PREPARE/zmap/src/zmap.1.html

<!DOCTYPE html>
<html>
<head>
  <meta http-equiv='content-type' value='text/html;charset=utf8'>
  <meta name='generator' value='Ronn/v0.7.3 (http://github.com/rtomayko/ronn/tree/0.7.3)'>
  <title>zmap(1) - The Fast Internet Scanner</title>
  <style type='text/css' media='all'>
  /* style: man */
  body#manpage {margin:0}
  .mp {max-width:100ex;padding:0 9ex 1ex 4ex}
  .mp p,.mp pre,.mp ul,.mp ol,.mp dl {margin:0 0 20px 0}
  .mp h2 {margin:10px 0 0 0}
  .mp > p,.mp > pre,.mp > ul,.mp > ol,.mp > dl {margin-left:8ex}
  .mp h3 {margin:0 0 0 4ex}
  .mp dt {margin:0;clear:left}
  .mp dt.flush {float:left;width:8ex}
  .mp dd {margin:0 0 0 9ex}
  .mp h1,.mp h2,.mp h3,.mp h4 {clear:left}
  .mp pre {margin-bottom:20px}
  .mp pre+h2,.mp pre+h3 {margin-top:22px}
  .mp h2+pre,.mp h3+pre {margin-top:5px}
  .mp img {display:block;margin:auto}
  .mp h1.man-title {display:none}
  .mp,.mp code,.mp pre,.mp tt,.mp kbd,.mp samp,.mp h3,.mp h4 {font-family:monospace;font-size:14px;line-height:1.42857142857143}
  .mp h2 {font-size:16px;line-height:1.25}
  .mp h1 {font-size:20px;line-height:2}
  .mp {text-align:justify;background:#fff}
  .mp,.mp code,.mp pre,.mp pre code,.mp tt,.mp kbd,.mp samp {color:#131211}
  .mp h1,.mp h2,.mp h3,.mp h4 {color:#030201}
  .mp u {text-decoration:underline}
  .mp code,.mp strong,.mp b {font-weight:bold;color:#131211}
  .mp em,.mp var {font-style:italic;color:#232221;text-decoration:none}
  .mp a,.mp a:link,.mp a:hover,.mp a code,.mp a pre,.mp a tt,.mp a kbd,.mp a samp {color:#0000ff}
  .mp b.man-ref {font-weight:normal;color:#434241}
  .mp pre {padding:0 4ex}
  .mp pre code {font-weight:normal;color:#434241}
  .mp h2+pre,h3+pre {padding-left:0}
  ol.man-decor,ol.man-decor li {margin:3px 0 10px 0;padding:0;float:left;width:33%;list-style-type:none;text-transform:uppercase;color:#999;letter-spacing:1px}
  ol.man-decor {width:100%}
  ol.man-decor li.tl {text-align:left}
  ol.man-decor li.tc {text-align:center;letter-spacing:4px}
  ol.man-decor li.tr {text-align:right;float:right}
  </style>
</head>
<!--
  The following styles are deprecated and will be removed at some point:
  div#man, div#man ol.man, div#man ol.head, div#man ol.man.

  The .man-page, .man-decor, .man-head, .man-foot, .man-title, and
  .man-navigation should be used instead.
-->
<body id='manpage'>
  <div class='mp' id='man'>

  <div class='man-navigation' style='display:none'>
    <a href="#NAME">NAME</a>
    <a href="#SYNOPSIS">SYNOPSIS</a>
    <a href="#DESCRIPTION">DESCRIPTION</a>
    <a href="#OPTIONS">OPTIONS</a>
  </div>

  <ol class='man-decor man-head man head'>
    <li class='tl'>zmap(1)</li>
    <li class='tc'></li>
    <li class='tr'>zmap(1)</li>
  </ol>

  <h2 id="NAME">NAME</h2>
<p class="man-name">
  <code>zmap</code> - <span class="man-whatis">The Fast Internet Scanner</span>
</p>

<h2 id="SYNOPSIS">SYNOPSIS</h2>

<p>zmap [ -p &lt;port> ] [ -o &lt;outfile&gt; ] [ OPTIONS... ] [ ip/hostname/range ]</p>

<h2 id="DESCRIPTION">DESCRIPTION</h2>

<p><em>ZMap</em> is a network tool for scanning the entire Internet (or large samples).
ZMap is capable of scanning the entire Internet in around 45 minutes on a
gigabit network connection, reaching ~98% theoretical line speed.</p>

<h2 id="OPTIONS">OPTIONS</h2>

<h3 id="BASIC-OPTIONS">BASIC OPTIONS</h3>

<dl>
<dt> <code>ip</code>/<code>hostname</code>/<code>range</code></dt><dd><p> IP addresses or DNS hostnames to scan. Accepts IP ranges in CIDR block
 notation. Defaults to 0.0.0/8</p></dd>
<dt> <code>-p</code>, <code>--target-port=port</code></dt><dd><p> TCP or UDP port number to scan (for SYN scans and basic UDP scans)</p></dd>
<dt> <code>-o</code>, <code>--output-file=name</code></dt><dd><p> When using an output module that uses a file, write results to this file.
 Use - for stdout.</p></dd>
<dt> <code>-b</code>, <code>--blacklist-file=path</code></dt><dd><p> File of subnets to exclude, in CIDR notation, one-per line. It is
 recommended you use this to exclude RFC 1918 addresses, multicast, IANA
 reserved space, and other IANA special-purpose addresses. An example
 blacklist file <strong>blacklist.conf</strong> for this purpose.</p></dd>
</dl>


<h3 id="SCAN-OPTIONS">SCAN OPTIONS</h3>

<dl>
<dt> <code>-n</code>, <code>--max-targets=n</code></dt><dd><p> Cap the number of targets to probe. This can either be a number (e.g. -n
 1000) or a percentage (e.g. -n 0.1%) of the scannable address space
 (after excluding blacklist)</p></dd>
<dt> <code>-N</code>, <code>--max-results=n</code></dt><dd><p> Exit after receiving this many results</p></dd>
<dt> <code>-t</code>, <code>--max-runtime=secs</code></dt><dd><p> Cap the length of time for sending packets</p></dd>
<dt> <code>-r</code>, <code>--rate=pps</code></dt><dd><p> Set the send rate in packets/sec</p></dd>
<dt> <code>-B</code>, <code>--bandwidth=bps</code></dt><dd><p> Set the send rate in bits/second (supports suffixes G, M, and K (e.g. -B
 10M for 10 mbps). Thi   s overrides the --rate flag.</p></dd>
<dt> <code>-c</code>, <code>--cooldown-time=secs</code></dt><dd><p> How long to continue receiving after sending has completed (default=8)</p></dd>
<dt> <code>-e</code>, <code>--seed=n</code></dt><dd><p> Seed used to select address permutation. Use this if you want to scan
 addresses in the same order for multiple ZMap runs.</p></dd>
<dt> <code>--shards=N</code></dt><dd><p> Split the scan up into N shards/partitions among different instances of
 zmap (default=1). When sharding, <strong>--seed</strong> is required.</p></dd>
<dt> <code>--shard=n</code></dt><dd><p> Set which shard to scan (default=0). Shards are 0-indexed in the range
 [0, N), where N is the    total number of shards. When sharding
 <strong>--seed</strong> is required.</p></dd>
<dt> <code>-T</code>, <code>--sender-threads=n</code></dt><dd><p> Threads used to send packets. ZMap will attempt to detect the optimal
 number of send threads based on the number of processor cores.</p></dd>
<dt> <code>-P</code>, <code>--probes=n</code></dt><dd><p> Number of probes to send to each IP (default=1)</p></dd>
<dt> <code>-d</code>, <code>--dryrun</code></dt><dd><p> Print out each packet to stdout instead of sending it (useful for
 debugging)</p></dd>
</dl>


<h3 id="NETWORK-OPTIONS">NETWORK OPTIONS</h3>

<dl>
<dt> <code>-s</code>, <code>--source-port=port|range</code></dt><dd><p> Source port(s) to send packets from</p></dd>
<dt> <code>-S</code>, <code>--source-ip=ip|range</code></dt><dd><p> Source address(es) to send packets from. Either single IP or range (e.g.
 10.0.0.1-10.0.0.9)</p></dd>
<dt> <code>-G</code>, <code>--gateway-mac=addr</code></dt><dd><p> Gateway MAC address to send packets to (in case auto-detection does not
 work)</p></dd>
<dt> <code>-i</code>, <code>--interface=name</code></dt><dd><p> Network interface to use</p></dd>
</dl>


<h3 id="PROBE-OPTIONS">PROBE OPTIONS</h3>

<p>ZMap allows users to specify and write their own probe modules. Probe modules
are responsible for generating probe packets to send, and processing responses
from hosts.</p>

<dl>
<dt> <code>--list-probe-modules</code></dt><dd><p> List available probe modules (e.g. tcp_synscan)</p></dd>
<dt> <code>-M</code>, <code>--probe-module=name</code></dt><dd><p> Select probe module (default=tcp_synscan)</p></dd>
<dt> <code>--probe-args=args</code></dt><dd><p> Arguments to pass to probe module</p></dd>
<dt> <code>--list-output-fields</code></dt><dd><p> List the fields the selected probe module can send to the output module</p></dd>
</dl>


<h3 id="OUTPUT-OPTIONS">OUTPUT OPTIONS</h3>

<p>ZMap allows users to specify and write their own output modules for use with
ZMap. Output modules are responsible for processing the fieldsets returned by
the probe module, and outputing them to the user. Users can specify output
fields, and write filters over the output fields.</p>

<dl>
<dt> <code>--list-output-modules</code></dt><dd><p> List available output modules (e.g. tcp_synscan)</p></dd>
<dt> <code>-O</code>, <code>--output-module=name</code></dt><dd><p> Select output module (default=csv)</p></dd>
<dt> <code>--output-args=args</code></dt><dd><p> Arguments to pass to output module</p></dd>
<dt> <code>-f</code>, <code>--output-fields=fields</code></dt><dd><p> Comma-separated list of fields to output</p></dd>
<dt> <code>--output-filter</code></dt><dd><p> Specify an output filter over the fields defined by the probe module. See
 the output filter section for more details.</p></dd>
</dl>


<h3 id="ADDITIONAL-OPTIONS">ADDITIONAL OPTIONS</h3>

<dl>
<dt> <code>-C</code>, <code>--config=filename</code></dt><dd><p> Read a configuration file, which can specify any other options.</p></dd>
<dt> <code>-q</code>, <code>--quiet</code></dt><dd><p> Do not print status updates once per second</p></dd>
<dt> <code>-g</code>, <code>--summary</code></dt><dd><p> Print configuration and summary of results at the end of the scan</p></dd>
<dt> <code>-v</code>, <code>--verbosity=n</code></dt><dd><p> Level of log detail (0-5, default=3)</p></dd>
<dt> <code>-h</code>, <code>--help</code></dt><dd><p> Print help and exit</p></dd>
<dt> <code>-V</code>, <code>--version</code></dt><dd><p> Print version and exit</p></dd>
</dl>


<h3 id="UDP-PROBE-MODULE-OPTIONS">UDP PROBE MODULE OPTIONS</h3>

<p>These arguments are all passed using the <code>--probe-args=args</code> option. Only one
argument may be passed at a time.</p>

<dl>
<dt> <code>file:/path/to/file</code></dt><dd><p> Path to payload file to send to each host over UDP.</p></dd>
<dt> <code>template:/path/to/template</code></dt><dd><p> Path to template file. For each destination host, the template file is
 populated, set as the UDP payload, and sent.</p></dd>
<dt> <code>text:&lt;text></code></dt><dd><p> ASCII text to send to each destination host</p></dd>
<dt> <code>hex:&lt;hex></code></dt><dd><p>Hex-encoded binary to send to each destination host</p></dd>
<dt> <code>template-fields</code></dt><dd><p> Print information about the allowed template fields and exit.</p></dd>
</dl>


<h3 id="OUPUT-FILTERS">OUPUT FILTERS</h3>

<p>Results generated by a probe module can be filtered before being passed to the
output module. Filters are defined over the output fields of a probe module.
Filters are written in a simple filtering language, similar to SQL, and are
passed to ZMap using the <code>--output-filter</code> option. Output filters are commonly
used to filter out duplicate results, or to only pass only sucessful responses
to the output module.</p>

<p>Filter expressions are of the form <code>&lt;fieldname> &lt;operation> &lt;value></code>. The type of
<code>&lt;value></code> must be either a string or unsigned integer literal, and match the type
of <code>&lt;fieldname></code>. The valid operations for integer comparisons are = !=, <var>, </var>,
<var>=, </var>=. The operations for string comparisons are =, !=. The
<code>--list-output-fields</code> flag will print what fields and types are available for
the selected probe module, and then exit.</p>

<p>Compound filter expressions may be constructed by combining filter expressions
using parenthesis to specify order of operations, the &amp;&amp; (logical AND) and ||
(logical OR) operators.</p>

<p>For example, a filter for only successful, non-duplicate responses would be
written as: <code>--output-filter="success = 1 &amp;&amp; repeat = 0"</code></p>


  <ol class='man-decor man-foot man foot'>
    <li class='tl'></li>
    <li class='tc'>June 2015</li>
    <li class='tr'>zmap(1)</li>
  </ol>

  </div>
</body>
</html>