zmap(1) - f35

1ZMAP(1)                              zmap                              ZMAP(1)
2
3
4

NAME

6       zmap - The Fast Internet Scanner
7

SYNOPSIS

9       zmap  [ -p <port> ] [ -o <outfile> ] [ OPTIONS... ] [ ip/hostname/range
10       ]
11

DESCRIPTION

13       ZMap is a network tool for scanning the entire Internet (or large  sam‐
14       ples).  ZMap  is  capable  of scanning the entire Internet in around 45
15       minutes on a gigabit network connection, reaching ~98% theoretical line
16       speed.
17

OPTIONS

19   BASIC OPTIONS
20       ip/hostname/range
21              IP addresses or DNS hostnames to scan. Accepts IP ranges in CIDR
22              block notation. Defaults to 0.0.0/8
23
24       -p, --target-port=port
25              TCP or UDP port number to scan (for  SYN  scans  and  basic  UDP
26              scans)
27
28       -o, --output-file=name
29              When  using  an output module that uses a file, write results to
30              this file. Use - for stdout.
31
32       -b, --blacklist-file=path
33              File of subnets to exclude, in CIDR notation, one-per  line.  It
34              is  recommended you use this to exclude RFC 1918 addresses, mul‐
35              ticast, IANA reserved  space,  and  other  IANA  special-purpose
36              addresses.  An  example  blacklist  file blacklist.conf for this
37              purpose.
38
39   SCAN OPTIONS
40       -n, --max-targets=n
41              Cap the number of targets to probe. This can either be a  number
42              (e.g.  -n  1000) or a percentage (e.g. -n 0.1%) of the scannable
43              address space (after excluding blacklist)
44
45       -N, --max-results=n
46              Exit after receiving this many results
47
48       -t, --max-runtime=secs
49              Cap the length of time for sending packets
50
51       -r, --rate=pps
52              Set the send rate in packets/sec
53
54       -B, --bandwidth=bps
55              Set the send rate in bits/second (supports suffixes G, M, and  K
56              (e.g. -B 10M for 10 mbps). Thi s overrides the --rate flag.
57
58       -c, --cooldown-time=secs
59              How  long  to  continue  receiving  after  sending has completed
60              (default=8)
61
62       -e, --seed=n
63              Seed used to select address permutation. Use this if you want to
64              scan addresses in the same order for multiple ZMap runs.
65
66       --shards=N
67              Split  the  scan  up  into  N  shards/partitions among different
68              instances  of  zmap  (default=1).  When  sharding,   --seed   is
69              required.
70
71       --shard=n
72              Set which shard to scan (default=0). Shards are 0-indexed in the
73              range [0, N), where N is the total number of shards. When shard‐
74              ing --seed is required.
75
76       -T, --sender-threads=n
77              Threads  used  to  send packets. ZMap will attempt to detect the
78              optimal number of send threads based on the number of  processor
79              cores.
80
81       -P, --probes=n
82              Number of probes to send to each IP (default=1)
83
84       -d, --dryrun
85              Print  out  each  packet to stdout instead of sending it (useful
86              for debugging)
87
88   NETWORK OPTIONS
89       -s, --source-port=port|range
90              Source port(s) to send packets from
91
92       -S, --source-ip=ip|range
93              Source address(es) to send packets from.  Either  single  IP  or
94              range (e.g. 10.0.0.1-10.0.0.9)
95
96       -G, --gateway-mac=addr
97              Gateway  MAC  address to send packets to (in case auto-detection
98              does not work)
99
100       -i, --interface=name
101              Network interface to use
102
103   PROBE OPTIONS
104       ZMap allows users to specify and write their own probe  modules.  Probe
105       modules  are responsible for generating probe packets to send, and pro‐
106       cessing responses from hosts.
107
108       --list-probe-modules
109              List available probe modules (e.g. tcp_synscan)
110
111       -M, --probe-module=name
112              Select probe module (default=tcp_synscan)
113
114       --probe-args=args
115              Arguments to pass to probe module
116
117       --list-output-fields
118              List the fields the selected probe module can send to the output
119              module
120
121   OUTPUT OPTIONS
122       ZMap allows users to specify and write their own output modules for use
123       with ZMap. Output modules are responsible for processing the  fieldsets
124       returned by the probe module, and outputing them to the user. Users can
125       specify output fields, and write filters over the output fields.
126
127       --list-output-modules
128              List available output modules (e.g. tcp_synscan)
129
130       -O, --output-module=name
131              Select output module (default=csv)
132
133       --output-args=args
134              Arguments to pass to output module
135
136       -f, --output-fields=fields
137              Comma-separated list of fields to output
138
139       --output-filter
140              Specify an output filter over the fields defined  by  the  probe
141              module. See the output filter section for more details.
142
143   ADDITIONAL OPTIONS
144       -C, --config=filename
145              Read a configuration file, which can specify any other options.
146
147       -q, --quiet
148              Do not print status updates once per second
149
150       -g, --summary
151              Print  configuration  and  summary  of results at the end of the
152              scan
153
154       -v, --verbosity=n
155              Level of log detail (0-5, default=3)
156
157       -h, --help
158              Print help and exit
159
160       -V, --version
161              Print version and exit
162
163   UDP PROBE MODULE OPTIONS
164       These arguments are all passed using the --probe-args=args option. Only
165       one argument may be passed at a time.
166
167       file:/path/to/file
168              Path to payload file to send to each host over UDP.
169
170       template:/path/to/template
171              Path  to  template file. For each destination host, the template
172              file is populated, set as the UDP payload, and sent.
173
174       text:<text>
175              ASCII text to send to each destination host
176
177       hex:<hex>
178              Hex-encoded binary to send to each destination host
179
180       template-fields
181              Print information about the allowed template fields and exit.
182
183   OUPUT FILTERS
184       Results generated by a probe module can be filtered before being passed
185       to  the  output module. Filters are defined over the output fields of a
186       probe module. Filters are written in a simple filtering language, simi‐
187       lar  to  SQL,  and are passed to ZMap using the --output-filter option.
188       Output filters are commonly used to filter out duplicate results, or to
189       only pass only sucessful responses to the output module.
190
191       Filter expressions are of the form <fieldname> <operation> <value>. The
192       type of <value> must be either a string or  unsigned  integer  literal,
193       and  match  the  type  of <fieldname>. The valid operations for integer
194       comparisons are = !=, ,, =,=. The operations for string comparisons are
195       =,  !=.  The --list-output-fields flag will print what fields and types
196       are available for the selected probe module, and then exit.
197
198       Compound filter expressions may  be  constructed  by  combining  filter
199       expressions  using  parenthesis  to specify order of operations, the &&
200       (logical AND) and || (logical OR) operators.
201
202       For example, a filter  for  only  successful,  non-duplicate  responses
203       would be written as: --output-filter="success = 1 && repeat = 0"
204
205
206
207zmap v2.1.1                     September 2015                         ZMAP(1)