ZMap

ZMap is a high-speed, stateless network scanner purpose-built for Internet-scale surveys. Unlike Nmap, which maintains per-connection state to track probe/response pairs, ZMap encodes all session-tracking information directly into the probe packet itself using TCP initial sequence numbers or ICMP identifiers. This allows the send and receive paths to operate fully asynchronously and eliminates the per-flow memory overhead that bounds traditional scanners. By iterating through the 32-bit IPv4 address space using a cyclic multiplicative group — a permutation that visits every address exactly once in pseudo-random order — ZMap distributes load evenly and avoids overwhelming individual network segments.

The tool achieves line-rate performance at up to 1.37 million packets per second at 1 Gbps by running entirely in user space using raw socket access and optional kernel-bypass interfaces (netmap, PF_RING). A single probe per host detects approximately 98% of live hosts. ZMap ships probe modules for TCP SYN, ICMP, DNS, UPnP, and BACnet and outputs results as structured CSV, JSON, or binary formats. For application-layer follow-up — banner grabbing, TLS certificate extraction, HTTP probing — the companion tool ZGrab2 accepts ZMap’s output directly.

Introduced at USENIX Security 2013, ZMap has underpinned over 300 peer-reviewed papers and enabled landmark findings including the Heartbleed impact assessment, widespread weak RSA key discovery, and IoT/ICS vulnerability surveys. Enterprise security companies including Censys, Palo Alto Networks, and Rapid7 have built attack surface management products on top of it. Its research pedigree and proven scale make it the foundational tool for Internet measurement and large-scale reconnaissance.