Preparation

RustScan finds open ports quickly; hand only those ports to nmap for service analysis instead of asking nmap to sweep all 65535 ports itself. Run rustscan first, then nmap on what it found.

rustscan -u 10000 --scripts none -a <comma-delimited list of CIDRs, IPs, or hosts>

RustScan's scripting engine is extensible but awkward to set up (its default script already hands the open ports to nmap, but with RustScan's own choice of arguments), so we disable it here with --scripts none and run nmap ourselves with the flags we want.

If the scanning host, or a router in the path, runs netfilter connection tracking, a fast scan can fill the conntrack table. Once it is full the kernel drops new packets (dmesg shows "nf_conntrack: table full, dropping packet") and ports are silently missed, so raise nf_conntrack_max before scanning. 262144 tracked connections should take less than 100 MiB of RAM. Compare net.netfilter.nf_conntrack_count against the limit during a scan to see how close you are.

sysctl net.netfilter.nf_conntrack_max=262144

You may also consider reducing net.netfilter.nf_conntrack_tcp_timeout_syn_sent. A SYN that never gets an answer (a filtered port) otherwise keeps its conntrack entry for the default 120 seconds, far longer than a scan needs, and those dead entries are what fill the table; a few tens of seconds is plenty.

Nmap Flags

  • -oX <file>: Output scan in XML format to <file>. Use - for stdout. You could also use -oN or -oG for normal and Grep-able format, respectively.
  • -v: Increase verbosity level. Most changes only affect interactive and normal output. Use if you want to watch scan progress; nmap then prints periodic estimates such as:
      Connect Scan Timing: About 1.03% done; ETC: 20:25 (1:00:00 remaining)
  • -sV: Probe open ports to determine service/version info.
  • -A: Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute). Both OS detection and traceroute require root privileges, so normal users effectively get -sV -sC. The default script set is considered intrusive, so do not use -A against networks you are not authorized to test.
  • -Pn: Treat all hosts as online and skip host discovery. Use it when ICMP or the discovery probes are filtered; otherwise nmap declares the host down and never scans its ports.
  • -T paranoid|sneaky|polite|normal|aggressive|insane: Set timing template (higher is faster). You can specify them with the -T option and their number (0–5) or their name. On a decent broadband or ethernet connection, -T4 is a sensible default; -T5 trades accuracy for speed and can miss ports on a lossy path.
  • --min-rate <number>: Override Nmap's dynamic timing to send packets no slower than <number> per second. When the option is given, Nmap will do its best to send packets as fast as or faster than the given rate. Set it too high for the path (or for your conntrack table) and dropped probes show up as filtered ports, so re-check suspicious results at a lower rate.
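
The whole procedure above, the conntrack headroom check from Preparation and the rustscan-then-nmap handoff using the flags listed here, as one added example script (not the page's or RustScan's own code). It assumes RustScan's greppable output format ("IP -> [p1,p2,...]" from rustscan -g), a scanner host whose conntrack counters live under /proc/sys/net/netfilter, and arbitrary choices for the 80% warning threshold and --min-rate 500:

```bash
#!/usr/bin/env bash
# Added example: conntrack headroom check, then rustscan -> nmap handoff.
# Assumptions (not from the original page): rustscan -g prints "IP -> [22,80,443]";
# the 80% warning threshold and --min-rate 500 are arbitrary choices.
set -u

# Percentage of nf_conntrack_max currently in use. Arguments: count max.
conntrack_usage_pct() {
  local count=$1 max=$2
  [ "$max" -gt 0 ] || { echo 100; return; }
  echo $(( count * 100 / max ))
}

# Read the live counters and warn when the table is close to full. A full
# table makes the kernel drop packets ("nf_conntrack: table full"), which
# shows up as ports silently missing from the scan.
check_conntrack() {
  local d=/proc/sys/net/netfilter count max pct
  if [ ! -r "$d/nf_conntrack_count" ]; then
    echo "conntrack not loaded; nothing to check" >&2
    return 0
  fi
  count=$(cat "$d/nf_conntrack_count")
  max=$(cat "$d/nf_conntrack_max")
  pct=$(conntrack_usage_pct "$count" "$max")
  echo "conntrack: $count/$max entries in use ($pct%)" >&2
  if [ "$pct" -ge 80 ]; then
    echo "warning: raise net.netfilter.nf_conntrack_max before scanning" >&2
    return 1
  fi
}

# Turn one rustscan -g line ("10.0.0.5 -> [22,80,443]") into "host ports".
# Any other line (banner, warning, empty) is rejected with status 1.
parse_rustscan_line() {
  local line=$1 host ports
  case $line in
    *' -> ['*']') ;;
    *) return 1 ;;
  esac
  host=${line%% -> *}
  ports=${line#* -> [}
  ports=${ports%]}
  printf '%s %s\n' "$host" "$ports"
}

# nmap invocation for one host: skip discovery (-Pn), version and default
# scripts only on the ports rustscan found, XML report per host.
nmap_cmd_for() {
  local host=$1 ports=$2
  printf 'nmap -Pn -T4 --min-rate 500 -sV -sC -v -p%s -oX %s.xml %s\n' \
    "$ports" "$host" "$host"
}

main() {
  local targets=$1 line parsed cmd
  check_conntrack || true   # warn, but let the operator decide
  rustscan -u 10000 --scripts none -g -a "$targets" | while IFS= read -r line; do
    parsed=$(parse_rustscan_line "$line") || continue
    set -- $parsed            # $1 = host, $2 = comma-separated ports
    cmd=$(nmap_cmd_for "$1" "$2")
    echo "+ $cmd" >&2
    $cmd
  done
}

# Usage: ./scan.sh <comma-delimited list of CIDRs, IPs, or hosts>
# Only runs the pipeline when a target list is given.
if [ "$#" -gt 0 ]; then
  main "$1"
fi
```

The parse step is deliberately strict: RustScan prints banners and warnings on stdout too, and feeding one of those to nmap as a target would be a silent mistake. Per-host XML files (host.xml) can be merged or fed to other tooling afterwards, which is why -oX rather than normal output is used here.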
