Nmap (Network Mapper) discovers hosts, open ports, running services, and operating system details across your network. Security professionals use it for penetration testing and vulnerability assessments, while system administrators rely on it for network inventory and troubleshooting connectivity issues. Whether you need to verify that firewall rules are blocking the right ports, identify unauthorized devices on your network, or audit which services are exposed to the internet, Nmap provides the scanning capabilities to accomplish these tasks. By the end of this guide, you will have Nmap installed on your Arch Linux system with the knowledge to perform network discovery, service enumeration, and basic security assessments from the command line. This guide also covers Zenmap, the optional graphical frontend, for users who prefer visual network topology mapping.
Install Nmap on Arch Linux
Update the System
Synchronize the package databases and update all installed packages to ensure you install the latest available version and avoid dependency conflicts:
sudo pacman -Syu
This command refreshes your local package database and applies any pending updates. On a rolling release like Arch, regular updates are essential before installing new software.
Install Nmap via Pacman
Install Nmap from the official Arch Linux repositories:
sudo pacman -S nmap
Pacman downloads and installs Nmap along with its dependencies, including Lua for the NSE (Nmap Scripting Engine) and supporting tools like Ncat and Nping.
Verify the Installation
After installation completes, verify that Nmap is working correctly by checking the installed version:
nmap --version
Expected output:
Nmap version 7.98 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.4.8 openssl-3.6.1 libssh2-1.11.1 libz-1.3.1 libpcre2-10.47 libpcap-1.10.6 nmap-libdnet-1.18.0 ipv6
Compiled without:
Available nsock engines: epoll poll select
Because Arch Linux is a rolling release, the version shown above reflects the current package at the time of writing. Your installation will include the latest version available in the repositories.
Optional: Install Zenmap (GUI Frontend)
For users who prefer a graphical interface, Zenmap provides a visual frontend for Nmap with scan result visualization, profile management, and network topology mapping. Zenmap lets you save scan configurations as reusable profiles and compare results between scans to identify changes over time:
sudo pacman -S zenmap
This installs Zenmap along with its Python and GTK dependencies. After installation, verify it launches correctly:
zenmap --version
Expected output:
zenmap 7.98
Launch Zenmap from your application menu or run zenmap from the terminal. Certain scan types (SYN scans, OS detection) require root privileges, so run with sudo zenmap when you need full functionality.
This guide focuses on command-line usage. Zenmap is optional and provides the same scanning capabilities as the CLI with a graphical interface for visualization and profile management.
Nmap Commands and Usage
Understanding Nmap’s core commands helps you leverage its full scanning capabilities. For a comprehensive guide covering more scan types, timing templates, and NSE scripts, see our Nmap Commands for Beginners guide.
Port State Definitions
When scanning for open ports, Nmap reports the state of each port it probes. Understanding these states helps you interpret scan results accurately:
| Port State | Description |
|---|---|
| Open | An application is actively accepting TCP connections, UDP datagrams, or SCTP associations on this port. |
| Closed | The port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. |
| Filtered | Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. Firewalls or router rules may be blocking the probes. |
| Unfiltered | The port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan reports ports in this state. |
| Open\|Filtered | Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. |
| Closed\|Filtered | This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan. |
Basic Scanning Commands
The following fundamental commands cover the most common scanning scenarios.
Scan a Single Host
To scan a host by IP address or domain name:
nmap 192.168.1.1
nmap example.com
For a quick scan of the most common 100 ports, use the -F (fast) flag:
nmap -F 192.168.1.1
To scan your local machine:
nmap localhost
Example output from a localhost scan (your results will vary based on running services):
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-05 10:30 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
A minimal Arch installation with SSH enabled shows only port 22. Desktop systems may show additional ports for CUPS printing (631), Avahi (5353), or other local services. If no services are running, all 1000 default ports appear as closed.
Scan a Network Range
Use CIDR notation to scan an entire subnet:
nmap 192.168.1.0/24
This scans all 256 addresses in the range (192.168.1.0 through 192.168.1.255). You can also use ranges and commas:
nmap 192.168.1.1-50
nmap 192.168.1.1,10,20,30
Host Discovery (Ping Scan)
To discover which hosts are online without port scanning, use the -sn flag:
nmap -sn 192.168.1.0/24
This sends ping probes to each address and reports which hosts responded, which is useful for network inventory before detailed scanning.
Operating System Detection
The -O flag enables OS detection, while --osscan-guess provides more aggressive guessing when exact matches are not found:
sudo nmap -O --osscan-guess 192.168.1.1
OS detection requires root privileges because it uses raw socket access. Without sudo, this scan will fail.
Scan Specific Ports
Use the -p flag to scan specific ports or port ranges:
nmap -p 22,80,443,8080 192.168.1.1
nmap -p 1-1000 192.168.1.1
nmap -p- 192.168.1.1
The -p- option scans all 65,535 ports, which takes significantly longer but provides complete coverage.
Service Version Detection
The -sV flag probes open ports to determine service names and version information:
nmap -sV 192.168.1.1
Example output showing version information:
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 9.6 (protocol 2.0)
80/tcp  open  http     nginx 1.26.3
443/tcp open  ssl/http nginx 1.26.3
TCP SYN Scan (Stealth Scan)
The SYN scan (-sS) is the most popular scan type and the default when Nmap runs with root privileges; without root, Nmap falls back to a connect scan (-sT). It is fast and relatively stealthy because it never completes TCP connections:
sudo nmap -sS 192.168.1.1
SYN scans require root privileges because they send raw packets directly rather than using the operating system’s TCP stack.
UDP Scan
UDP services like DNS, SNMP, and DHCP do not appear in TCP scans. Use -sU to scan UDP ports:
sudo nmap -sU -p 53,67,123,161 192.168.1.1
UDP scans are slower than TCP scans because UDP does not acknowledge received packets. Limiting the port range speeds up the scan.
Aggressive Scan
The -A flag enables OS detection, version detection, script scanning, and traceroute in a single command:
sudo nmap -A 192.168.1.1
This scan provides the most comprehensive results but is also the most detectable and takes longer to complete.
Output Formats
Save scan results to files for later analysis or processing:
nmap -oN output.txt 192.168.1.1
nmap -oX output.xml 192.168.1.1
nmap -oG output.gnmap 192.168.1.1
nmap -oA output 192.168.1.1
The -oN flag saves normal output, -oX saves XML for parsing with other tools, -oG saves grepable output, and -oA saves all three formats simultaneously with the specified base filename.
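The grepable format suits the exposure audit this guide describes: comparing what a scan found open against what you expect to be open. The script below is an added example, not part of the original guide; the function names, the baseline file format (one "host port/proto" per line), and the sample scan data are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag open ports in Nmap grepable (-oG) output that are
# missing from an approved baseline. All hosts and ports are constructed.

# Constructed sample of `nmap -oG` output; fields are tab-separated.
sample_gnmap() {
  printf '# Nmap 7.98 scan initiated as: nmap -oG output.gnmap 192.168.1.0/24\n'
  printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
  printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///, 631/open/tcp//ipp///, 53/open|filtered/udp//domain///\n'
}

# Read -oG output on stdin; print "host port/proto service" for every port
# whose state is exactly "open" (open|filtered is ambiguous and is skipped).
open_ports() {
  awk -F'\t' '
    /^Host: / {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entry, ", ")   # drop the "Ports: " prefix
        for (j = 1; j <= n; j++) {
          # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
          split(entry[j], f, "/")
          if (f[2] == "open") print host, f[1] "/" f[3], f[5]
        }
      }
    }'
}

# Read -oG output on stdin; print open ports not listed in baseline file $1.
# An empty or missing baseline approves nothing, so every open port is reported.
unexpected_ports() {
  open_ports | awk -v base="$1" '
    BEGIN { while ((getline line < base) > 0) ok[line] }
    !(($1 " " $2) in ok)'
}

# Demo: the baseline approves SSH on both hosts and HTTP on 192.168.1.1.
baseline=$(mktemp)
printf '192.168.1.1 22/tcp\n192.168.1.1 80/tcp\n192.168.1.20 22/tcp\n' > "$baseline"
sample_gnmap | unexpected_ports "$baseline"   # prints: 192.168.1.20 631/tcp ipp
rm -f "$baseline"
```

To run it against a real scan, replace sample_gnmap with the file written by -oG, for example `unexpected_ports baseline.txt < output.gnmap`.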
View All Options
Nmap includes extensive built-in documentation. To see all available options and flags:
nmap --help
For detailed documentation on specific topics, consult the man page:
man nmap
Troubleshooting Common Issues
Permission Denied During Scanning
Certain scan types (SYN scan, OS detection, UDP scans) require raw socket access and must run with root privileges:
# This fails without root:
nmap -sS 192.168.1.1
TCP SYN Stealth Scan requires root privileges.
Run with sudo to resolve:
sudo nmap -sS 192.168.1.1
Connect scans (-sT) work without root privileges but are slower and more detectable.
Host Seems Down (But Is Not)
If Nmap reports a host as down when you know it is online, the host may be blocking ping probes. Disable host discovery to scan anyway:
nmap -Pn 192.168.1.1
The -Pn flag skips the ping check and proceeds directly to port scanning.
Scans Taking Too Long
Large network scans or full port scans can take considerable time. Speed up scans with timing templates:
nmap -T4 192.168.1.0/24
Timing templates range from -T0 (paranoid) to -T5 (insane). -T4 is aggressive but usually safe on modern networks, while -T3 is the default.
Other speed optimizations include skipping DNS resolution with -n and limiting the port range with -F:
nmap -T4 -n -F 192.168.1.0/24
All Ports Showing as Filtered
If every port shows as filtered, a firewall is likely blocking your probes. Try different scan techniques:
sudo nmap -sA 192.168.1.1
sudo nmap -sF 192.168.1.1
sudo nmap -sW 192.168.1.1
ACK scans (-sA) can sometimes bypass stateless firewalls, while FIN scans (-sF) and Window scans (-sW) may slip through packet filters that only block SYN packets.
Package Installation Issues
If pacman cannot locate the nmap package, your package database may be out of sync:
sudo pacman -Syu
Then retry the installation. If issues persist, verify the package exists in the repositories:
pacman -Ss nmap
Expected output:
extra/nmap 7.98-4
    Utility for network discovery and security auditing
extra/zenmap 7.98-4
    Graphical Nmap frontend and results viewer
If the package appears but still fails to install, try clearing the package cache and forcing a full refresh of the package databases:
sudo pacman -Sc
sudo pacman -Syyu
Remove Nmap from Arch Linux
If you no longer need Nmap, remove it along with any orphaned dependencies:
sudo pacman -Rns nmap
The -R flag removes the package, -n removes backup configuration files, and -s removes orphaned dependencies that were installed with Nmap but are no longer needed by other packages.
To verify successful removal:
command -v nmap
If Nmap was removed successfully, this command returns no output.
If you also installed Zenmap, remove it separately:
sudo pacman -Rns zenmap
Frequently Asked Questions
Scanning networks you own or have explicit permission to test is legal. Scanning networks without authorization is illegal in many jurisdictions and can result in serious legal consequences. Always obtain written permission before scanning networks you do not own or control.
Certain scan types (SYN, UDP, OS detection) require raw socket access to craft custom packets at the network layer. Linux restricts raw socket access to root for security reasons. Connect scans (-sT) use the standard socket API and work without root, but they are slower and more detectable.
SYN scans (-sS) send a SYN packet and analyze the response without completing the TCP handshake, making them faster and stealthier. Connect scans (-sT) complete the full TCP three-way handshake, which is logged by most applications but does not require root privileges.
Arch Linux is a rolling release that typically packages new Nmap versions within days of their upstream release. Run sudo pacman -Syu regularly to receive the latest version along with your other system updates.
The Arch nmap package includes several companion utilities: Ncat for network connections and data transfer, Nping for packet generation and response analysis, and Ndiff for comparing scan results. The Nmap Scripting Engine (NSE) with over 600 scripts is also included for vulnerability detection and network discovery.
Yes. Use the -6 flag to enable IPv6 scanning. For example, nmap -6 ::1 scans localhost over IPv6. Most scan types work identically for IPv6, though OS detection has fewer fingerprints available compared to IPv4.
Additional Resources
- Nmap Official Website – Downloads, documentation, and the Nmap Network Scanning book
- ArchWiki Nmap Page – Arch-specific configuration and usage notes
- Nmap Network Scanning Book – The official guide by Nmap’s creator, available free online
Conclusion
You now have Nmap installed on Arch Linux with the core techniques for network scanning: host discovery with -sn, service detection with -sV, OS fingerprinting with -O, and output saving with -oA. These capabilities let you audit firewall configurations, inventory network devices, and identify exposed services across your infrastructure.
For production security work, pair Nmap with defensive tools. Configure firewalld on Arch Linux to lock down systems you have scanned, or set up UFW on Arch Linux for a simpler firewall interface. To secure remote access on systems you have audited, see our guide on installing OpenSSH on Arch Linux.