123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229 |
- <!DOCTYPE html>
- <html>
- <head>
- <meta http-equiv='content-type' value='text/html;charset=utf8'>
- <meta name='generator' value='Ronn/v0.7.3 (http://github.com/rtomayko/ronn/tree/0.7.3)'>
- <title>zmap(1) - The Fast Internet Scanner</title>
- <style type='text/css' media='all'>
- /* style: man */
- body#manpage {margin:0}
- .mp {max-width:100ex;padding:0 9ex 1ex 4ex}
- .mp p,.mp pre,.mp ul,.mp ol,.mp dl {margin:0 0 20px 0}
- .mp h2 {margin:10px 0 0 0}
- .mp > p,.mp > pre,.mp > ul,.mp > ol,.mp > dl {margin-left:8ex}
- .mp h3 {margin:0 0 0 4ex}
- .mp dt {margin:0;clear:left}
- .mp dt.flush {float:left;width:8ex}
- .mp dd {margin:0 0 0 9ex}
- .mp h1,.mp h2,.mp h3,.mp h4 {clear:left}
- .mp pre {margin-bottom:20px}
- .mp pre+h2,.mp pre+h3 {margin-top:22px}
- .mp h2+pre,.mp h3+pre {margin-top:5px}
- .mp img {display:block;margin:auto}
- .mp h1.man-title {display:none}
- .mp,.mp code,.mp pre,.mp tt,.mp kbd,.mp samp,.mp h3,.mp h4 {font-family:monospace;font-size:14px;line-height:1.42857142857143}
- .mp h2 {font-size:16px;line-height:1.25}
- .mp h1 {font-size:20px;line-height:2}
- .mp {text-align:justify;background:#fff}
- .mp,.mp code,.mp pre,.mp pre code,.mp tt,.mp kbd,.mp samp {color:#131211}
- .mp h1,.mp h2,.mp h3,.mp h4 {color:#030201}
- .mp u {text-decoration:underline}
- .mp code,.mp strong,.mp b {font-weight:bold;color:#131211}
- .mp em,.mp var {font-style:italic;color:#232221;text-decoration:none}
- .mp a,.mp a:link,.mp a:hover,.mp a code,.mp a pre,.mp a tt,.mp a kbd,.mp a samp {color:#0000ff}
- .mp b.man-ref {font-weight:normal;color:#434241}
- .mp pre {padding:0 4ex}
- .mp pre code {font-weight:normal;color:#434241}
- .mp h2+pre,h3+pre {padding-left:0}
- ol.man-decor,ol.man-decor li {margin:3px 0 10px 0;padding:0;float:left;width:33%;list-style-type:none;text-transform:uppercase;color:#999;letter-spacing:1px}
- ol.man-decor {width:100%}
- ol.man-decor li.tl {text-align:left}
- ol.man-decor li.tc {text-align:center;letter-spacing:4px}
- ol.man-decor li.tr {text-align:right;float:right}
- </style>
- </head>
- <!--
- The following styles are deprecated and will be removed at some point:
- div#man, div#man ol.man, div#man ol.head, div#man ol.man.
- The .man-page, .man-decor, .man-head, .man-foot, .man-title, and
- .man-navigation should be used instead.
- -->
- <body id='manpage'>
- <div class='mp' id='man'>
- <div class='man-navigation' style='display:none'>
- <a href="#NAME">NAME</a>
- <a href="#SYNOPSIS">SYNOPSIS</a>
- <a href="#DESCRIPTION">DESCRIPTION</a>
- <a href="#OPTIONS">OPTIONS</a>
- </div>
- <ol class='man-decor man-head man head'>
- <li class='tl'>zmap(1)</li>
- <li class='tc'></li>
- <li class='tr'>zmap(1)</li>
- </ol>
- <h2 id="NAME">NAME</h2>
- <p class="man-name">
- <code>zmap</code> - <span class="man-whatis">The Fast Internet Scanner</span>
- </p>
- <h2 id="SYNOPSIS">SYNOPSIS</h2>
- <p>zmap [ -p <port> ] [ -o <outfile> ] [ OPTIONS... ] [ ip/hostname/range ]</p>
- <h2 id="DESCRIPTION">DESCRIPTION</h2>
- <p><em>ZMap</em> is a network tool for scanning the entire Internet (or large samples).
- ZMap is capable of scanning the entire Internet in around 45 minutes on a
- gigabit network connection, reaching ~98% theoretical line speed.</p>
- <h2 id="OPTIONS">OPTIONS</h2>
- <h3 id="BASIC-OPTIONS">BASIC OPTIONS</h3>
- <dl>
- <dt> <code>ip</code>/<code>hostname</code>/<code>range</code></dt><dd><p> IP addresses or DNS hostnames to scan. Accepts IP ranges in CIDR block
- notation. Defaults to 0.0.0/8</p></dd>
- <dt> <code>-p</code>, <code>--target-port=port</code></dt><dd><p> TCP or UDP port number to scan (for SYN scans and basic UDP scans)</p></dd>
- <dt> <code>-o</code>, <code>--output-file=name</code></dt><dd><p> When using an output module that uses a file, write results to this file.
- Use - for stdout.</p></dd>
- <dt> <code>-b</code>, <code>--blacklist-file=path</code></dt><dd><p> File of subnets to exclude, in CIDR notation, one-per line. It is
- recommended you use this to exclude RFC 1918 addresses, multicast, IANA
- reserved space, and other IANA special-purpose addresses. An example
- blacklist file <strong>blacklist.conf</strong> for this purpose.</p></dd>
- </dl>
- <h3 id="SCAN-OPTIONS">SCAN OPTIONS</h3>
- <dl>
- <dt> <code>-n</code>, <code>--max-targets=n</code></dt><dd><p> Cap the number of targets to probe. This can either be a number (e.g. -n
- 1000) or a percentage (e.g. -n 0.1%) of the scannable address space
- (after excluding blacklist)</p></dd>
- <dt> <code>-N</code>, <code>--max-results=n</code></dt><dd><p> Exit after receiving this many results</p></dd>
- <dt> <code>-t</code>, <code>--max-runtime=secs</code></dt><dd><p> Cap the length of time for sending packets</p></dd>
- <dt> <code>-r</code>, <code>--rate=pps</code></dt><dd><p> Set the send rate in packets/sec</p></dd>
- <dt> <code>-B</code>, <code>--bandwidth=bps</code></dt><dd><p> Set the send rate in bits/second (supports suffixes G, M, and K (e.g. -B
- 10M for 10 mbps). Thi s overrides the --rate flag.</p></dd>
- <dt> <code>-c</code>, <code>--cooldown-time=secs</code></dt><dd><p> How long to continue receiving after sending has completed (default=8)</p></dd>
- <dt> <code>-e</code>, <code>--seed=n</code></dt><dd><p> Seed used to select address permutation. Use this if you want to scan
- addresses in the same order for multiple ZMap runs.</p></dd>
- <dt> <code>--shards=N</code></dt><dd><p> Split the scan up into N shards/partitions among different instances of
- zmap (default=1). When sharding, <strong>--seed</strong> is required.</p></dd>
- <dt> <code>--shard=n</code></dt><dd><p> Set which shard to scan (default=0). Shards are 0-indexed in the range
- [0, N), where N is the total number of shards. When sharding
- <strong>--seed</strong> is required.</p></dd>
- <dt> <code>-T</code>, <code>--sender-threads=n</code></dt><dd><p> Threads used to send packets. ZMap will attempt to detect the optimal
- number of send threads based on the number of processor cores.</p></dd>
- <dt> <code>-P</code>, <code>--probes=n</code></dt><dd><p> Number of probes to send to each IP (default=1)</p></dd>
- <dt> <code>-d</code>, <code>--dryrun</code></dt><dd><p> Print out each packet to stdout instead of sending it (useful for
- debugging)</p></dd>
- </dl>
- <h3 id="NETWORK-OPTIONS">NETWORK OPTIONS</h3>
- <dl>
- <dt> <code>-s</code>, <code>--source-port=port|range</code></dt><dd><p> Source port(s) to send packets from</p></dd>
- <dt> <code>-S</code>, <code>--source-ip=ip|range</code></dt><dd><p> Source address(es) to send packets from. Either single IP or range (e.g.
- 10.0.0.1-10.0.0.9)</p></dd>
- <dt> <code>-G</code>, <code>--gateway-mac=addr</code></dt><dd><p> Gateway MAC address to send packets to (in case auto-detection does not
- work)</p></dd>
- <dt> <code>-i</code>, <code>--interface=name</code></dt><dd><p> Network interface to use</p></dd>
- </dl>
- <h3 id="PROBE-OPTIONS">PROBE OPTIONS</h3>
- <p>ZMap allows users to specify and write their own probe modules. Probe modules
- are responsible for generating probe packets to send, and processing responses
- from hosts.</p>
- <dl>
- <dt> <code>--list-probe-modules</code></dt><dd><p> List available probe modules (e.g. tcp_synscan)</p></dd>
- <dt> <code>-M</code>, <code>--probe-module=name</code></dt><dd><p> Select probe module (default=tcp_synscan)</p></dd>
- <dt> <code>--probe-args=args</code></dt><dd><p> Arguments to pass to probe module</p></dd>
- <dt> <code>--list-output-fields</code></dt><dd><p> List the fields the selected probe module can send to the output module</p></dd>
- </dl>
- <h3 id="OUTPUT-OPTIONS">OUTPUT OPTIONS</h3>
- <p>ZMap allows users to specify and write their own output modules for use with
- ZMap. Output modules are responsible for processing the fieldsets returned by
- the probe module, and outputing them to the user. Users can specify output
- fields, and write filters over the output fields.</p>
- <dl>
- <dt> <code>--list-output-modules</code></dt><dd><p> List available output modules (e.g. tcp_synscan)</p></dd>
- <dt> <code>-O</code>, <code>--output-module=name</code></dt><dd><p> Select output module (default=csv)</p></dd>
- <dt> <code>--output-args=args</code></dt><dd><p> Arguments to pass to output module</p></dd>
- <dt> <code>-f</code>, <code>--output-fields=fields</code></dt><dd><p> Comma-separated list of fields to output</p></dd>
- <dt> <code>--output-filter</code></dt><dd><p> Specify an output filter over the fields defined by the probe module. See
- the output filter section for more details.</p></dd>
- </dl>
- <h3 id="ADDITIONAL-OPTIONS">ADDITIONAL OPTIONS</h3>
- <dl>
- <dt> <code>-C</code>, <code>--config=filename</code></dt><dd><p> Read a configuration file, which can specify any other options.</p></dd>
- <dt> <code>-q</code>, <code>--quiet</code></dt><dd><p> Do not print status updates once per second</p></dd>
- <dt> <code>-g</code>, <code>--summary</code></dt><dd><p> Print configuration and summary of results at the end of the scan</p></dd>
- <dt> <code>-v</code>, <code>--verbosity=n</code></dt><dd><p> Level of log detail (0-5, default=3)</p></dd>
- <dt> <code>-h</code>, <code>--help</code></dt><dd><p> Print help and exit</p></dd>
- <dt> <code>-V</code>, <code>--version</code></dt><dd><p> Print version and exit</p></dd>
- </dl>
- <h3 id="UDP-PROBE-MODULE-OPTIONS">UDP PROBE MODULE OPTIONS</h3>
- <p>These arguments are all passed using the <code>--probe-args=args</code> option. Only one
- argument may be passed at a time.</p>
- <dl>
- <dt> <code>file:/path/to/file</code></dt><dd><p> Path to payload file to send to each host over UDP.</p></dd>
- <dt> <code>template:/path/to/template</code></dt><dd><p> Path to template file. For each destination host, the template file is
- populated, set as the UDP payload, and sent.</p></dd>
- <dt> <code>text:<text></code></dt><dd><p> ASCII text to send to each destination host</p></dd>
- <dt> <code>hex:<hex></code></dt><dd><p>Hex-encoded binary to send to each destination host</p></dd>
- <dt> <code>template-fields</code></dt><dd><p> Print information about the allowed template fields and exit.</p></dd>
- </dl>
- <h3 id="OUPUT-FILTERS">OUPUT FILTERS</h3>
- <p>Results generated by a probe module can be filtered before being passed to the
- output module. Filters are defined over the output fields of a probe module.
- Filters are written in a simple filtering language, similar to SQL, and are
- passed to ZMap using the <code>--output-filter</code> option. Output filters are commonly
- used to filter out duplicate results, or to only pass only sucessful responses
- to the output module.</p>
- <p>Filter expressions are of the form <code><fieldname> <operation> <value></code>. The type of
- <code><value></code> must be either a string or unsigned integer literal, and match the type
- of <code><fieldname></code>. The valid operations for integer comparisons are = !=, <var>, </var>,
- <var>=, </var>=. The operations for string comparisons are =, !=. The
- <code>--list-output-fields</code> flag will print what fields and types are available for
- the selected probe module, and then exit.</p>
- <p>Compound filter expressions may be constructed by combining filter expressions
- using parenthesis to specify order of operations, the && (logical AND) and ||
- (logical OR) operators.</p>
- <p>For example, a filter for only successful, non-duplicate responses would be
- written as: <code>--output-filter="success = 1 && repeat = 0"</code></p>
- <ol class='man-decor man-foot man foot'>
- <li class='tl'></li>
- <li class='tc'>June 2015</li>
- <li class='tr'>zmap(1)</li>
- </ol>
- </div>
- </body>
- </html>
|