zmap - The Fast Internet Scanner
zmap [ -p <port> ] [ -o <outfile> ] [ OPTIONS... ] [ ip/hostname/range ]
ZMap is a network tool for scanning the entire Internet (or large samples of it). ZMap is capable of scanning the entire Internet in around 45 minutes on a gigabit network connection, reaching ~98% of theoretical line speed.
ip/hostname/range
    IP addresses or DNS hostnames to scan. Accepts IP ranges in CIDR block notation. Defaults to 0.0.0/8
-p, --target-port=port
    TCP or UDP port number to scan (for SYN scans and basic UDP scans)
-o, --output-file=name
    When using an output module that uses a file, write results to this file. Use - for stdout.
-b, --blacklist-file=path
    File of subnets to exclude, in CIDR notation, one per line. It is recommended you use this to exclude RFC 1918 addresses, multicast, IANA reserved space, and other IANA special-purpose addresses. An example blacklist file, blacklist.conf, is provided for this purpose.
-n, --max-targets=n
    Cap the number of targets to probe. This can either be a number (e.g. -n 1000) or a percentage (e.g. -n 0.1%) of the scannable address space (after excluding the blacklist).
-N, --max-results=n
    Exit after receiving this many results
-t, --max-runtime=secs
    Cap the length of time for sending packets
-r, --rate=pps
    Set the send rate in packets/sec
-B, --bandwidth=bps
    Set the send rate in bits/second (supports suffixes G, M, and K, e.g. -B 10M for 10 Mbps). This overrides the --rate flag.
-c, --cooldown-time=secs
    How long to continue receiving after sending has completed (default=8)
-e, --seed=n
    Seed used to select address permutation. Use this if you want to scan addresses in the same order for multiple ZMap runs.
--shards=N
    Split the scan up into N shards/partitions among different instances of zmap (default=1). When sharding, --seed is required.
--shard=n
    Set which shard to scan (default=0). Shards are 0-indexed in the range [0, N), where N is the total number of shards. When sharding, --seed is required.
-T, --sender-threads=n
    Threads used to send packets. ZMap will attempt to detect the optimal number of send threads based on the number of processor cores.
-P, --probes=n
    Number of probes to send to each IP (default=1)
-d, --dryrun
    Print out each packet to stdout instead of sending it (useful for debugging)
-s, --source-port=port|range
    Source port(s) to send packets from
-S, --source-ip=ip|range
    Source address(es) to send packets from. Either single IP or range (e.g. 10.0.0.1-10.0.0.9)
-G, --gateway-mac=addr
    Gateway MAC address to send packets to (in case auto-detection does not work)
-i, --interface=name
    Network interface to use
ZMap allows users to specify and write their own probe modules. Probe modules are responsible for generating probe packets to send, and processing responses from hosts.
--list-probe-modules
    List available probe modules (e.g. tcp_synscan)
-M, --probe-module=name
    Select probe module (default=tcp_synscan)
--probe-args=args
    Arguments to pass to probe module
--list-output-fields
    List the fields the selected probe module can send to the output module
ZMap allows users to specify and write their own output modules for use with ZMap. Output modules are responsible for processing the fieldsets returned by the probe module, and outputting them to the user. Users can specify output fields, and write filters over the output fields.
--list-output-modules
    List available output modules (e.g. csv)
-O, --output-module=name
    Select output module (default=csv)
--output-args=args
    Arguments to pass to output module
-f, --output-fields=fields
    Comma-separated list of fields to output
--output-filter
    Specify an output filter over the fields defined by the probe module
-C, --config=filename
    Read a configuration file, which can specify any other options.
-q, --quiet
    Do not print status updates once per second
-g, --summary
    Print configuration and summary of results at the end of the scan
-v, --verbosity=n
    Level of log detail (0-5, default=3)
-h, --help
    Print help and exit
-V, --version
    Print version and exit
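
An added example, not part of ZMap or of this manual: a Python check to run over a --blacklist-file before a scan, reporting which recommended exclusions are missing and how many IPv4 addresses remain scannable. The MUST_EXCLUDE selection, the '#' comment handling and the sample file contents are assumptions of this example.

```python
import ipaddress

# Ranges this example insists on (a selection made here, not ZMap's own list).
MUST_EXCLUDE = {
    "10.0.0.0/8": "RFC 1918",
    "172.16.0.0/12": "RFC 1918",
    "192.168.0.0/16": "RFC 1918",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "IANA reserved",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
}

# Constructed sample, not the blacklist.conf shipped with ZMap.
SAMPLE = """\
10.0.0.0/8        # RFC 1918
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8
224.0.0.0/4
198.51.100.0/24   # TEST-NET-2
"""

def parse_blacklist(text):
    """Parse one-CIDR-per-line text into collapsed IPv4 networks."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not entry:
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.0.1/8
            nets.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r}: {exc}") from None
    # Collapsing merges adjacent/overlapping entries so nothing is counted twice.
    return list(ipaddress.collapse_addresses(nets))

def audit(text):
    """Return (missing recommended exclusions, count of scannable addresses)."""
    nets = parse_blacklist(text)
    missing = [f"{cidr} ({why})" for cidr, why in MUST_EXCLUDE.items()
               if not any(ipaddress.IPv4Network(cidr).subnet_of(n) for n in nets)]
    return missing, 2**32 - sum(n.num_addresses for n in nets)

if __name__ == "__main__":
    missing, scannable = audit(SAMPLE)
    print("not excluded:", ", ".join(missing) or "none")
    print("scannable IPv4 addresses:", scannable)
```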