send rate in bits/second (supports suffixes G, M, and K (e.g. -B 10M for 10 mbps). This overrides the --rate flag.

-c, --cooldown-time=secs

How long to continue receiving after sending has completed (default=8)

-e, --seed=n

Seed used to select address permutation. Use this if you want to scan addresses in the same order for multiple ZMap runs.

--shards=n

Split the scan up into N shards/partitions among different instances of zmap (default=1). When sharding, --seed is required

--shard=n

Set which shard to scan (default=0). Shards are indexed in the range [0, N), where N is the total number of shards. When sharding --seed is required.

-T, --sender-threads=n

Threads used to send packets (default=1)

-P, --probes=n

Number of probes to send to each IP (default=1)

-d, --dryrun

Print out each packet to stdout instead of sending it (useful for debugging)

Network Options

-s, --source-port=port|range

Source port(s) to send packets from

-S, --source-ip=ip|range

Source address(es) to send packets from. Either single IP or range (e.g. 10.0.0.1-10.0.0.9)

-G, --gateway-mac=addr

Gateway MAC address to send packets to (in case auto-detection does not work)

-i, --interface=name

Network interface to use

Probe Options

ZMap allows users to specify and write their own probe modules for use with ZMap. Probe modules are responsible for generating probe packets to send, and processing responses from hosts.

--list-probe-modules

List available probe modules (e.g. tcp_synscan)

-M, --probe-module=name

Select probe module (default=tcp_synscan)

--probe-args=args

Arguments to pass to probe module

--list-output-fields

List the fields the selected probe module can send to the output module

Output Options

ZMap allows users to specify and write their own output modules for use with ZMap. Output modules are responsible for processing the fieldsets returned by the probe module, and outputing them to the user. Users can specify output fields, and write filters over the output fields.

--list-output-modules

List available output modules (e.g. tcp_synscan)

-O, --output-module=name

Select output module (default=csv)

--output-args=args

Arguments to pass to output module

-f, --output-fields=fields

Comma-separated list of fields to output

--output-filter

Specify an output filter over the fields defined by the probe module

Additional Options

-C, --config=filename

Read a configuration file, which can specify any other options.

-q, --quiet

Do not print status updates once per second

-g, --summary

Print configuration and summary of results at the end of the scan

-v, --verbosity=n

Level of log detail (0-5, default=3)

-h, --help

Print help and exit

-V, --version

Print version and exit

Download ZMap 1.2.1