A Comprehensive Guide to Nmap with Screenshots
Output:
Option -oN <filespec> (Normal output):
Requests that normal output be directed to the given filename. As discussed above, this differs slightly from interactive output.
Option -oX <filespec> (XML output):
Requests that XML output be directed to the given filename. Nmap includes a document type definition (DTD) which allows XML parsers to validate Nmap XML output. While it is primarily intended for programmatic use, it can also help humans interpret Nmap XML output. The DTD defines the legal elements of the format, and often enumerates the attributes and values they can take on. The latest version is always available from http://insecure.org/nmap/data/nmap.dtd.
Option -oS <filespec> (ScRipT KIdd|3 oUTpuT):
Script kiddie output is like interactive output, except that it is post-processed to better suit the l33t HaXXorZ who previously looked down on Nmap due to its consistent capitalization and spelling. Humor-impaired people should note that this option is making fun of the script kiddies before flaming me for supposedly “helping them”.
Option -oG <filespec> (Grepable output):
This output format is covered last because it is deprecated. The XML output format is far more powerful, and is nearly as convenient for experienced users. XML is a standard for which dozens of excellent parsers are available, while grepable output is my own simple hack. XML is extensible to support new Nmap features as they are released, while I often must omit those features from grepable output for lack of a place to put them.
Nevertheless, grepable output is still quite popular. It is a simple format that lists each host on one line and can be trivially searched and parsed with standard UNIX tools such as grep, awk, cut, sed, diff, and Perl. Even I usually use it for one-off tests done at the command line. Finding all the hosts with the ssh port open or that are running Solaris takes only a simple grep to identify the hosts, piped to an awk or cut command to print the desired fields.
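The grep/awk workflow described above, as an added example that is not part of the original page: constructed -oG sample lines (documentation IP ranges, made-up version strings) are parsed with awk to list hosts with port 22 open, hosts whose OS field mentions Solaris, and the hosts in both lists. The helper names (sample_gnmap, hosts_with_open_port, hosts_running_os, ssh_and_solaris) are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not the page's own code: parsing Nmap grepable (-oG) output.
# Constructed sample in the -oG layout: tab-separated fields, port entries
# separated by ", ", each entry written port/state/proto/owner/service/rpc/version/.
sample_gnmap() {
  printf '%s\n' '# Nmap scan initiated (constructed sample) as: nmap -sV -O -oG sample.gnmap 192.0.2.0/29'
  printf 'Host: 192.0.2.1 (gw.example)\tStatus: Up\n'
  printf 'Host: 192.0.2.1 (gw.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.24/\tIgnored State: closed (998)\tOS: Linux 5.X\n'
  printf 'Host: 192.0.2.2 ()\tPorts: 22/closed/tcp//ssh///, 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///\tOS: Solaris 10\n'
  printf 'Host: 192.0.2.3 ()\tPorts: 22/open/tcp//ssh//SunSSH 1.1/, 25/open|filtered/tcp//smtp///\tOS: Solaris 11\n'
  printf 'Host: 192.0.2.4 ()\tStatus: Up\n'
  printf '%s\n' '# Nmap done (constructed sample) -- 8 IP addresses (4 hosts up) scanned'
}

# Print the IP of every host whose Ports field lists port $1 with state "open".
# Comment lines and Status-only lines carry no Ports field and are skipped;
# "open|filtered" is deliberately not counted as open.
hosts_with_open_port() {
  awk -F'\t' -v want="$1" '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)   # keep the IP only
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
        n = split(substr($i, 8), entry, /, /)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")            # f[1]=port f[2]=state f[3]=proto
          if (f[1] == want && f[2] == "open") { print host; break }
        }
      }
    }'
}

# Print the IP of every host whose OS field contains the substring $1.
hosts_running_os() {
  awk -F'\t' -v pat="$1" '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      for (i = 2; i <= NF; i++) if ($i ~ /^OS: / && index($i, pat)) print host
    }'
}

# Hosts that have SSH open and also look like Solaris: intersect the two lists.
ssh_and_solaris() {
  tmp=$(mktemp); sample_gnmap | hosts_with_open_port 22 > "$tmp"
  sample_gnmap | hosts_running_os Solaris | grep -F -x -f "$tmp"; rm -f "$tmp"
}

sample_gnmap | hosts_with_open_port 22   # 192.0.2.1 and 192.0.2.3
ssh_and_solaris                          # 192.0.2.3
```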
Option -oA <basename> (Output to all formats):
As a convenience, you may specify -oA basename to store scan results in normal, XML, and grepable formats at once. They are stored in basename.nmap, basename.xml, and basename.gnmap, respectively. As with most programs, you can prefix the filenames with a directory path, such as ~/nmaplogs/foocorp/ on UNIX or c:\hacking\sco on Windows.
Option -v (Increase verbosity level):
Increases the verbosity level, causing Nmap to print more information about the scan in progress. Open ports are shown as they are found and completion time estimates are provided when Nmap thinks a scan will take more than a few minutes. Use it twice for even greater verbosity. Using it more than twice has no effect.
Option -d [level] (Increase or set debugging level):
When even verbose mode doesn’t provide sufficient data for you, debugging is available to flood you with much more! As with the verbosity option (-v), debugging is enabled with a command-line flag (-d) and the debug level can be increased by specifying it multiple times. Alternatively, you can set a debug level by giving an argument to -d. For example, -d9 sets level nine. That is the highest effective level and will produce thousands of lines unless you run a very simple scan with very few ports and targets.
Option --packet-trace (Trace packets and data sent and received):
Causes Nmap to print a summary of every packet sent or received. This is often used for debugging, but is also a valuable way for new users to understand exactly what Nmap is doing under the covers. To avoid printing thousands of lines, you may want to specify a limited number of ports to scan, such as -p20-30. If you only care about the goings on of the version detection subsystem, use --version-trace instead.
Option --open (Show only open (or possibly open) ports):
Sometimes you only care about ports you can actually connect to (open ones), and don’t want results cluttered with closed, filtered, and closed|filtered ports. Output customization is normally done after the scan using tools such as grep, awk, and Perl, but this feature was added due to overwhelming requests. Specify --open to only see open, open|filtered, and unfiltered ports. These three port states are treated just as they normally are, which means that open|filtered and unfiltered may be condensed into counts if there are an overwhelming number of them.
Option --iflist (List interfaces and routes):
Prints the interface list and system routes as detected by Nmap. This is useful for debugging routing problems or device mischaracterization (such as Nmap treating a PPP connection as Ethernet).
Option --log-errors (Log errors/warnings to normal mode output file):
Warnings and errors printed by Nmap usually go only to the screen (interactive output), leaving any specified normal-format output files uncluttered. But when you do want to see those messages in the normal output file you specified, add this option. It is useful when you aren’t watching the interactive output or are trying to debug a problem. The messages will also still appear in interactive mode. This will not work for most errors related to bad command-line arguments, as Nmap may not have initialized its output files yet. In addition, some Nmap error/warning messages use a different system that does not yet support this option. An alternative to using this option is redirecting interactive output (including the standard error stream) to a file. While most UNIX shells make that approach easy, it can be difficult on Windows.