Scripts · May 17, 2026 · 3 min read

ZMap — Fast Single-Packet Internet-Wide Network Scanner

ZMap is a fast network scanner designed for internet-wide surveys that can scan the entire IPv4 address space in under an hour on a single machine using stateless packet transmission.

Universal CLI install command
npx tokrepo install 3e8b5b7c-5187-11f1-9bc6-00163e2b0d79

Introduction

ZMap is a stateless network scanner designed for large-scale network surveys. Developed at the University of Michigan, it sends one probe packet per target and keeps no per-connection state, which lets it scan billions of addresses orders of magnitude faster than traditional tools like nmap.

What ZMap Does

  • Scans large network ranges at speeds exceeding millions of packets per second on commodity hardware
  • Uses stateless probing to eliminate per-connection memory overhead during scanning
  • Supports TCP SYN, ICMP echo, UDP, and custom probe modules for different scan types
  • Outputs results in CSV, JSON, or Redis format for integration with analysis pipelines
  • Randomizes scan order cryptographically to distribute probes evenly across the target space

Architecture Overview

ZMap operates on a send/receive split architecture. The send path generates packets using a permutation-based algorithm that visits each target exactly once in pseudo-random order without maintaining a list. The receive path captures responses asynchronously via libpcap. This stateless design means memory usage is constant regardless of the number of targets — enabling internet-scale scanning from a single machine.

Self-Hosting & Configuration

  • Requires root or CAP_NET_RAW capability to send raw packets
  • Configuration via CLI flags or a config file for default options like bandwidth and interface
  • Blocklist file support to exclude sensitive or reserved address ranges from scans
  • Output modules support direct piping to ZGrab2 for application-layer handshake completion
  • Rate limiting via -r flag prevents overwhelming network infrastructure
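The permutation walk from the Architecture Overview and the blocklist exclusion listed above, as an added example at /16 scale that is not ZMap's own code. It steps through a multiplicative group modulo a prime; the prime `P`, generator `G`, the `DEMO_BL` ranges and all function names are assumptions chosen for the illustration, and no packets are sent.

```c
/* Added illustration, not ZMap source: cyclic-group target iteration for a /16. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define P 65537u /* prime just above the 65536 host offsets of a /16 */
#define G 3u     /* primitive root mod P: its powers reach every value 1..P-1 */

struct range { uint32_t first, last; }; /* inclusive offsets to exclude */
typedef void (*visit_fn)(uint32_t off, void *ctx);
const struct range DEMO_BL[2] = { {0, 255}, {65280, 65535} }; /* constructed */

static int blocked(uint32_t off, const struct range *bl, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (off >= bl[i].first && off <= bl[i].last) return 1;
    return 0;
}

/* Walk the whole cycle once. The only scan state is x; returns probes sent. */
uint32_t walk(uint32_t seed, uint32_t space, const struct range *bl, size_t nbl,
              visit_fn visit, void *ctx) {
    uint32_t first = seed % (P - 1) + 1, x = first, sent = 0;
    do {
        uint32_t off = x - 1; /* group element 1..P-1 -> offset 0..P-2 */
        if (off < space && !blocked(off, bl, nbl)) {
            if (visit) visit(off, ctx);
            sent++;
        }
        x = (uint32_t)(((uint64_t)x * G) % P); /* step to the next element */
    } while (x != first);
    return sent;
}

static void mark(uint32_t off, void *ctx) { ((uint8_t *)ctx)[off]++; }
/* Check only (the walk itself keeps no list): 1 if every allowed offset was
   visited exactly once and no excluded offset was visited. */
int coverage_ok(uint32_t seed, uint32_t space, const struct range *bl, size_t nbl) {
    static uint8_t seen[P - 1];
    memset(seen, 0, sizeof seen);
    walk(seed, space, bl, nbl, mark, seen);
    for (uint32_t off = 0; off < space && off < P - 1; off++)
        if (seen[off] != (blocked(off, bl, nbl) ? 0 : 1)) return 0;
    return 1;
}

int main(void) {
    printf("probes=%u coverage_ok=%d\n", walk(12345, 65536, DEMO_BL, 2, NULL, NULL),
           coverage_ok(12345, 65536, DEMO_BL, 2));
    return 0;
}
```

The `seen` array exists only to verify coverage; the walk itself carries a single integer between probes, which is why memory stays constant as the target space grows.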

Key Features

  • Stateless design scans the entire IPv4 space in under 45 minutes at 10Gbps
  • Cryptographic permutation ensures uniform random scan order without storing target lists
  • Modular probe architecture supports custom packet formats beyond built-in TCP/UDP/ICMP
  • Integration with ZGrab2 for follow-up application-layer data collection (TLS certs, HTTP banners)
  • Constant memory usage regardless of scan scope — no per-target state stored

Comparison with Similar Tools

  • nmap — feature-rich but connection-stateful and slow for large ranges; ZMap trades depth for internet-scale speed
  • masscan — similar stateless approach with comparable speed; ZMap has stronger academic backing and ZGrab2 integration
  • Shodan/Censys — cloud-hosted internet scan databases; ZMap lets you run your own scans with custom probes
  • Unicornscan — asynchronous scanner but less maintained and slower than ZMap at scale

FAQ

Q: Is it legal to use ZMap? A: Running ZMap is legal in most jurisdictions, but scanning networks you do not own may violate terms of service. Always use blocklists and scan responsibly.

Q: How much bandwidth does a full IPv4 scan consume? A: At the default rate, a full scan takes several hours. At 1Gbps, it completes in about 45 minutes. Adjust with -B (bandwidth) or -r (rate).

Q: Can ZMap detect which services are running on open ports? A: ZMap only identifies open ports. Use ZGrab2 as a follow-up tool to perform application-layer handshakes and banner grabbing.

Q: Does ZMap support IPv6 scanning? A: ZMap primarily targets IPv4. The IPv6 address space is too large for brute-force enumeration, requiring different approaches.
