This option specifies which ports you want to scan and
overrides the default. Individual port numbers are OK, as
are ranges separated by a hyphen (e.g. 1-1023). The
beginning and/or end values of a range may be omitted,
causing Nmap to use 1 and 65535, respectively. So you can
specify -p-
to scan ports from 1 through
65535. Scanning port zero is allowed if you specify it
explicitly. For IP protocol scanning (-sO
), this option
specifies the protocol numbers you wish to scan for
(0-255).
When scanning both TCP and UDP ports, you can specify
a particular protocol by preceding the port numbers by T:
or U:
. The qualifier lasts until you specify another
qualifier. For example, the argument -p
U:53,111,137,T:21-25,80,139,8080
would scan UDP
ports 53,111,and 137, as well as the listed TCP ports. Note
that to scan both UDP & TCP, you have to specify
-sU
and at least one TCP scan type (such as
-sS
, -sF
, or
-sT
). If no protocol qualifier is given,
the port numbers are added to all protocol lists.
Ports can also be specified by name according to what the
port is referred to in the nmap-services
. You
can even use the wildcards * and ? with the names. For example, to scan
FTP and all ports whose names begin with http, use -p ftp,http*
.
Be careful about shell expansions and quote the argument to -p
if unsure.
Ranges of ports can be surrounded by square brackets to indicate
ports inside that range that appear in nmap-services
.
For example, the following will scan all ports in nmap-services
equal to or below 1024: -p [-1024]
. Be careful with shell
expansions and quote the argument to -p
if unsure.